Solved

Make a few pages secure

Posted on 2011-03-17
Last Modified: 2013-11-05
Hi,

I've installed SSL in the server for a website. I want this only for a few pages where we collect the credit card information and processing pages. The website is written in PHP.

Any idea how this is usually done?
0
Question by:CWS (haripriya)
15 Comments
 
LVL 4

Expert Comment

by:max-hb
ID: 35155221
You could redirect all http access to your pages to the corresponding https connections.

Add this at the top of your https protected script:
<?php
if(empty($_SERVER["HTTPS"])) {
    $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: $newurl");
    exit();
}
?> 



CU
 maxhb
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35155292
I'm not clear how far you have taken this process but...

1. Consider using a payment gateway instead, PayPal, WorldPay, Protx (SagePay), etc. PayPal is free. All of them remove the burden of PCI compliance which you will face if you do your own handling and PCI compliance is a PITA. http://www.pcicomplianceguide.org/pcifaqs.php

2. If you are not using a gateway then you will need an SSL Certificate from a signing authority (GeoTrust, VeriSign, etc) and an extra IP address on the webserver for SSL handling. You then need to add a new virtualhost with the IP and port 443 enabled and in the virtualhost you then link the SSL certificate - see this example http://www.digicert.com/ssl-certificate-installation-apache.htm

3. You will need to sign up to a card processing service and they will provide you with APIs to access the service with the card details you have taken. The details will depend on the payment service.
0
 
LVL 16

Author Comment

by:CWS (haripriya)
ID: 35155484
@max-hb,
Thanks for the code. I will check and get back to this.

@bportlock,
Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc.
0

 
LVL 3

Expert Comment

by:grouper15
ID: 35155572
hi cyberwebservice

you can call the starting page with https://servername/FirstCreditCardpage.php and when you leave on the last credit card page from the flow of ssl pages you can explicitly call http://servername/Someotherpage.php

You don't need to explicitly mention the protocol in between credit card pages
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35156120
"Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc."

OK - just put the whole website to run under https: - create an .htaccess file and put this in to it

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}



For sensitive data, consider storing it in encrypted form, it is not that hard. I have posted an encryption class to encrypt/decrypt in this question

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_26868583.html#35068383
0
 
LVL 4

Expert Comment

by:max-hb
ID: 35156274
@bportlock: Is it really useful and/or necessary to serve all pages via https? IMHO it's much better to limit https to those pages where it is really needed. As far as I can see this is done e.g. by amazon.com and other big players.
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35156436
"Is it really useful and/or necessary to serve all pages via https?"

Who is it going to inconvenience? Will the server be complaining and demanding extra time off?
0
 
LVL 4

Expert Comment

by:max-hb
ID: 35156563
"Who is it going to inconvenience? Will the server be complaining and demanding extra time off?"

The point is:
a) SSL protected connections will consume more CPU power
b) SSL protected pages are not cachable by your browser

All in all it's a matter of performance. As I already mentioned look at the big global players like amazon or ebay - they offer https only for critical pages.
0
 
LVL 6

Expert Comment

by:My name is Mud
ID: 35157655
>>OK - just put the whole website to run under https: - create an .htaccess file and put this in to it

Less secured... create a file with the alias of the directory You wish to Secure only, or the whole site!!!

in /etc/httpd/conf.d

Like for example squirrelmail

Create a file like... squirrelmail.conf

#
# SquirrelMail is a webmail package written in PHP.
#

Alias /webmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
  RewriteEngine  on
  RewriteCond    %{HTTPS} !=on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

<Directory "/usr/share/squirrelmail/plugins/squirrelspell/modules">
  Deny from all
</Directory>
0
 
LVL 16

Author Comment

by:CWS (haripriya)
ID: 35164236
@wb, I didn't understand. Can you explain where to start.

Basically, what I want is to make only 5 pages secure out of 100 pages approx.
I don't want to edit all the pages. Give me a solution that is not time consuming.

Thanks.
0
 
LVL 16

Author Comment

by:CWS (haripriya)
ID: 35182426
Hi all,

This is the code I have now.

Here the first two rules work correctly. But once the https is called, it continues for all the other linked pages. For example, if I click 'About Us' page from the 'myaccount.php' page, the https is continued.

The last rule should redirect all https to http for all pages other than 'login.php' and 'myaccount.php'. I am not good at writing these rules.

So, any help is appreciated.
RewriteRule login.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteRule myaccount.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

RewriteCond %{REQUEST_URI} !^(login.php|myaccount.php)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]


0
 
LVL 4

Expert Comment

by:max-hb
ID: 35182824
Do you use some kind of CMS or any other system that creates links on the fly? If you have static links pointing to some http-Address they should not be changed by the https-protocol.
0
 
LVL 16

Author Comment

by:CWS (haripriya)
ID: 35185975
No, links are not created on the fly. I want the last rule to work correctly.
0
 
LVL 16

Accepted Solution

by:
CWS (haripriya) earned 0 total points
ID: 35186119
Everything works fine after adding the last rule in the .htaccess file of the virtual host for ssl.
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} !^(/login.php|/myaccount.php)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]


0
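
Added example (not part of the thread or any poster's code): a small Python model of the two RewriteCond lines in the accepted rule, run over constructed paths, to show which requests each REQUEST_URI pattern from the thread would keep on HTTPS. REQUEST_URI always begins with "/", which is why the first attempt's pattern can never match; the tightened pattern and the function names are assumptions of this example.

```python
import re

# Patterns copied from the thread: the first attempt and the accepted rule.
FIRST_ATTEMPT = r"^(login.php|myaccount.php)"
ACCEPTED = r"^(/login.php|/myaccount.php)"
# Tightened variant (an assumption of this example, not from the thread):
# escaped dots and an end anchor so only the two exact paths stay on HTTPS.
TIGHTENED = r"^/(login|myaccount)\.php$"


def downgrade_to_http(request_uri, server_port, keep_pattern):
    """Model only the two conditions of the accepted rule:

        RewriteCond %{SERVER_PORT} ^443$
        RewriteCond %{REQUEST_URI} !<keep_pattern>
        RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

    Returns True when the request would be redirected to http://.
    REQUEST_URI is the URL path and always starts with "/".
    """
    on_tls_port = re.search(r"^443$", str(server_port)) is not None
    is_kept = re.search(keep_pattern, request_uri) is not None
    return on_tls_port and not is_kept


def audit(keep_pattern, paths, port=443):
    """Return the paths that are NOT downgraded under keep_pattern."""
    return [p for p in paths if not downgrade_to_http(p, port, keep_pattern)]


# Constructed sample paths (not taken from the asker's site).
SAMPLE_PATHS = [
    "/login.php",
    "/myaccount.php",
    "/aboutus.php",
    "/loginXphp",       # kept only because "." is unescaped
    "/login.php.bak",   # kept only because there is no "$" anchor
    "/shop/login.php",  # not kept: the pattern is anchored at the start
]

if __name__ == "__main__":
    for name, pat in [("first attempt", FIRST_ATTEMPT),
                      ("accepted", ACCEPTED),
                      ("tightened", TIGHTENED)]:
        print(f"{name:14} stays on HTTPS: {audit(pat, SAMPLE_PATHS)}")
```
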
 
LVL 16

Author Closing Comment

by:CWS (haripriya)
ID: 35221355
I got the answer from a Google search!
0
