CWS (haripriya)
asked on
Make a few pages secure
Hi,
I've installed SSL in the server for a website. I want this only for a few pages where we collect the credit card information and processing pages. Website is written in php.
Any idea how this is usually done?
I'm not clear how far you have taken this process but...
1. Consider using a payment gateway instead, PayPal, WorldPay, Protx (SagePay), etc. Paypal is free. All of them remove the burden of PCI compliance which you will face if you do your own handling and PCI compliance is a PITA. http://www.pcicomplianceguide.org/pcifaqs.php
2. If you are not using a gateway then you will need an SSL Certificate from a signing authority (GeoTrust, VeriSign, etc) and an extra IP address on the webserver for SSL handling. You then need to add a new virtualhost with the IP and port 443 enabled and in the virtualhost you then link the SSL certificate - see this example http://www.digicert.com/ssl-certificate-installation-apache.htm
3. You will need to sign up to a card processing service and they will provide you with APIs to access the service with the card details you have taken. The details will depend on the payment service.
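Step 2 of the answer above written out as configuration, added here as an example and not bportlock's own config: a plain-HTTP virtual host next to one on port 443 that loads the certificate. The host name, document root, file name and certificate/key paths are assumptions, as is an Apache 2.4 server with mod_ssl loaded and a certificate file that holds the server certificate followed by the signing authority's intermediate chain (accepted by SSLCertificateFile since 2.4.8).

```apache
# Added example: /etc/httpd/conf.d/example-ssl.conf (file name, host and paths are assumptions).
# Assumes Apache 2.4 with mod_ssl loaded (LoadModule ssl_module modules/mod_ssl.so).

Listen 443

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    # Server certificate followed by the intermediate chain the signing authority supplied
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.fullchain.pem
    # Private key: keep it readable by root only (chmod 600)
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Refuse SSLv3 and the early TLS versions so only TLS 1.2 and 1.3 remain
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
</VirtualHost>
```

Run `apachectl configtest` before reloading, then `openssl s_client -connect www.example.com:443 -servername www.example.com` to confirm the full chain is served and no verification error is reported. Because this thread wants only some pages on https, do not add a Strict-Transport-Security header to the 443 host: HSTS makes browsers upgrade every URL on the host, which defeats the selective setup.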
ASKER
@max-hb,
Thanks for the code. I will check and get back to this.
@bportlock,
Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc.
hi cyberwebservice
you can call the starting page with https://servername/FirstCreditCardpage.php and when you leave the last credit card page in the flow of ssl pages you can explicitly call http://servername/Someotherpage.php
You don't need to explicitly mention the protocol in between credit card pages
"Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc."
OK - just put the whole website to run under https: - create an .htaccess file and put this in to it

RewriteEngine On
# Redirect any request that did not arrive over TLS to the same URL on https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

For sensitive data, consider storing it in encrypted form, it is not that hard. I have posted an encryption class to encrypt/decrypt in this question
https://www.experts-exchange.com/questions/26868583/best-place-to-store-session-on-shared-hosting.html#35068383
@bportlock: Is it really useful and/or necessary to serve all pages via https? IMHO it's much better to limit https to those pages where it is really needed. As far as I can see this is done e.g. by amazon.com and other big players.
"Is it really usefull and/or neccessary to serve all pages via https?"
Who is it going to inconvenience? Will the server be complaining and demanding extra time off?
"Who is it going to inconvenience? Will the server be complaining and demanding extra time off?"
The point is:
a) SSL protected connections will consume more CPU power
b) SSL protected pages are not cacheable by your browser
All in all it's a matter of performance. As I already mentioned look at the big global players like amazon or ebay - they offer https only for critical pages.
>>OK - just put the whole website to run under https: - create an .htaccess file and put this in to it
Less secured... create a file with the alias of the directory you wish to secure only, or the whole site!!!
in /etc/httpd/conf.d
Like for example squirrelmail
Create a file like... squirrelmail.conf
#
# SquirrelMail is a webmail package written in PHP.
#
Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
<Directory "/usr/share/squirrelmail/plugins/squirrelspell/modules">
Deny from all
</Directory>
ASKER
@wb, I didn't understand. Can you explain where to start?
Basically, what I want is to make only 5 pages secure out of approx. 100 pages.
I don't want to edit all the pages. Give me a solution that is not time consuming.
Thanks.
ASKER
Hi all,
This is the code I have now.
Here the first two rules work correctly. But once the https is called, it continues for all the other linked pages. For example, if I click 'About Us' page from the 'myaccount.php' page, the https is continued.
The last rule should redirect all https to http for all pages other than 'login.php' and 'myaccount.php'. I am not good at writing these rules.
So, any help is appreciated.
RewriteRule login.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteRule myaccount.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteCond %{REQUEST_URI} !^(login.php|myaccount.php)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]
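A rule set that does what the last rule in the post above is meant to do, added here as an example (it is neither the asker's file nor the accepted solution, which is not visible on this page). Two things stop the posted rules from working as intended: none of them tests %{HTTPS}, so a rule can fire on a request that already uses the scheme it redirects to, and %{REQUEST_URI} always begins with "/", so `!^(login.php|myaccount.php)` is true for every request and the exclusion never protects the secure pages. The two file names are the asker's; the other secure pages are assumed to be added to both alternations.

```apache
# Added example .htaccess in the web root (not the asker's file). Assumes mod_rewrite
# is enabled and AllowOverride permits RewriteEngine in this directory.
RewriteEngine On

# 1. A secure page requested over plain HTTP: send it to HTTPS.
#    %{REQUEST_URI} starts with "/", so the pattern must start with "/" too.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/(login|myaccount)\.php$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

# 2. Any other page requested over HTTPS: send it back to HTTP.
#    The %{HTTPS} test keeps this rule from firing again after the redirect.
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(login|myaccount)\.php$ [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
```

Use 302 while testing; browsers cache a 301, which makes later rule changes confusing to debug. Every page that receives a form posted from a secure page must be in the list, because redirecting a POST discards the submitted body. The security caveat that the thread skips: the session cookie set on login.php is sent in clear on every http page unless it carries the Secure flag, and with the flag the http pages cannot see the session at all, so any page that needs the logged-in session has to stay in the https list (which is bportlock's argument for running the whole site under https). Behind a load balancer that terminates TLS, %{HTTPS} is "off" on the backend and the X-Forwarded-Proto header has to be tested instead.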
Do you use some kind of CMS or any other system that creates links on the fly? If you have static links pointing to some http address they should not be changed by the https protocol.
ASKER
No, links are not created on the fly. I want the last rule to work correctly.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
I got answer from Google search!
Add this at the top of your https protected script:
CU
maxhb