473,241 Members | 1,725 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,241 software developers and data experts.

Problem Getting Script's URL ($_SERVER['PHP_SELF'] not what I expected)

Tom
I have a function that restricts access to a page to logged in users.
When a user who isn't logged in goes to the page, it will dynamically
generate a login form.

I'm trying to use it in conjunction with the free shared SSL
certificate offered by my host. To use SSL, you would change a URL
like this

http://mydomain.com/page.php

to

https://ssl.myhost.com/mydomain.com/page.php

My problem: when my script dynamically generates the login form, it
uses the $_SERVER['PHP_SELF'] value in the action field. But this ends
up being '/page.php' rather than '/mydomain.com/page.php' so my form
gets submitted to

https://ssl.myhost.com/page.php

instead of

https://ssl.myhost.com/mydomain.com/page.php

Simple I thought, I'll just use the SERVER or ENV variable that gives
me the full url. My problem: it doesn't seem to exist!

Anyone have any suggestions? Anyone else confront and solve this
issue?

Thanks,
Tom

Nov 3 '06 #1
5 2810
Tom wrote:
I have a function that restricts access to a page to logged in users.
When a user who isn't logged in goes to the page, it will dynamically
generate a login form.

I'm trying to use it in conjunction with the free shared SSL
certificate offered by my host. To use SSL, you would change a URL
like this

http://mydomain.com/page.php

to

https://ssl.myhost.com/mydomain.com/page.php

My problem: when my script dynamically generates the login form, it
uses the $_SERVER['PHP_SELF'] value in the action field. But this ends
up being '/page.php' rather than '/mydomain.com/page.php' so my form
gets submitted to

https://ssl.myhost.com/page.php

instead of

https://ssl.myhost.com/mydomain.com/page.php

Simple I thought, I'll just use the SERVER or ENV variable that gives
me the full url. My problem: it doesn't seem to exist!

Anyone have any suggestions? Anyone else confront and solve this
issue?

Thanks,
Tom
Hi Tom,

Why not hardcode the url instead of using PHP_SELF?

Also, pay attention to possible sessionloss.
The cookie that contains the PHPSESSID will only be send to the domain that
set it. (Possibly it will also not be send by change of protocol
http->https, I am not sure about that)

So if you create a session in www.myhost.com, it is NOT accessable by
ssl.myhost.com.

Regards,
Erwin Moller
Nov 3 '06 #2
Erwin Moller:
Why not hardcode the url instead of using PHP_SELF?
Well said that man! I second that.

--
Jock

Nov 3 '06 #3
Tom
Thanks for the suggestion. As a matter of fact, after some quiet
reflection away from the computer, that's what I ended up doing and
just added an argument to the function I use that allows the value to
be hardcoded, something like this:

php_guard_page($min_access_level=1, $action_field='dynamic')

The session-loss, as you anticipated, is the bigger issue I now
confront. This is part of a framework I use for multiple projects
which is the reason why I hesitated at something like hard-coding a
url. In any event, the idea is: a visitor can browse around open
non-restricted parts of the site then when they want to look at a
restricted page -- bam! hit them with the login form. In this
particular instance, I wanted to run the login through my host's shared
SSL -- which is on a different domain.

Two questions:

1. Is this necessary? Is using an unencrypted login form a significant
risk? What are the risks.

2. Is this possible? I quickly came to realize that I wasn't
understanding how the shared SSL certificate function. I was thinking
of it simply as kind of an extra layer of security being put on top of
my scripts. Any recommendation on how to best implement secure logins
with PHP using a shared certificate in this manner?

Links to good articles on the subject are welcome.

Thanks,
Tom
Erwin Moller wrote:
Tom wrote:
I have a function that restricts access to a page to logged in users.
When a user who isn't logged in goes to the page, it will dynamically
generate a login form.

I'm trying to use it in conjunction with the free shared SSL
certificate offered by my host. To use SSL, you would change a URL
like this

http://mydomain.com/page.php

to

https://ssl.myhost.com/mydomain.com/page.php

My problem: when my script dynamically generates the login form, it
uses the $_SERVER['PHP_SELF'] value in the action field. But this ends
up being '/page.php' rather than '/mydomain.com/page.php' so my form
gets submitted to

https://ssl.myhost.com/page.php

instead of

https://ssl.myhost.com/mydomain.com/page.php

Simple I thought, I'll just use the SERVER or ENV variable that gives
me the full url. My problem: it doesn't seem to exist!

Anyone have any suggestions? Anyone else confront and solve this
issue?

Thanks,
Tom

Hi Tom,

Why not hardcode the url instead of using PHP_SELF?

Also, pay attention to possible sessionloss.
The cookie that contains the PHPSESSID will only be send to the domain that
set it. (Possibly it will also not be send by change of protocol
http->https, I am not sure about that)

So if you create a session in www.myhost.com, it is NOT accessable by
ssl.myhost.com.

Regards,
Erwin Moller
Nov 3 '06 #4
Tom wrote:
Thanks for the suggestion. As a matter of fact, after some quiet
reflection away from the computer, that's what I ended up doing and
just added an argument to the function I use that allows the value to
be hardcoded, something like this:

php_guard_page($min_access_level=1, $action_field='dynamic')

The session-loss, as you anticipated, is the bigger issue I now
confront. This is part of a framework I use for multiple projects
which is the reason why I hesitated at something like hard-coding a
url. In any event, the idea is: a visitor can browse around open
non-restricted parts of the site then when they want to look at a
restricted page -- bam! hit them with the login form. In this
particular instance, I wanted to run the login through my host's shared
SSL -- which is on a different domain.

Two questions:
Hi
1. Is this necessary? Is using an unencrypted login form a significant
risk? What are the risks.
The biggest risk of using unencrypted login is simple: eavesdropping.
If somebody taps into the networktraffic (something that can happen anywhere
between the two IP-adresses), he can see the username password in the
IP-packages. Simple as that, just in plaintext.

How big this risk is, is completely beyound my knowledge.
>
2. Is this possible? I quickly came to realize that I wasn't
understanding how the shared SSL certificate function. I was thinking
of it simply as kind of an extra layer of security being put on top of
my scripts. Any recommendation on how to best implement secure logins
with PHP using a shared certificate in this manner?
No, sorry, not my area of expertice. :-/
>
Links to good articles on the subject are welcome.
Tom, I think you might get luckier with help on using and implementing HTTPS
in an Apache newsgroup.
I am sure a few in here know how to do it, but it is a little off topic in
this ng. SO if you need help quickly, go there.

If you hit a roof with sessionloss between your servers, come back here.
With that we can possibly help. :-)

Regards,
Erwin Moller
>
Thanks,
Tom

Nov 7 '06 #5
Tom wrote:
Erwin Moller wrote:
>>Tom wrote:

>>>I have a function that restricts access to a page to logged in users.
When a user who isn't logged in goes to the page, it will dynamically
generate a login form.

I'm trying to use it in conjunction with the free shared SSL
certificate offered by my host. To use SSL, you would change a URL
like this

http://mydomain.com/page.php

to

https://ssl.myhost.com/mydomain.com/page.php

My problem: when my script dynamically generates the login form, it
uses the $_SERVER['PHP_SELF'] value in the action field. But this ends
up being '/page.php' rather than '/mydomain.com/page.php' so my form
gets submitted to

https://ssl.myhost.com/page.php

instead of

https://ssl.myhost.com/mydomain.com/page.php

Simple I thought, I'll just use the SERVER or ENV variable that gives
me the full url. My problem: it doesn't seem to exist!

Anyone have any suggestions? Anyone else confront and solve this
issue?

Thanks,
Tom

Hi Tom,

Why not hardcode the url instead of using PHP_SELF?

Also, pay attention to possible sessionloss.
The cookie that contains the PHPSESSID will only be send to the domain that
set it. (Possibly it will also not be send by change of protocol
http->https, I am not sure about that)

So if you create a session in www.myhost.com, it is NOT accessable by
ssl.myhost.com.

Regards,
Erwin Moller


Thanks for the suggestion. As a matter of fact, after some quiet
reflection away from the computer, that's what I ended up doing and
just added an argument to the function I use that allows the value to
be hardcoded, something like this:

php_guard_page($min_access_level=1, $action_field='dynamic')

The session-loss, as you anticipated, is the bigger issue I now
confront. This is part of a framework I use for multiple projects
which is the reason why I hesitated at something like hard-coding a
url. In any event, the idea is: a visitor can browse around open
non-restricted parts of the site then when they want to look at a
restricted page -- bam! hit them with the login form. In this
particular instance, I wanted to run the login through my host's shared
SSL -- which is on a different domain.

Two questions:

1. Is this necessary? Is using an unencrypted login form a significant
risk? What are the risks.

2. Is this possible? I quickly came to realize that I wasn't
understanding how the shared SSL certificate function. I was thinking
of it simply as kind of an extra layer of security being put on top of
my scripts. Any recommendation on how to best implement secure logins
with PHP using a shared certificate in this manner?

Links to good articles on the subject are welcome.

Thanks,
Tom

(Top posting fixed)

Tom,

It's not *necessary* to use an SSL certificate, but if the login gives
access to sensitive data (i.e. credit card numbers, software available
for download by subscription, etc.), it's a good idea.

There is a slight chance that someone can intercept the unencrypted
login and get into your site. This is most likely to happen at the
first or last step in the path from the client to your site, but can
happen anywhere along the path. Is it a big problem? Probably not.
But it's good to be safe.

From the PHP end you don't have to do anything. The browser and Apache
take care of everything for you. The browser gets the info from the
user and encrypts it. This is sent down the link and received by
Apache, which then decrypts it. When it gets to your page, the data is
ready for use. In fact, it looks exactly the same whether it was sent
over an encrypted link or a non-encrypted link.

So all you need to do is have the users use

https://www.example.com/login.php

instead of http://... and it will be encrypted.

This should work on a shared certificate, also, although some browsers
may give a warning about the certificate belonging to another domain.

P.S. Please don't top post. Thanks.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 7 '06 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

9
by: Salve Håkedal | last post by:
When I select Februar here and sends, selection returns to Januar. I know why: no option is marked selected... But can php get this right in an easy way? <html><head><title>Part of a bigger...
13
by: deko | last post by:
I'm trying to identify which named anchor is currently being viewed on a page. Although the address bar of my browser shows #whatever appended to the end of the url, I can't seem to find it in a...
3
by: Joshua Beall | last post by:
Hi All, What is the difference between $_SERVER and $_SERVER, and which is better to use? According to the CGI 1.1 spec (http://hoohoo.ncsa.uiuc.edu/cgi/env.html), SCRIPT_NAME is not...
10
by: tHatDudeUK | last post by:
My form action code to submit values to itself have stopped working using the code form action = <?=$_SERVER?> This code used to work My web host recently told me they enabled phpsuexec...
1
by: Mikey P | last post by:
hi all i'm having issues with this returned function. I can get it to delete a database but i really want it to grab the stateselect extention and grab all the cities related to that state. I...
10
by: Jim Carlock | last post by:
Looking for a way to extract the path from the pfqpn (partially full qualified path name). $sThisServer = $_SERVER; // returns either aquaticcreationsnc.com or www.aquaticcreationsnc.com ...
4
by: Jim Carlock | last post by:
Are the XSS / Cross Site Scripting attacks fixed in Version 4.44? I'm seeing that $_SERVER doesn't return the $_SERVER appended to it. I was just messing with a few things and noticed that...
4
by: vinnie | last post by:
can someone explain me with an easy example what the function for? I've read on the php.net, but didn;t really catch the point. I'm a newbie. Thanks
21
by: paitoon | last post by:
Hello there, The fuction $_SERVER; is nice to use but it so complicate for me... In my site to try to use this to add the information to database..but it work not correct because it will...
0
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.