SSL php code

I am using linux, php and trying to do some ssl code. I want to send some identifier that connects
my database to the client browser. I was looking into a secure cookie. I only want the page
accessed over a SSL connection. What's the best way to ensure the client browser can only see my
page if they are ssl connected to it? In adding a 1 to the end of my send cookie code, it sends
the cookie regardless of if they are ssl connected or not. Any ideas???

TIA,
Rob

Jul 17 '05 #1
Spam Bill Gates wrote:
I am using linux, php and trying to do some ssl code. I want to send some identifier that connects
my database to the client browser. I was looking into a secure cookie. I only want the page
accessed over a SSL connection. What's the best way to ensure the client browser can only see my
page if they are ssl connected to it? In adding a 1 to the end of my send cookie code, it sends
the cookie regardless of if they are ssl connected or not. Any ideas???


<?php
// HTTPS is "on" under Apache mod_ssl; IIS sets it to "off" on plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    die();
}

That should work. Haven't tried it though, but the server HTTPS variable
should be set if the connection is SSL, at least with Apache and mod_ssl.
Can't say about IIS, but if you do a print_r($_SERVER) on a page through
SSL you'll find out soon enough :)
Roy W. Andersen
--
ra at broadpark dot no / http://roy.netgoth.org/

"Hey! What kind of party is this? There's no booze
and only one hooker!" - Bender, Futurama
Jul 17 '05 #2
On Mon, 10 Jan 2005 20:29:18 +0100, "Roy W. Andersen"
<ro******@netgoth.org> reverently intoned upon the aether:
Spam Bill Gates wrote:
I am using linux, php and trying to do some ssl code. I want to send some identifier that connects
my database to the client browser. I was looking into a secure cookie. I only want the page
accessed over a SSL connection. What's the best way to ensure the client browser can only see my
page if they are ssl connected to it? In adding a 1 to the end of my send cookie code, it sends
the cookie regardless of if they are ssl connected or not. Any ideas???


<?php
// HTTPS is "on" under Apache mod_ssl; IIS sets it to "off" on plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    die();
}

That should work. Haven't tried it though, but the server HTTPS variable
should be set if the connection is SSL, at least with Apache and mod_ssl.
Can't say about IIS, but if you do a print_r($_SERVER) on a page through
SSL you'll find out soon enough :)
Roy W. Andersen


This is not necessarily true. Even using Apache and mod_ssl does not
guarantee this. There are many configuration issues involved, and it
may well show up by default, but it does not show up on the servers I
use. Albeit, I outsource hosting so I have limited control and less
liabilities (I am not responsible for making the system work, just my
code).

So if checking isset($_SERVER['HTTPS']) does not work for you,
then I would simply suggest ensuring https is used via a redirect:

<?php
$site = 'www.whereever.net';

// The https URI this page should have been requested with.
$ssl_Secure_SCRIPT_URI = "https://$site" . $_SERVER['PHP_SELF'];

// SCRIPT_URI is only set on Apache hosts with mod_rewrite; the '@' silences
// the undefined-index warning if it is missing (in which case the comparison
// always fails and the page redirects to itself on every request).
if( @strcasecmp($_SERVER['SCRIPT_URI'], $ssl_Secure_SCRIPT_URI) != 0 ){
    header("Location: $ssl_Secure_SCRIPT_URI"); // Redirect browser
    exit;
}

Put the above in an include file and require_once() this include file
in every page requiring encrypted access.

Some things to note:

1) This method does not look at GET data in the request. Hence, if
someone hacks out the 's' in the URI, then they get redirected to the
same page without any GET or POST data from the request. This is
okay, we are in an error state.

2) You might consider logging a protocol failure whenever the redirect
is needed.

3) $site would be best included from another file so that the domain
name for the site is only written down in exactly one location in the
entire web application.

4) Is this the best way? Probably not. Does it work? Yes. Does it
work in a restrictive environment (think shared hosting from a service
provider)? Yes.

5) The '@' used above is the "Error Control Operator" and silences any
error output by the function call. This serves two purposes:

a) The client never sees an error message.

b) No text is printed to the HTML client before the header call is
made. If any text (i.e., an error message) is output before the
header call, the header call will fail, and hence the redirect will
fail too.

I would enjoy hearing any constructive criticism of this method.

hope this helps,

Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
Jul 17 '05 #3
>On Mon, 10 Jan 2005 20:29:18 +0100, "Roy W. Andersen"
<ro******@netgoth.org> reverently intoned upon the aether:
Spam Bill Gates wrote:
> I am using linux, php and trying to do some ssl code. I want to send some identifier that connects
> my database to the client browser. I was looking into a secure cookie. I only want the page
> accessed over a SSL connection. What's the best way to ensure the client browser can only see my
> page if they are ssl connected to it? In adding a 1 to the end of my send cookie code, it sends
> the cookie regardless of if they are ssl connected or not. Any ideas???


<?php
// HTTPS is "on" under Apache mod_ssl; IIS sets it to "off" on plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    die();
}

That should work. Haven't tried it though, but the server HTTPS variable
should be set if the connection is SSL, at least with Apache and mod_ssl.
Can't say about IIS, but if you do a print_r($_SERVER) on a page through
SSL you'll find out soon enough :)
Roy W. Andersen


This is not necessarily true. Even using Apache and mod_ssl does not
guarantee this. There are many configuration issues involved, and it
may well show up by default, but it does not show up on the servers I
use. Albeit, I outsource hosting so I have limited control and less
liabilities (I am not responsible for making the system work, just my
code).

So if checking isset($_SERVER['HTTPS']) does not work for you,
then I would simply suggest ensuring https is used via a redirect:

<?php
$site = 'www.whereever.net';

// The https URI this page should have been requested with.
$ssl_Secure_SCRIPT_URI = "https://$site" . $_SERVER['PHP_SELF'];

// SCRIPT_URI is only set on Apache hosts with mod_rewrite; the '@' silences
// the undefined-index warning if it is missing (in which case the comparison
// always fails and the page redirects to itself on every request).
if( @strcasecmp($_SERVER['SCRIPT_URI'], $ssl_Secure_SCRIPT_URI) != 0 ){
    header("Location: $ssl_Secure_SCRIPT_URI"); // Redirect browser
    exit;
}

Put the above in an include file and require_once() this include file
in every page requiring encrypted access.

Some things to note:

1) This method does not look at GET data in the request. Hence, if
someone hacks out the 's' in the URI, then they get redirected to the
same page without any GET or POST data from the request. This is
okay, we are in an error state.

2) You might consider logging a protocol failure whenever the redirect
is needed.

3) $site would be best included from another file so that the domain
name for the site is only written down in exactly one location in the
entire web application.

4) Is this the best way? Probably not. Does it work? Yes. Does it
work in a restrictive environment (think shared hosting from a service
provider)? Yes.

5) The '@' used above is the "Error Control Operator" and silences any
error output by the function call. This serves two purposes:

a) The client never sees an error message.

b) No text is printed to the HTML client before the header call is
made. If any text (i.e., an error message) is output before the
header call, the header call will fail, and hence the redirect will
fail too.

I would enjoy hearing any constructive criticism of this method.

hope this helps,

Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004


Sean, I am planning on exclusively using secure pages (ssl) after the user requests to login.

I want some standardized php code on every page to verify with every hit that it is being accessed
via ssl.

If it is not no information should be displayed to the user other than a redirect to the login
page. I plan to exclusively use the post method when a user enters data into one of my pages that
will be self referenced to the php page that sent it. The data entered by the user will be pulled
up with the self referenced page and php code will do the appropriate sql insert/update/selects and
display the appropriate results to the user.

If I use your idea will my data that's sent with a post method have no problems if the user uses a
ssl connection to my server?

My limited knowledge at this point makes me think I will not be able to get the data using a post
method to the php code that needs it assuming the user is maintaining a secure connection to my
server if I use your logic.

I hope this makes sense. Is my concern unfounded???

TIA,
Bill Gates
Jul 17 '05 #4
Spam Bill Gates wrote:
<snip>
My limited knowledge at this point makes me think I will not be able to get the data using a post method to the php code that needs it assuming the user is maintaining a secure connection to my server if I use your logic.


This is not a big deal...

if (empty($_SERVER['HTTPS'])) {
    // redirect to https page
    header('Location: https://www.whereever.net' . $_SERVER['REQUEST_URI']);
    exit;
}

If user posts from/to http page, he'll lose the data as he will be
redirected to https page. Try and see. Perhaps you may need to test
with XAMPP.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #5
Spam Bill Gates wrote:

I want some standardized php code on every page to verify with every hit that it is being accessed
via ssl.


As I said, do a print_r($_SERVER); and see if $_SERVER['HTTPS'] is set
when you're connected through SSL. If it is, then the code I posted will
work on that server. If not, chances are the server sets another
variable which you can use to identify the presence of SSL. Just look
for something named anything with SSL or HTTPS, and just to make sure,
see if the variable is also there when you connect without SSL. If it's
not, then you can use that variable to detect SSL.

So just make a page like this:

<?php
print_r($_SERVER);
?>

Open it with SSL, open it without SSL, and compare the two outputs.
Roy W. Andersen
--
ra at broadpark dot no / http://roy.netgoth.org/

"Hey! What kind of party is this? There's no booze
and only one hooker!" - Bender, Futurama
Jul 17 '05 #6
On Wed, 12 Jan 2005 22:53:55 +0100, "Roy W. Andersen"
<ro******@netgoth.org> reverently intoned upon the aether:
Spam Bill Gates wrote:

I want some standardized php code on every page to verify with every hit that it is being accessed
via ssl.


As I said, do a print_r($_SERVER); and see if $_SERVER['HTTPS'] is set
when you're connected through SSL. If it is, then the code I posted will
work on that server. If not, chances are the server sets another
variable which you can use to identify the presence of SSL. Just look
for something named anything with SSL or HTTPS, and just to make sure,
see if the variable is also there when you connect without SSL. If it's
not, then you can use that variable to detect SSL.

So just make a page like this:

<?php
print_r($_SERVER);
?>

Open it with SSL, open it without SSL, and compare the two outputs.


I would expand that a little and include a <pre> tag.

<pre>
<?php
print_r($_SERVER);
?>
</pre>

so that the output is readably formatted.

That said, I have a couple sites using SSL on Apache with mod_ssl and
the way the hosting company set them up there are no variables that
show what type of connection is used. Hence I had to fall back to
checking for https and redirecting if it is missing.

hth,

Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
Jul 17 '05 #7
On Wed, 12 Jan 2005 20:26:07 GMT, Spam Bill Gates
<sp***********@microsoft.com> reverently intoned upon the aether:

Sean, I am planning on exclusively using secure pages (ssl) after the user requests to login.
While all your links may be https://... there is no way to guarantee
that a user will not change the address bar to reference the page as
http://...

I want some standardized php code on every page to verify with every hit that it is being accessed
via ssl.

If it is not no information should be displayed to the user other than a redirect to the login
page.
See the code snippet below. This will securely redirect to a login
page. My original code snippet simply redirected the browser back the
same page using ssl rather than unencrypted communications.
I plan to exclusively use the post method when a user enters data into one of my pages that
will be self referenced to the php page that sent it. The data entered by the user will be pulled
up with the self referenced page and php code will do the appropriate sql insert/update/selects and
display the appropriate results to the user.
Please make sure you validate all user input or you can end up
creating an easily hacked website with little effort on your part.
You might take a look at:

http://www.owasp.org/documentation/topten.html

as a starting point for securing your web application. All using
HTTPS/SSL does is encrypt the data between the web server and the
client, it in no way provides any security for the site as a whole.

Or visit google and try the following sets of search terms:

SQL Injection
Cross Site Scripting
Web Application Security

A site with more helpful info is:

http://www.securityfocus.com/infocus/foundations

If I use your idea will my data that's sent with a post method have no problems if the user uses a
ssl connection to my server?
Yes, if the user connects using SSL/HTTPS, then the POST data will be
properly transmitted. If they fail to use SSL, then the POST data
will be lost when they are redirected to the login page (see modified
code snippet below).

My limited knowledge at this point makes me think I will not be able to get the data using a post
method to the php code that needs it assuming the user is maintaining a secure connection to my
server if I use your logic.

I hope this makes sense. Is my concern unfounded???


Yes, the POST data will be lost on a redirect. But since the access
to the site was invalid losing the POST data is reasonable (if it is a
possible attack, do not trust the data).
This version of code will redirect a visitor to the login.php page if
they do not connect using SSL.

-------------------------------------------------------------------------------------

<?php
$site = 'www.whereever.net';

// Construct the proper https login string for this page.
$ssl_Secure_SCRIPT_URI = "https://$site" . $_SERVER['PHP_SELF'];

// Ensure the user accesses this page using the secure URI, otherwise
// redirect them to the login page. SCRIPT_URI is only set on Apache hosts
// with mod_rewrite; the '@' silences the undefined-index warning if it is
// missing (in which case the comparison always fails and every request is
// sent to the login page).
if( @strcasecmp($_SERVER['SCRIPT_URI'], $ssl_Secure_SCRIPT_URI) != 0 ){
    header("Location: https://$site/login.php"); // Redirect browser
    exit;
}

-------------------------------------------------------------------------------------

Beyond this, creating a login system in PHP is easy, creating a secure
login and session validation scheme is a lot more challenging.

hope this helps,

Sean


"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
Jul 17 '05 #8
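Pulling together the include-file approach from post #3 and the login redirect from post #8, here is an added example (not code from any poster in this thread) of one include that detects TLS by more than one signal, so a host that never sets $_SERVER['HTTPS'] does not loop, logs the protocol failure, redirects to the login page over https, and, once over TLS, marks the session cookie Secure as the original question asks. The trusted proxy address, site name and login path are assumed values.

```php
<?php
// require_ssl.php: added example, not code from this thread. Include it at
// the top of every page that must only be served over TLS. The proxy list,
// the site name and the login path are constructed/assumed values.

function is_https(array $server): bool
{
    // Apache mod_ssl sets HTTPS=on; IIS sets HTTPS=off over plain HTTP; some
    // hosts (as described in the thread) set nothing, so check several signals.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Behind a TLS-terminating proxy the app only sees plain HTTP. Trust the
    // forwarded scheme solely from proxy addresses we control (constructed list).
    $trusted_proxies = ['10.0.0.5'];
    if (isset($server['HTTP_X_FORWARDED_PROTO'], $server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trusted_proxies, true)
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

function require_https(array $server, string $site, string $login_path = '/login.php'): void
{
    if (is_https($server)) {
        // Ask the browser to use HTTPS for this host for the next year.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // Record the protocol failure (note 2 in Sean's post) before redirecting.
    error_log(sprintf('insecure request for %s from %s',
        $server['REQUEST_URI'] ?? '?', $server['REMOTE_ADDR'] ?? '?'));
    // Redirect to the login page over HTTPS. $site is a fixed constant rather
    // than HTTP_HOST so the request cannot steer the redirect elsewhere; any
    // POST body sent over plain HTTP is deliberately discarded.
    header('Location: https://' . $site . $login_path, true, 302);
    exit;
}

require_https($_SERVER, 'www.whereever.net');

// Only reached over TLS. The session cookie carries the Secure flag (the
// trailing "1" in setcookie() the original question refers to) so the browser
// never sends it back over plain HTTP, and HttpOnly so page scripts cannot read it.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
```

The array form of session_set_cookie_params() needs PHP 7.3 or later; on older versions pass the secure and httponly flags as separate arguments.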
On 12 Jan 2005 12:36:45 -0800, "R. Rajesh Jeba Anbiah"
<ng**********@rediffmail.com> reverently intoned upon the aether:
Spam Bill Gates wrote:
<snip>
My limited knowledge at this point makes me think I will not be able to get the data using a post
method to the php code that needs it assuming the user is maintaining a secure connection to my
server if I use your logic.


This is not a big deal...

if (empty($_SERVER['HTTPS'])) {
    // redirect to https page
    header('Location: https://www.whereever.net' . $_SERVER['REQUEST_URI']);
    exit;
}


Again, this is not necessarily true and whether or not
$_SERVER['HTTPS'] exists is a function of server configuration.
Simply using Apache and mod_ssl does not imply it will be there.
Hence, you can end up coding an infinite loop of redirects to the
secure page. And eventually you will get a rather error message from
Apache or the browser (likely about redirect limits).

enjoy,

Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
Jul 17 '05 #9
Sean wrote:
On 12 Jan 2005 12:36:45 -0800, "R. Rajesh Jeba Anbiah"
<ng**********@rediffmail.com> reverently intoned upon the aether:

<snip>
This is not a big deal...

if (empty($_SERVER['HTTPS'])) {
    // redirect to https page
    header('Location: https://www.whereever.net' . $_SERVER['REQUEST_URI']);
    exit;
}


Again, this is not necessarily true and whether or not
$_SERVER['HTTPS'] exists is a function of server configuration.
Simply using Apache and mod_ssl does not imply it will be there.
Hence, you can end up coding an infinite loop of redirects to the
secure page. And eventually you will get a rather error message from
Apache or the browser (likely about redirect limits).


Interesting contradiction. For me, such a situation has never happened and
I don't have any idea why HTTPS wouldn't get set even on SSL.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #10
On 13 Jan 2005 09:27:45 -0800, "R. Rajesh Jeba Anbiah"
<ng**********@rediffmail.com> reverently intoned upon the aether:
Sean wrote:
On 12 Jan 2005 12:36:45 -0800, "R. Rajesh Jeba Anbiah"
<ng**********@rediffmail.com> reverently intoned upon the aether:

<snip>
This is not a big deal...

if (empty($_SERVER['HTTPS'])) {
    // redirect to https page
    header('Location: https://www.whereever.net' . $_SERVER['REQUEST_URI']);
    exit;
}


Again, this is not necessarily true and whether or not
$_SERVER['HTTPS'] exists is a function of server configuration.
Simply using Apache and mod_ssl does not imply it will be there.
Hence, you can end up coding an infinite loop of redirects to the
secure page. And eventually you will get a rather error message from
Apache or the browser (likely about redirect limits).


Interesting contradiction. For me, such a situation has never happened and
I don't have any idea why HTTPS wouldn't get set even on SSL.


It may work that way by default, but the hosting company I use is
configured such that it does not show up. Sadly their configuration
contains none of the SSL-HTTPS data. Some of which I would like to
use for session authentication. On the bright side, I can get a
server, domain, name, and secure certificate with decent online
storage and bandwidth for less than $100 US per year so I can survive
a little inconvenience.

enjoy,

Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
Jul 17 '05 #11