[RESOLVED] HTTPS to HTTP
buffy
Oct 29th, 2009, 05:02 AM
We recently installed SSL successfully onto our site. It is using a single directory for SSL and non SSL.
I have a couple of questions and problems and was hoping for some help.
Firstly which pages should be secure? I have so far planned on making the login and register pages secure. Should I also make the page that submits an order (php email) to the customer and company secure? What about updating the customer details.....
Secondly I am having problems with the first page I have tried to make secure, the login page.
I want it so that a customer goes to the http site, clicks login, is directed to the https page, they login then are directed back to the http site. This way in IE they will get a message saying they are going to a secure page, then login, then another message saying they are going to a non secure page.... However when I do a redirect it just hangs.
The other option is to have the whole site secure, but I have heard this slows down the site, plus it means all my image paths etc have to be changed to secure so I don't get the 'this page secure and non secure items' message.... and I just think the first option is the better way.
I have seen a website that does what I am after (just secures the login then puts them back into a non SSL site) but I don't know what they did (www.trademe.co.nz).
This is my normal redirect script that makes it hang:
<META HTTP-EQUIV="refresh" content="4" URL="<?php echo $securepath.'index.php'; ?>">
With the variable containing the entire https://www.domain.com/ path.
So to sum up, couple of questions:
1) Should I do SSL for any other pages besides login/register.... should I do it when an order is sent, a customer's details are updated etc
2) How do I have a secure login page that redirects to a non secure page without hanging
I haven't included much code because there wasn't much outside the normal stuff but let me know if you want to see anything else...
Thank you.
kows
Oct 29th, 2009, 08:51 AM
it seems counterproductive to me to log someone in via SSL and then have them not securely browsing the site. if you're having such a problem with image URLs, for example, then all you really need to do is keep track of whether or not they're logged in, and keep a variable holding whichever domain and protocol you're using. if they're logged in, change it to https.
now, as far as which pages should be secure, I will go on to say that I think as soon as you login to a secure site, every single action should be secure. changing customer details (especially if you store financial stuff), placing orders, whatever. that's the whole point in using SSL. I have very little experience using SSL personally however, so I can't comment on whether or not having the entire site in SSL will slow it down. it very well may. but pretty much any reputable company that I've dealt with online is using SSL the second I login. the entire godaddy account manager is using SSL; the same goes for paypal and a few other sites.
finally, why are you using HTML to redirect in the first place? try using a header.
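kows's two suggestions above (one variable that holds the protocol and domain and switches to https once the user is logged in, and a header() redirect instead of the META refresh) could look like the following. This is an added example, not code from the thread: www.mydomain.com is the thread's placeholder domain, and is_https(), base_url(), https_target() and require_https() are assumed names.

```php
<?php
// Added example, not from the thread. SITE_HOST is the thread's placeholder
// domain; all function names here are assumptions made for illustration.
const SITE_HOST = 'www.mydomain.com';

// True when the current request arrived over SSL.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// The single place that decides protocol + domain for links, images and
// form actions, so no page mixes secure and non-secure items.
function base_url(bool $loggedIn): string
{
    return ($loggedIn ? 'https' : 'http') . '://' . SITE_HOST . '/';
}

// Where a plain-http request should be sent, or null if already secure.
// The host comes from SITE_HOST, never from the request's Host header.
function https_target(array $server): ?string
{
    if (is_https($server)) {
        return null;
    }
    return 'https://' . SITE_HOST . ($server['REQUEST_URI'] ?? '/');
}

// Call at the top of login.php, before any output is sent.
function require_https(): void
{
    $target = https_target($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 302);
        exit; // nothing below may run on the http request
    }
}

// Constructed sample requests (not real traffic), shown when run from the CLI.
if (PHP_SAPI === 'cli') {
    var_dump(https_target(['REQUEST_URI' => '/login.php']));
    var_dump(https_target(['HTTPS' => 'on', 'REQUEST_URI' => '/login.php']));
    echo base_url(true), "images/logo.gif\n";
}
```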
menre
Oct 29th, 2009, 11:32 AM
Hi,
Reading your post, it seems that you are talking about an ecommerce website here. When it comes to an ecommerce website, security is very important as this helps boost customers' confidence and the security of their payment details, etc. As for what page to make secured, the home page may not use https (as most banks do). You can leave that as an HTTP page. However, other pages especially from any login page and where transactions will start taking place should be https (as most banks, large institutions, etc. do) and secured.
Hackers will try anything. So don't give them a chance. Your payment processing company or SSL will also have some security measures in place; check that with them as well.
Once a client is in a secured part of the site or has logged in, all transactions will have to be done in an https environment until they have logged out.
Nightwalker83
Oct 29th, 2009, 04:33 PM
I have to agree with kows! If you want to have an unsecured website or web page you are just asking for trouble. Also, from my experience of using ssl it doesn't slow the site down a great deal. Looking at it this way, the extra couple of seconds to load with ssl will give you added security on your site rather than without those extra couple of seconds.
visualAd
Oct 29th, 2009, 06:02 PM
A secure website is not just a website with SSL. There are many other factors that need to be taken into account when deciding how to secure a site and more importantly what to secure such as the security of the web application and how to identify the user.
Any personally identifiable information should be encrypted before transit, as should login credentials, commercially sensitive information and financial data. Neglecting this will open an organisation up to all kinds of risks.
buffy
Oct 30th, 2009, 12:44 AM
Thank you everyone for your advice.
The website does sell items. So basically a person logs in then adds items to their cart. Then they click checkout and are directed to an external DPS credit card site. Our website contains no credit card details, just a database storing the customers address and our products.
I must say I have only really noticed e commerce sites using HTTPS for when any client data is passed, .... not while browsing a site and adding items to a cart... e.g. www.ezibuy.co.nz or http://www.fishpond.co.nz/
For EZIBUY you log in securely then add items to the cart in normal HTTP. I can't see the need for the page to be SSL when you are just clicking items to add them to your cart?
The same for FISHPOND.... you can browse the site, add items to your cart, then login securely in SSL, then continue browsing the site in non SSL then when you checkout you're back in SSL.
And when I say SSL slows the pages down, I meant that because it's SSL the client doesn't store any information, so each page needs to be downloaded each time... but that's what I have read so I can't confirm that.
Anyways, thank you all for your comments, I'll have a think about it..... I do prefer to model it off similar sites though.
buffy
Nov 2nd, 2009, 04:55 AM
Am having some weird things happening that hopefully someone has had some experience with.
Forms that used to work fine are now instead going to index.php/ (another folder?) which I don't know where it gets that page from as it's not my normal index.php - instead my CSS, images etc don't load on it, it's just an unformatted version of index.php (in both IE and Firefox).
I believe the form itself is submitting as normal and going through the code because when I submit the login form and it changes to index.php/ if I click back I am logged in correctly.
If I change it from a form to a hyperlink that passes the variables in the URL it works, but of course I don't want to do it that way for registrations, orders, logins etc. It doesn't matter whether it's an https page or not, even my http search is for whatever reason redirecting to index.php/
I don't know why it's going to that page, and why it's putting the folder / at the end of it.
Any suggestions are welcomed :)
kows
Nov 2nd, 2009, 11:23 AM
well, you might have a header() redirection problem, something wrong with your htaccess file -- it could be a number of things. post some code or make a new, basic script that just submits to itself and see if that works. if it does, then it's something in your script. or possibly an htaccess problem.
buffy
Nov 3rd, 2009, 05:08 AM
Thanks kows. I did some testing as suggested. Firstly I created a simple form, that worked fine, so I added more details to it and then all of a sudden it started not working.
Turns out:
If my page is http://mydomain.com the form works.
If the page URL is http://www.mydomain.com the form does not work (it goes to index.php/ rather than the test results page).
Now http://www.mydomain.com forms used to work fine before I got SSL. I think the forms are still running through the code properly (storing variables, logging in etc), it's just going to index.php/ for some reason rather than the page it's meant to... does this sound like it could be related to htaccess?
I had a quick read of http://www.besthostratings.com/articles/force-ssl-htaccess.html which looks like htaccess forces HTTPS to the entire site, which is not what I am after, though am not sure whether this would fix my problem ;)
kows
Nov 3rd, 2009, 09:27 AM
htaccess definitely does not force the website to use SSL, but it could if you applied those rules to it. if you're not applying those rules, then it has nothing to do with anything. if you don't have an htaccess file in your /www/ folder, it has nothing to do with htaccess, either.
is your www subdomain just a copy of the root of your "root" domain (mydomain.com)? do you have SSL only for the www subdomain, maybe? or only have SSL for the root domain?
you could try talking to your host, I've no idea what's wrong!
SambaNeko
Nov 3rd, 2009, 01:30 PM
If you have an .htaccess file in your root directory, could you post the contents of that file here?
buffy
Nov 5th, 2009, 02:20 AM
Ahem. :o
Thank you everyone. I have found what is causing it, my connect file has the following code:
//redirect to index if someone is posting variables
if($_SERVER['REQUEST_METHOD'] == "POST"){
    $referer = parse_url($_SERVER['HTTP_REFERER']);
    //redirect people posting to this website via another
    if($referer['host'] != "mydomain.com"){
        header("Location: http://www.mydomain.com/index.php/");
    }
}
Now I have edited this to try and get it to include both HTTP and HTTPS but it is still redirecting me when I submit a form, am I using the or operator incorrectly?
//redirect to index if someone is posting variables
if($_SERVER['REQUEST_METHOD'] == "POST"){
    $referer = parse_url($_SERVER['HTTP_REFERER']);
    //redirect people posting to this website via another
    if($referer['host'] != "https://www.mydomain.com" || "http://www.mydomain.com"){
        header("Location: http://www.mydomain.com/index.php");
    }
}
With SSL installed it doesn't like this code anymore, even though forms did work on both mydomain.com and www.mydomain.com before.
kows
Nov 5th, 2009, 09:02 AM
well, you are using OR wrong, but that isn't the only problem. proper syntax would be the same as using AND:
if(condition || other_condition)
//or:
if($name == "david" || $name == "something_else")
but, remember that an OR means that either of these conditions can be true and the IF statement will trigger.
the other problem is the way you're trying to evaluate the host. look at the above code, then look at your edited code. $referer['host'] doesn't look at the protocol scheme -- it looks at the host. the host is equal to "mydomain.com" -- it wouldn't have the protocol attached like you've tried to do. you could do something like:
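<?php
$url = $_SERVER['HTTP_REFERER']; //the referring page, as in the connect file above
$protocol = parse_url($url, PHP_URL_SCHEME); //save for later
$host = parse_url($url, PHP_URL_HOST);
//redirect unless the post came from either form of the domain
if($host != "mydomain.com" && $host != "www.mydomain.com"){
    header("Location: {$protocol}://www.mydomain.com/");
    exit; //stop the script so the posted form is not processed after the redirect
}
?>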
that might be better for what you want?
buffy
Nov 5th, 2009, 10:50 PM
Thank you everyone, I echo'd out the $host, which was www.mydomain.com but it kept redirecting rather than letting through www.mydomain.com or mydomain.com so I changed
if($host != "mydomain.com" && $host != "www.mydomain.com"){
to just be
if($host != "www.mydomain.com"){
As it should always be this generally and it works fine.
Unless they navigate to the site using http://mydomain.com in which case the first link they click on will redirect them, or if they use the search box on the homepage that will redirect them.
Thank you very much..... tried to give you rep kows after "spreading it round" but apparently I have to spread it more first.
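The Referer host check worked out over the last few posts, written so that both mydomain.com and www.mydomain.com pass over http or https, is shown below. This is an added example, not code from the thread: the host names are the thread's placeholders, post_origin_allowed() and reject_foreign_post() are assumed names, and treating a missing Referer as foreign is an assumption of this example.

```php
<?php
// Added example, not code from the thread. Host names are the thread's
// placeholders; the function names are assumptions made for illustration.
const ALLOWED_HOSTS = ['mydomain.com', 'www.mydomain.com'];

// Decide whether a POST may be processed, based on its Referer header.
// parse_url() returns the host without the scheme, so http and https
// referrers from the same host both pass.
function post_origin_allowed(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false; // header absent or stripped (assumption: treat as foreign)
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // malformed URL or no host component
    }
    // Exact, case-insensitive match. A substring test would also accept
    // hosts such as mydomain.com.example.net.
    return in_array(strtolower($host), ALLOWED_HOSTS, true);
}

// Call from the connect file, before any form handling.
function reject_foreign_post(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return;
    }
    if (!post_origin_allowed($_SERVER['HTTP_REFERER'] ?? null)) {
        header('Location: http://www.mydomain.com/index.php', true, 303);
        exit; // without this the rest of the script still handles the POST
    }
}

// Constructed sample Referer values (not real traffic), shown from the CLI.
if (PHP_SAPI === 'cli') {
    $samples = [
        'https://www.mydomain.com/login.php',
        'http://mydomain.com/search.php',
        'http://WWW.MYDOMAIN.COM/',
        'http://mydomain.com.example.net/form.html',
        null,
    ];
    foreach ($samples as $r) {
        $verdict = post_origin_allowed($r) ? 'allow' : 'redirect';
        printf("%-45s %s\n", var_export($r, true), $verdict);
    }
}
```

The Referer header is supplied by the client, so this check filters cross-site browser posts but does not identify the user.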
vbforums.com