
SSL php code

I am using linux, php and trying to do some ssl code. I want to send some identifier that connects
my database to the client browser. I was looking into a secure cookie. I only want the page
accessed over a SSL connection. What's the best way to ensure the client browser can only see my
page if they are ssl connected to it? In adding a 1 to the end of my send cookie code, it sends
the cookie regardless of if they are ssl connected or not. Any ideas???

TIA,
Rob

Jul 17 '05 #1
Spam Bill Gates wrote:
> I am using linux, php and trying to do some ssl code. I want to send some identifier that connects
> my database to the client browser. I was looking into a secure cookie. I only want the page
> accessed over a SSL connection. What's the best way to ensure the client browser can only see my
> page if they are ssl connected to it? In adding a 1 to the end of my send cookie code, it sends
> the cookie regardless of if they are ssl connected or not. Any ideas???

if (!$_SERVER['HTTPS']) {
    die();
}

That should work. Haven't tried it though, but the server HTTPS variable
should be set if the connection is SSL, at least with Apache and mod_ssl.
Can't say about IIS, but if you do a print_r($_SERVER) on a page through
SSL you'll find out soon enough :)
Roy W. Andersen
--
ra at broadpark dot no / http://roy.netgoth.org/

"Hey! What kind of party is this? There's no booze
and only one hooker!" - Bender, Futurama
Jul 17 '05 #2
On Mon, 10 Jan 2005 20:29:18 +0100, "Roy W. Andersen"
<ro******@netgoth.org> reverently intoned upon the aether:
> Spam Bill Gates wrote:
> > I am using linux, php and trying to do some ssl code. I want to send some identifier that connects
> > my database to the client browser. I was looking into a secure cookie. I only want the page
> > accessed over a SSL connection. What's the best way to ensure the client browser can only see my
> > page if they are ssl connected to it? In adding a 1 to the end of my send cookie code, it sends
> > the cookie regardless of if they are ssl connected or not. Any ideas???
>
> if (!$_SERVER['HTTPS']) {
>     die();
> }
>
> That should work. Haven't tried it though, but the server HTTPS variable
> should be set if the connection is SSL, at least with Apache and mod_ssl.
> Can't say about IIS, but if you do a print_r($_SERVER) on a page through
> SSL you'll find out soon enough :)
> Roy W. Andersen


This is not necessarily true. Even using Apache and mod_ssl does not
guarantee this. There are many configuration issues involved, and it
may well show up by default, but it does not show up on the servers I
use. Albeit, I outsource hosting so I have limited control and less
liabilities (I am not responsible for making the system work, just my
code).

So if, if( isset( $_SERVER['HTTPS']) ) != true, does not work for you,
then I would simply suggest ensuring https is used via a redirect:

$site = 'www.whereever.net';

// The URI this page should have been requested with. Array keys are quoted:
// bare PHP_SELF / SCRIPT_URI are undefined constants, which is an error in PHP 8.
$ssl_Secure_SCRIPT_URI = "https://$site" . $_SERVER['PHP_SELF'];

// '@' silences the notice if SCRIPT_URI is not set on this server (see note 5).
if( @strcasecmp($_SERVER['SCRIPT_URI'], $ssl_Secure_SCRIPT_URI) != 0 ){
    header("Location: $ssl_Secure_SCRIPT_URI"); // Redirect browser
    exit;
}

Put the above in an include file and require_once() this include file
in every page requiring encrypted access.

Some things to note:

1) This method does not look at GET data in the request. Hence, if
someone hacks out the 's' in the URI, then they get redirected to the
same page without any GET or POST data from the request. This is
okay, we are in an error state.

2) You might consider logging a protocol failure whenever the redirect
is needed.

3) $site would be best included from another file so that the domain
name for the site is only written down in exactly one location in the
entire web application.

4) Is this the best way? Probably not. Does it work? Yes. Does it
work in a restrictive environment (think shared hosting from a service
provider)? Yes.

5) The '@' used above is the "Error Control Operator" and silences any
error output by the function call. This serves two purposes:

a) The client never sees an error message.

b) No text is printed to the HTML client before the header call is
made. If any text (i.e., an error message) is output before the
header call, the header call will fail, and hence the redirect will
fail too.

I would enjoy hearing any constructive criticism of this method.

hope this helps,

Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
Jul 17 '05 #3
Sean wrote:
<snip>

Sean I am planning on exclusively using secure pages (ssl) after the user requests to login.

I want some standardized php code on every page to verify with every hit that it is being accessed
via ssl.

If it is not, no information should be displayed to the user other than a redirect to the login
page. I plan to exclusively use the post method when a user enters data into one of my pages that
will be self referenced to the php page that sent it. The data entered by the user will be pulled
up with the self referenced page and php code will do the appropriate sql insert/update/selects and
display the appropriate results to the user.

If I use your idea will my data that's sent with a post method have no problems if the user uses a
ssl connection to my server?

My limited knowledge at this point makes me think I will not be able to get the data using a post
method to the php code that needs it assuming the user is maintaining a secure connection to my
server if I use your logic.

I hope this makes sense. Is my concern unfounded???

TIA,
Bill Gates
Jul 17 '05 #4
Spam Bill Gates wrote:
<snip>
> My limited knowledge at this point makes me think I will not be able to get the data using a post method to the php code that needs it assuming the user is maintaining a secure connection to my server if I use your logic.

This is not a big deal...

if (empty($_SERVER['HTTPS']))
    redirect to https page.

If user posts from/to http page, he'll lose the data as he will be
redirected to https page. Try and see. Perhaps you may need to test
with XAMPP.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #5
Spam Bill Gates wrote:
> I want some standardized php code on every page to verify with every hit that it is being accessed
> via ssl.

As I said, do a print_r($_SERVER); and see if $_SERVER['HTTPS'] is set
when you're connected through SSL. If it is, then the code I posted will
work on that server. If not, chances are the server sets another
variable which you can use to identify the presence of SSL. Just look
for something named anything with SSL or HTTPS, and just to make sure,
see if the variable is also there when you connect without SSL. If it's
not, then you can use that variable to detect SSL.

So just make a page like this:

<?php
print_r($_SERVER);
?>

Open it with SSL, open it without SSL, and compare the two outputs.
Roy W. Andersen
Jul 17 '05 #6
On Wed, 12 Jan 2005 22:53:55 +0100, "Roy W. Andersen"
<ro******@netgoth.org> reverently intoned upon the aether:
> Spam Bill Gates wrote:
> > I want some standardized php code on every page to verify with every hit that it is being accessed
> > via ssl.
>
> As I said, do a print_r($_SERVER); and see if $_SERVER['HTTPS'] is set
> when you're connected through SSL. If it is, then the code I posted will
> work on that server. If not, chances are the server sets another
> variable which you can use to identify the presence of SSL. Just look
> for something named anything with SSL or HTTPS, and just to make sure,
> see if the variable is also there when you connect without SSL. If it's
> not, then you can use that variable to detect SSL.
>
> So just make a page like this:
>
> <?php
> print_r($_SERVER);
> ?>
>
> Open it with SSL, open it without SSL, and compare the two outputs.

I would expand that a little and include a <pre> tag.

<pre>
<?php
print_r($_SERVER);
?>
</pre>

so that the output is readably formatted.

That said, I have a couple sites using SSL on Apache with mod_ssl and
the way the hosting company set them up there are no variables that
show what type of connection is used. Hence I had to fall back to
checking for https and redirecting if it is missing.

hth,

Sean
Jul 17 '05 #7
On Wed, 12 Jan 2005 20:26:07 GMT, Spam Bill Gates
<sp***********@microsoft.com> reverently intoned upon the aether:

> Sean I am planning on exclusively using secure pages (ssl) after the user requests to login.

While all your links may be https://... there is no way to guarantee
that a user will not change the address bar to reference the page as
http://...

> I want some standardized php code on every page to verify with every hit that it is being accessed
> via ssl.
>
> If it is not, no information should be displayed to the user other than a redirect to the login
> page.

See the code snippet below. This will securely redirect to a login
page. My original code snippet simply redirected the browser back to the
same page using ssl rather than unencrypted communications.

> I plan to exclusively use the post method when a user enters data into one of my pages that
> will be self referenced to the php page that sent it. The data entered by the user will be pulled
> up with the self referenced page and php code will do the appropriate sql insert/update/selects and
> display the appropriate results to the user.

Please make sure you validate all user input or you can end up
creating an easily hacked website with little effort on your part.
You might take a look at:

http://www.owasp.org/documentation/topten.html

as a starting point for securing your web application. All using
HTTPS/SSL does is encrypt the data between the web server and the
client, it in no way provides any security for the site as a whole.

Or visit google and try the following sets of search terms:

SQL Injection
Cross Site Scripting
Web Application Security

A site with more helpful info is:

http://www.securityfocus.com/infocus/foundations

> If I use your idea will my data that's sent with a post method have no problems if the user uses a
> ssl connection to my server?

Yes, if the user connects using SSL/HTTPS, then the POST data will be
properly transmitted. If they fail to use SSL, then the POST data
will be lost when they are redirected to the login page (see modified
code snippet below).

> My limited knowledge at this point makes me think I will not be able to get the data using a post
> method to the php code that needs it assuming the user is maintaining a secure connection to my
> server if I use your logic.
>
> I hope this makes sense. Is my concern unfounded???

Yes, the POST data will be lost on a redirect. But since the access
to the site was invalid losing the POST data is reasonable (if it is a
possible attack, do not trust the data).

This version of code will redirect a visitor to the login.php page if
they do not connect using SSL.

-------------------------------------------------------------------------------------

$site = 'www.whereever.net';

// Construct the proper https URI for this page (array keys quoted: bare
// PHP_SELF / SCRIPT_URI are undefined constants, an error in PHP 8).
$ssl_Secure_SCRIPT_URI = "https://$site" . $_SERVER['PHP_SELF'];

// Ensure the user accesses this page using the secure URI, otherwise
// redirect them to the login page. '@' silences the notice if SCRIPT_URI
// is not set on this server.
if( @strcasecmp($_SERVER['SCRIPT_URI'], $ssl_Secure_SCRIPT_URI) != 0 ){
    header("Location: https://$site/login.php"); // Redirect browser
    exit;
}

-------------------------------------------------------------------------------------

Beyond this, creating a login system in PHP is easy, creating a secure
login and session validation scheme is a lot more challenging.

hope this helps,

Sean


Jul 17 '05 #8
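A consolidated version of the include Sean sketches in posts #3 and #8, together with the Secure cookie the original question was reaching for, added here as an example; it is not code from the thread or from any of its posters. It assumes PHP 7.3 or later (for the options-array form of setcookie()), and SITE_HOST and TRUSTED_PROXIES are hypothetical values to be replaced. It folds in the points raised in the thread: $_SERVER['HTTPS'] is tested for the IIS value 'off' as well as for absence, the canonical host is a constant rather than something taken from the request, a failed protocol check is logged (Sean's note 2), and a POST that arrives over plain HTTP is refused rather than redirected, since the redirect would discard the submitted data anyway. Sean's caveat from post #9 still applies: on a host that exposes no TLS indicator at all, is_https() returns false for every request and the redirect loops, so run the print_r($_SERVER) comparison from posts #6 and #7 before deploying it.

```php
<?php
// Added example, not from the thread: enforce HTTPS on every protected page
// and issue the session identifier as a Secure, HttpOnly cookie.
// Assumes PHP 7.3+. SITE_HOST and TRUSTED_PROXIES are hypothetical values.
declare(strict_types=1);

const SITE_HOST       = 'www.example.net';   // hypothetical canonical host
const TRUSTED_PROXIES = ['10.0.0.5'];        // hypothetical TLS-terminating proxy

/**
 * Decide whether this request arrived over TLS, checking the indicators the
 * thread discusses in order of trust. $server is passed in (not read from the
 * global) so the function can be exercised with constructed arrays.
 */
function is_https(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    // Apache/mod_ssl sets HTTPS to "on"; IIS sets it to the string "off" on
    // plain HTTP, which is truthy, so a bare if (!$_SERVER['HTTPS']) is wrong there.
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Behind a TLS-terminating proxy PHP sees plain HTTP. Honour
    // X-Forwarded-Proto only when the peer is a proxy we configured;
    // from anyone else the header is client-controlled and would bypass the check.
    if (isset($server['HTTP_X_FORWARDED_PROTO'], $server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]);
        return strtolower($first) === 'https';
    }
    return false;
}

/**
 * Build the https:// URL the client should have used. Only the path and query
 * come from the request; the host is our own constant, so a forged Host header
 * cannot turn the redirect into an open redirect to another site.
 */
function https_url_for(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    // Single leading slash; strip anything outside printable ASCII (CR/LF included).
    $uri = '/' . ltrim(preg_replace('/[^\x21-\x7e]/', '', $uri), '/');
    return 'https://' . SITE_HOST . $uri;
}

/**
 * Enforce HTTPS for the current page. Plain-HTTP GETs are redirected to the
 * same URL over https; anything else (a POST) is refused outright, because a
 * redirect would silently discard the submitted data, as the thread notes.
 */
function require_https(): void
{
    if (is_https($_SERVER)) {
        // Tell the browser to rewrite future http:// links to https:// itself,
        // which closes the "user edits the address bar" gap Sean describes.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // Sean's note 2: record the protocol failure before acting on it.
    error_log(sprintf('protocol failure: %s %s from %s',
        $_SERVER['REQUEST_METHOD'] ?? '?',
        $_SERVER['REQUEST_URI'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?'));

    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit('This form must be submitted over HTTPS.');
    }
    header('Location: ' . https_url_for($_SERVER), true, 301);
    exit;
}

/**
 * Issue the identifier the original poster asked about as a cookie the browser
 * will only send back over TLS (Secure) and that page scripts cannot read (HttpOnly).
 */
function issue_session_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,         // session cookie
        'path'     => '/',
        'domain'   => '',        // current host only
        'secure'   => true,      // the "1" the original poster was reaching for
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Usage at the top of every protected page (hypothetical file name):
//   require_once __DIR__ . '/require_https.php';
//   require_https();
//   issue_session_cookie('sid', bin2hex(random_bytes(16)));
```

The trusted-proxy list matters: if the application is reachable directly as well as through the proxy, leaving X-Forwarded-Proto unconditionally trusted lets any direct client claim "https" and skip the redirect. The HSTS header is only meaningful once every page on the host is served over TLS, so add it last, after the redirect has been verified to work.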
On 12 Jan 2005 12:36:45 -0800, "R. Rajesh Jeba Anbiah"
<ng**********@rediffmail.com> reverently intoned upon the aether:
> Spam Bill Gates wrote:
> <snip>
> > My limited knowledge at this point makes me think I will not be able to get the data using a post
> > method to the php code that needs it assuming the user is maintaining a secure connection to my
> > server if I use your logic.
>
> This is not a big deal...
>
> if (empty($_SERVER['HTTPS']))
>     redirect to https page.


Again, this is not necessarily true and whether or not
$_SERVER['HTTPS'] exists is a function of server configuration.
Simply using Apache and mod_ssl does not imply it will be there.
Hence, you can end up coding an infinite loop of redirects to the
secure page. And eventually you will get a rather error message from
Apache or the browser (likely about redirect limits).

enjoy,

Sean
Jul 17 '05 #9
Sean wrote:
> On 12 Jan 2005 12:36:45 -0800, "R. Rajesh Jeba Anbiah"
> <ng**********@rediffmail.com> reverently intoned upon the aether:
>
> <snip>
> > This is not a big deal...
> >
> > if (empty($_SERVER['HTTPS']))
> >     redirect to https page.
>
> Again, this is not necessarily true and whether or not
> $_SERVER['HTTPS'] exists is a function of server configuration.
> Simply using Apache and mod_ssl does not imply it will be there.
> Hence, you can end up coding an infinite loop of redirects to the
> secure page. And eventually you will get a rather error message from
> Apache or the browser (likely about redirect limits).


Interesting contradiction. For me, such situation never happened and
I don't have any idea why HTTPS wouldn't get set even on SSL.


Jul 17 '05 #10
