Help PHP application over SSL

Greetings,

I am building a database-driven PHP application.
Part of that app needs to run over SSL for gathering private data.

Now, when someone purchases a certificate, the domain name is
hard-coded on the certificate, right?

If so, how can I run part of the application in regular mode (http) and
the rest in secure mode (https)?

The domain name on the certificate will be something like -
www.myDomain.com

But some of the pages will be secure and some not.

Is it possible to have something like this?
Will the certificate work ok?

And should I refer to the secure pages using absolute referencing
(https://www.myDomain.com/someDirectory/securePage.php)

Thanks for any help.

>I am building a database-driven PHP application.[color=blue]
>Part of that app needs to run over SSL for gathering private data.
>
>Now, when someone purchases a certificate, the domain name is
>hard-coded on the certificate, right?[/color]

Correct. A typical secure site really has *TWO* virtual sites, one
secure, one not secure (with the same domain name, e.g.
https://my.domain.com and http://my.domain.com). The not secure
part has the product descriptions and such in it (typically). The
secure part has the order form, etc. on it. Depending on how much
personal data the site handles, you may want most of it secure.
Your typical secure site has AT MINIMUM an un-secure entry page
which redirects or links to the secure entry page. Nobody is going
to remember to type the "https:" part in. So that unsecure part
brags about the security and links to the secure page, or just
redirects. IF THE USER HAS TO LOG IN, MAKE THE LOG IN PAGE SECURE,
not just the response after they log in. That way, the login info
is encrypted.
[color=blue]
>If so, how can I run part of the application in regular mode (http) and
>the rest in secure mode (https)?[/color]

Make sure you do NOT use insecure images on secure pages. Browsers
get upset about that. Otherwise, you treat it as two virtual sites
with different domains, cross-referencing each other. Limit links
to insecure pages from the secure pages, or label them with hints
like "exit secure site". Whether you use the secure or insecure
site depends on the http: vs. https: part.
[color=blue]
>The domain name on the certificate will be something like -
>www.myDomain.com
>
>But some of the pages will be secure and some not.[/color]

Fine. You can have a secure and insecure site with the same domain
name. They may or may not have the same document root. Treat them
the same way you would two different domains on separate virtual sites.
[color=blue]
>Is it possible to have something like this?
>Will the certificate work ok?[/color]

Yes.
[color=blue]
>And should I refer to the secure pages using absolute referencing
>(https://www.myDomain.com/someDirectory/securePage.php)[/color]

You can refer to secure pages from other secure pages of the same
domain with relative referencing. From an insecure page, it's like
you are referencing a whole different site (which it is), so you
need the absolute referencing.

Gordon L. Burditt

Harold Crump <orientletter@yahoo.com> wrote:
[snip][color=blue]
> But some of the pages will be secure and some not.
>
> Is it possible to have something like this?
> Will the certificate work ok?[/color]

PHP doesn't know anything about the transport other than what the httpd
tells PHP about it. So it makes no difference at all.
[color=blue]
> And should I refer to the secure pages using absolute referencing
> (https://www.myDomain.com/someDirectory/securePage.php)[/color]

With a little rewriteengine magic it's possible to create a relative URL
for the client which will be redirected to either http or https (it's an
example in apaches rewrite documenation).