Solved

Make a few pages secure

Posted on 2011-03-17
Last Modified: 2013-11-05
Hi,

I've installed SSL on the server for a website. I want this only for a few pages where we collect the credit card information and for the processing pages. The website is written in PHP.

Any idea how this is usually done?
Question by:CWS (haripriya)
15 Comments
 
LVL 4

Expert Comment

by:max-hb
You could redirect all http access to your pages to the corresponding https connections.

Add this at the top of your https protected script:
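<?php
// Redirect plain-HTTP requests for this script to the same URL over HTTPS.
// Some servers (IIS with ISAPI) set HTTPS to "off" instead of leaving it empty.
if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] === "off") {
    $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: $newurl");
    exit();
}
?>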


CU
 maxhb
0
 
LVL 34

Expert Comment

by:Beverley Portlock
I'm not clear how far you have taken this process but...

1. Consider using a payment gateway instead: PayPal, WorldPay, Protx (SagePay), etc. PayPal is free. All of them remove the burden of PCI compliance which you will face if you do your own handling, and PCI compliance is a PITA. http://www.pcicomplianceguide.org/pcifaqs.php

2. If you are not using a gateway then you will need an SSL certificate from a signing authority (GeoTrust, VeriSign, etc.) and an extra IP address on the webserver for SSL handling. You then need to add a new virtualhost with the IP and port 443 enabled, and in the virtualhost you then link the SSL certificate - see this example http://www.digicert.com/ssl-certificate-installation-apache.htm

3. You will need to sign up to a card processing service and they will provide you with APIs to access the service with the card details you have taken. The details will depend on the payment service.
0
 
LVL 16

Author Comment

by:CWS (haripriya)
@max-hb,
Thanks for the code. I will check and get back to this.

@bportlock,
Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc.
0
 
LVL 3

Expert Comment

by:grouper15
hi cyberwebservice

you can call the starting page with https://servername/FirstCreditCardpage.php and when you leave on the last credit card page from the flow of ssl pages you can explicitly call http://servername/Someotherpage.php

You don't need to explicitly mention the protocol in between credit card pages
0
 
LVL 34

Expert Comment

by:Beverley Portlock
"Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc."

OK - just put the whole website to run under https: - create an .htaccess file and put this in to it

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


For sensitive data, consider storing it in encrypted form; it is not that hard. I have posted an encryption class to encrypt/decrypt in this question

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_26868583.html#35068383
0
 
LVL 4

Expert Comment

by:max-hb
@bportlock: Is it really useful and/or necessary to serve all pages via https? IMHO it's much better to limit https to those pages where it is really needed. As far as I can see this is done e.g. by amazon.com and other big players.
0
 
LVL 34

Expert Comment

by:Beverley Portlock
"Is it really useful and/or necessary to serve all pages via https?"

Who is it going to inconvenience? Will the server be complaining and demanding extra time off?
0
 
LVL 4

Expert Comment

by:max-hb
"Who is it going to inconvenience? Will the server be complaining and demanding extra time off?"

The point is:
a) SSL protected connections will consume more CPU power
b) SSL protected pages are not cacheable by your browser

All in all it's a matter of performance. As I already mentioned, look at the big global players like amazon or ebay - they offer https only for critical pages.
0
 
LVL 6

Expert Comment

by:My name is Mud
>>OK - just put the whole website to run under https: - create an .htaccess file and put this in to it

Less secured... create a file with the alias of the directory You wish to Secure only, or the whole site!!!

in /etc/httpd/conf.d

Like for example squirrelmail

Create a file like... squirrelmail.conf

#
# SquirrelMail is a webmail package written in PHP.
#

Alias /webmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
  RewriteEngine  on
  RewriteCond    %{HTTPS} !=on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

<Directory "/usr/share/squirrelmail/plugins/squirrelspell/modules">
  Deny from all
</Directory>
0
 
LVL 16

Author Comment

by:CWS (haripriya)
@wb, I didn't understand. Can you explain where to start?

Basically, what I want is to make only 5 pages secure out of approx. 100 pages.
I don't want to edit all the pages. Give me a solution that is not time consuming.

Thanks.
0
 
LVL 16

Author Comment

by:CWS (haripriya)
Hi all,

This is the code I have now.

Here the first two rules work correctly. But once the https is called, it continues for all the other linked pages. For example, if I click 'About Us' page from the 'myaccount.php' page, the https is continued.

The last rule should redirect all https to http for all pages other than 'login.php' and 'myaccount.php'. I am not good at writing these rules.

So, any help is appreciated.
RewriteRule login.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteRule myaccount.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

RewriteCond %{REQUEST_URI} !^(login.php|myaccount.php)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]

0
 
LVL 4

Expert Comment

by:max-hb
Do you use some kind of CMS or any other system that creates links on the fly? If you have static links pointing to some http address they should not be changed by the https protocol.
0
 
LVL 16

Author Comment

by:CWS (haripriya)
No, links are not created on the fly. I want the last rule to work correctly.
0
 
LVL 16

Accepted Solution

by:
CWS (haripriya) earned 0 total points
Everything works fine after adding the last rule in the .htaccess file of the virtual host for ssl.
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} !^(/login.php|/myaccount.php)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]

0
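An added example, not part of the thread: a small Python model of the `RewriteCond` checks from the question and from the accepted solution, run over constructed request paths to show which ones the final rule would send back to http. Python's `re` stands in for Apache's regex engine, `STRICT` is a hypothetical tightened pattern, and only the condition matching is modelled, not the redirect itself.

```python
import re

# Patterns copied from the thread. %{REQUEST_URI} always begins with "/".
FIRST_TRY = r"^(login.php|myaccount.php)"    # from the question
ACCEPTED = r"^(/login.php|/myaccount.php)"   # from the accepted solution
# Assumption (not from the thread): escaped dots and an end anchor.
STRICT = r"^/(login|myaccount)\.php$"


def downgrades(pattern, port, request_uri, need_port=True):
    """True if the conditions let the 'redirect to http://' rule fire.

    Models: RewriteCond %{SERVER_PORT} ^443$   (only when need_port is True)
            RewriteCond %{REQUEST_URI} !<pattern>
    """
    if need_port and port != 443:
        return False
    # The "!" prefix negates the match: the condition holds when nothing matches.
    return re.search(pattern, request_uri) is None


def report(pattern, uris, port=443, need_port=True):
    """Map each sample path to the model's decision."""
    return {u: downgrades(pattern, port, u, need_port) for u in uris}


# Constructed sample request paths.
SAMPLES = ["/login.php", "/myaccount.php", "/about.php",
           "/loginXphp", "/login.php.bak", "/css/site.css"]

if __name__ == "__main__":
    # FIRST_TRY lacks the leading "/", so it never matches and the negated
    # condition holds for every path, /login.php included.
    print("first try:", report(FIRST_TRY, SAMPLES, need_port=False))
    # ACCEPTED exempts the two pages, but the unescaped "." and missing "$"
    # also exempt /loginXphp and /login.php.bak.
    print("accepted: ", report(ACCEPTED, SAMPLES))
    # STRICT exempts exactly the two pages.
    print("strict:   ", report(STRICT, SAMPLES))
    # In every variant /css/site.css is downgraded: assets requested by the
    # secure pages are redirected to http too, which browsers treat as mixed content.
```
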
 
LVL 16

Author Closing Comment

by:CWS (haripriya)
I got the answer from a Google search!
0
