
I've read a lot of questions here about how login can be connected to SSL and so on, but still the idea is not that clear. Based on what I read, I need to have SSL set up and installed on my web server so that I can use the https secure connection on the page where a login is going to be used. OK, I have done that part, but I'm still wondering what to include in the login code in order to have the entire session over https. On some sites they mention that I have to add this code, `tep_href_link(FILENAME_ACCOUNT, '', 'SSL')`, so that the PHP login page or code is secure.

Any comments will be appreciated.

Thanks a lot.

Update: I believe that this code is very important to add so that the login page goes on the https.

```php
// Some servers set HTTPS to "off" on plain HTTP instead of leaving it unset
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header("Location: https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
    exit; // stop here, otherwise the page body is still sent over HTTP
}
```

Digital site
  • tep_href_link is from oscommerce. Are you using oscommerce? Otherwise no. If you configure your web server correctly you shouldn't need to do anything special in PHP. – Cfreak Feb 04 '12 at 06:28
  • If you're using Apache, you can: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html – Jared Farrish Feb 04 '12 at 07:11
  • Thanks everybody for the great comments. No, I don't use OSC so true I don't need any configuration. And Yes, my HTTPS is working well and I can force all pages to have https as well. And Yes, I'm using Apache on Linux server. Thanks. – Digital site Feb 04 '12 at 08:46

2 Answers


HTTPS represents using an algorithm to secure transport layer communications that encrypts what the browser and server are sending each other. The encrypted form that is sent over the network is expensive computationally to turn back into its original content, unless whoever is decrypting the ciphertext has the paired private key (or... a "computationally weak" algorithm was used).

This is point to point (client sends request to server, server accepts, determines response, sends response), so the browser and server first exchange public keys that represent what the data you are sending or receiving is going to be "scrambled" against. A private key is held by the public key issuer that allows that computer to "descramble" and obtain the original content that was sent to the receiver.

So when you create a private/public key pair, the private key is kept (in confidence and secret) on the server, and the related public key is sent to the browser. The browser, likewise, does the same thing and transmits a public key to the server.

"Protecting" sensitive information is not all that's going on; you may also use SSL/TLS to prevent tampering with data, for example, or even as an additional verification step.

To get HTTPS setup and available for you to use, you need to:

  1. Procure a public/private key (signing by a certificate authority, or CA, is potentially optional depending on your end users).
  2. Install it into the key store on the server that is available to your web server. OpenSSL is used for both of these steps in many cases.
  3. Set up your system to use HTTPS URLs (for all resources, not just the `<form action="https://...">`).

Couple of notes:

  • Browsers have their own certificates, so don't worry about that.
  • Many CMS' and frameworks allow you to specify HTTPS at the application layer

You can use Wireshark to inspect what your computer is actually sending and receiving. This can be very illuminating, especially in combination with viewing the request/response in Firebug or the Chrome Net console.

The PHP online manual has the OpenSSL "book". Here is an example of how CodeIgniter handles configuring HTTPS at the application level.

There are various tutorials on how to set up SSL on a LAMP stack. Here is a tutorial on WAMP2 HTTPS and SSL Setup if you just need a development environment.

If you have a shared hosting environment, you may not be able to do the SSL setup on the server yourself; that may be handled by the server administrator. Check with your host. DreamHost, for example, has extensive docs.

Jared Farrish
  • Thank you very much Jared. I read all the notes, and I gotta say brilliant. As for now, I setup the SSL on my web page and force the SSL to all pages. I guess I'm going to inspect what my computer sending/receiving by using wireshark. And for the SSL itself, it is a private one, not share. And it is already setup and working fine. All good for now. Thanks a lot. – Digital site Feb 04 '12 at 11:38
  • @Fxdigi, note that point 3 of Jared's answer is often neglected, but is very important. See [this answer](http://stackoverflow.com/a/9105894/372643) for details about the problem: checking `$_SERVER['HTTPS']`, using [`SSLRequireSSL`](http://stackoverflow.com/a/3729555/372643) or using `mod_rewrite` to force SSL from the server side won't fix these issues. Sending requests of HTTPS is ultimately up to the client: you should make sure your server tells it to do so (using appropriate links/URLs). – Bruno Feb 04 '12 at 18:36
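The redirect from the question's update, carried a step further as an added example (not code from the question or either answer): it treats `HTTPS=off` as plain HTTP, stops the script after the redirect, only redirects to hostnames the site actually serves, and marks the session cookie Secure so the browser never sends it back over http. The hostnames in the list are placeholders.

```php
<?php
// Added example, not from the question or answers. Redirects plain-HTTP
// requests to HTTPS and then starts a session whose cookie is HTTPS-only.

function request_is_https(): bool
{
    // Apache leaves HTTPS unset on plain HTTP; some servers set it to "off".
    return isset($_SERVER['HTTPS'])
        && $_SERVER['HTTPS'] !== ''
        && strtolower($_SERVER['HTTPS']) !== 'off';
}

function https_url_for_current_request(array $allowedHosts): string
{
    // The Host header is client-supplied; only redirect to hosts we serve.
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    return 'https://' . $host . ($_SERVER['REQUEST_URI'] ?? '/');
}

function require_https(array $allowedHosts): void
{
    if (request_is_https()) {
        return;
    }
    header('Location: ' . https_url_for_current_request($allowedHosts), true, 301);
    exit; // otherwise the rest of the login page is still sent over HTTP
}

// Placeholder hostnames; replace with the names this site actually answers to.
require_https(['www.example.com', 'example.com']);

// Secure: the browser only sends the cookie over HTTPS, so the session cannot
// leak back to http:// even if the user later follows a plain-HTTP link.
// HttpOnly keeps it away from page scripts. The array form needs PHP 7.3+.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```

Call this before any output and before `session_start()` on every page of the logged-in area, not only on the login form.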

Um, on a quick google, this function (tep_href_link) appears to be part of osCommerce. If your site has an SSL certificate set up properly, forcing users to an https url should be fine. If you don't know how to do that, look into Location headers or mod_rewrite.

Also, as an aside, one thing you will need to do is to ensure all links on the page are going over https. That will increase the likelihood of getting the green lock or w/e when a user comes to the page, assuming the cert isn't self-signed.

quickshiftin
  • Not just links, *all* resources (including JS/CSS files, images, etc.). – Jared Farrish Feb 04 '12 at 07:11
  • @quickshiftin, true. Thanks for the comments. You are right about the green lock. My site shows the green lock when I enter the main page because it redirects to the domain with https and all browsers show the green lock as well. Thanks to all of you. Regards – Digital site Feb 04 '12 at 11:40
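For point 3 of Jared's answer and quickshiftin's aside about links, an added example (not from either answer) that checks a page for links, form actions and resources still pointing at http://, which is what costs you the lock icon even when the page itself was served over HTTPS. It uses PHP's DOMDocument; the HTML is a constructed sample.

```php
<?php
// Added example, not from the answers: report every src/href/action that
// still uses http:// in a rendered page. Run it against your own templates.

function find_insecure_urls(string $html): array
{
    $attrs = ['src', 'href', 'action'];
    $found = [];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($attrs as $attr) {
            if (!$el->hasAttribute($attr)) {
                continue;
            }
            $url = trim($el->getAttribute($attr));
            // https:// and protocol-relative (//host/...) URLs are fine;
            // only an explicit http:// scheme is flagged.
            if (stripos($url, 'http://') === 0) {
                $found[] = sprintf('<%s %s="%s">', $el->tagName, $attr, $url);
            }
        }
    }
    return $found;
}

// Constructed sample page: one stylesheet, one form and one link are insecure.
$html = <<<'HTML'
<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="https://www.example.com/app.js"></script>
</head><body>
<form action="http://www.example.com/login.php" method="post"></form>
<img src="//www.example.com/logo.png">
<a href="http://www.example.com/help">Help</a>
</body></html>
HTML;

foreach (find_insecure_urls($html) as $hit) {
    echo $hit, "\n";
}
```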