Help PHP application over SSL

Greetings,

I am building a database-driven PHP application.
Part of that app needs to run over SSL for gathering private data.

Now, when someone purchases a certificate, the domain name is
hard-coded on the certificate, right?

If so, how can I run part of the application in regular mode (http) and
the rest in secure mode (https)?

The domain name on the certificate will be something like -
www.myDomain.com

But some of the pages will be secure and some not.

Is it possible to have something like this?
Will the certificate work ok?

And should I refer to the secure pages using absolute referencing
(https://www.myDomain.com/someDirectory/securePage.php)

Thanks for any help.

Jul 17 '05 #1
>I am building a database-driven PHP application.
>Part of that app needs to run over SSL for gathering private data.
>
>Now, when someone purchases a certificate, the domain name is
>hard-coded on the certificate, right?

Correct. A typical secure site really has *TWO* virtual sites, one
secure, one not secure (with the same domain name, e.g.
https://my.domain.com and http://my.domain.com). The not secure
part has the product descriptions and such in it (typically). The
secure part has the order form, etc. on it. Depending on how much
personal data the site handles, you may want most of it secure.
Your typical secure site has AT MINIMUM an un-secure entry page
which redirects or links to the secure entry page. Nobody is going
to remember to type the "https:" part in. So that unsecure part
brags about the security and links to the secure page, or just
redirects. IF THE USER HAS TO LOG IN, MAKE THE LOG IN PAGE SECURE,
not just the response after they log in. That way, the login info
is encrypted.

>If so, how can I run part of the application in regular mode (http) and
>the rest in secure mode (https)?

Make sure you do NOT use insecure images on secure pages. Browsers
get upset about that. Otherwise, you treat it as two virtual sites
with different domains, cross-referencing each other. Limit links
to insecure pages from the secure pages, or label them with hints
like "exit secure site". Whether you use the secure or insecure
site depends on the http: vs. https: part.

>The domain name on the certificate will be something like -
>www.myDomain.com
>
>But some of the pages will be secure and some not.

Fine. You can have a secure and insecure site with the same domain
name. They may or may not have the same document root. Treat them
the same way you would two different domains on separate virtual sites.

>Is it possible to have something like this?
>Will the certificate work ok?

Yes.

>And should I refer to the secure pages using absolute referencing
>(https://www.myDomain.com/someDirectory/securePage.php)

You can refer to secure pages from other secure pages of the same
domain with relative referencing. From an insecure page, it's like
you are referencing a whole different site (which it is), so you
need the absolute referencing.

Gordon L. Burditt
Jul 17 '05 #2
Harold Crump <or**********@yahoo.com> wrote:
[snip]
>But some of the pages will be secure and some not.
>
>Is it possible to have something like this?
>Will the certificate work ok?

PHP doesn't know anything about the transport other than what the httpd
tells PHP about it. So it makes no difference at all.

>And should I refer to the secure pages using absolute referencing
>(https://www.myDomain.com/someDirectory/securePage.php)

With a little rewriteengine magic it's possible to create a relative URL
for the client which will be redirected to either http or https (it's an
example in Apache's rewrite documentation).
Jul 17 '05 #3
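
An added example, not part of the original thread: a PHP-side guard for the pages the replies say must be secure, using the only transport information the httpd gives PHP, plus a helper for the absolute https links needed from insecure pages. `CANONICAL_HOST`, `request_is_https()`, `secure_url()` and `require_https()` are hypothetical names chosen for this sketch.

```php
<?php
// Added example, not from the thread. CANONICAL_HOST is an assumed setting and
// must match the name on the certificate (the thread's www.myDomain.com).
const CANONICAL_HOST = 'www.myDomain.com';

// True when the httpd reports TLS. PHP only sees what the server passes in;
// some servers set HTTPS to "off" for plain requests instead of leaving it unset.
function request_is_https(array $server): bool
{
    $flag = strtolower((string)($server['HTTPS'] ?? ''));
    return $flag !== '' && $flag !== 'off';
}

// Absolute https URL for links from insecure pages. The host comes from
// configuration, never from the client-supplied Host header.
function secure_url(string $path): string
{
    return 'https://' . CANONICAL_HOST . '/' . ltrim($path, '/');
}

// Call first on every page that handles private data, the login form included.
// GET/HEAD are redirected to the https copy; other methods are refused, because
// a plain-http POST has already sent its body unencrypted.
function require_https(array $server): void
{
    if (request_is_https($server)) {
        return;
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        http_response_code(403);
        exit('This form must be submitted over https.');
    }
    // Strip CR/LF before the value goes into a response header.
    $uri = str_replace(["\r", "\n"], '', (string)($server['REQUEST_URI'] ?? '/'));
    header('Location: ' . secure_url($uri), true, 301);
    exit;
}

// Usage at the top of a secure page such as someDirectory/securePage.php:
// require_https($_SERVER);
```

If TLS is terminated by a proxy in front of the web server, the backend httpd does not set `HTTPS`, so the check has to read whatever indicator that proxy is configured to pass instead.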
