Make a few pages secure

Hi,

I've installed SSL in the server for a website. I want this only for a few pages where we collect the credit card information and processing pages. Website is written in php.

Any idea how this is usually done?
CWS (haripriya)Asked:

max-hbCommented:
You could redirect all http access to your pages to the corresponding https connections.

Add this at the top of your https protected script:
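<?php
// Redirect plain-HTTP requests for this script to the same URL over HTTPS.
// $_SERVER["HTTPS"] is empty on plain HTTP; IIS (ISAPI) sets it to "off" instead.
if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] === "off") {
    $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: $newurl");
    exit(); // stop here so nothing is rendered over plain HTTP
}
?>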

CU
 maxhb
0
Beverley PortlockCommented:
I'm not clear how far you have taken this process but...

1. Consider using a payment gateway instead, PayPal, WorldPay, Protx (SagePay), etc. PayPal is free. All of them remove the burden of PCI compliance which you will face if you do your own handling and PCI compliance is a PITA. http://www.pcicomplianceguide.org/pcifaqs.php

2. If you are not using a gateway then you will need an SSL Certificate from a signing authority (GeoTrust, VeriSign, etc) and an extra IP address on the webserver for SSL handling. You then need to add a new virtualhost with the IP and port 443 enabled and in the virtualhost you then link the SSL certificate - see this example http://www.digicert.com/ssl-certificate-installation-apache.htm

3. You will need to sign up to a card processing service and they will provide you with APIs to access the service with the card details you have taken. The details will depend on the payment service.
0
CWS (haripriya)Author Commented:
@max-hb,
Thanks for the code. I will check and get back to this.

@bportlock,
Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc.
0
grouper15Commented:
hi cyberwebservice

you can call the starting page with https://servername/FirstCreditCardpage.php and when you leave on the last credit card page from the flow of ssl pages you can explicitly call http://servername/Someotherpage.php

You don't need to explicitly mention the protocol in between credit card pages
0
Beverley PortlockCommented:
"Credit card processing is just an example I gave, but actually for storing the bid amounts, details etc."

OK - just put the whole website to run under https: - create an .htaccess file and put this in to it

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

For sensitive data, consider storing it in encrypted form; it is not that hard. I have posted an encryption class to encrypt/decrypt in this question

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_26868583.html#35068383
0
max-hbCommented:
@bportlock: Is it really useful and/or necessary to serve all pages via https? IMHO it's much better to limit https to those pages where it is really needed. As far as I can see this is done e.g. by amazon.com and other big players.
0
Beverley PortlockCommented:
"Is it really useful and/or necessary to serve all pages via https?"

Who is it going to inconvenience? Will the server be complaining and demanding extra time off?
0
max-hbCommented:
Who is it going to inconvenience? Will the server be complaining and demanding extra time off?
The point is:
a) SSL protected connections will consume more CPU power
b) SSL protected pages are not cacheable by your browser

All in all it's a matter of performance. As I already mentioned look at the big global players like amazon or ebay - they offer https only for critical pages.
0
My name is MudSystems EngineerCommented:
>>OK - just put the whole website to run under https: - create an .htaccess file and put this in to it

Less secured... create a file with the alias of the directory You wish to Secure only, or the whole site!!!

in /etc/httpd/conf.d

Like for example squirrelmail

Create a file like... squirrelmail.conf

#
# SquirrelMail is a webmail package written in PHP.
#

Alias /webmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
  RewriteEngine  on
  RewriteCond    %{HTTPS} !=on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

<Directory "/usr/share/squirrelmail/plugins/squirrelspell/modules">
  Deny from all
</Directory>
0
CWS (haripriya)Author Commented:
@wb, I didn't understand. Can you explain where to start.

Basically, what I want is to make only 5 pages secure out of 100 pages approx.
I don't want to edit all the pages. Give me a solution that is not time consuming.

Thanks.
0
CWS (haripriya)Author Commented:
Hi all,

This is the code I have now.

Here the first two rules work correctly. But once the https is called, it continues for all the other linked pages. For example, if I click 'About Us' page from the 'myaccount.php' page, the https is continued.

The last rule should redirect all https to http for all pages other than 'login.php' and 'myaccount.php'. I am not good at writing these rules.

So, any help is appreciated.
RewriteRule login.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteRule myaccount.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

RewriteCond %{REQUEST_URI} !^(login.php|myaccount.php)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]

0
max-hbCommented:
Do you use some kind of CMS or any other system that creates links on the fly? If you have static links pointing to some http address they should not be changed by the https protocol.
0
CWS (haripriya)Author Commented:
No, links are not created on the fly. I want the last rule to work correctly.
0
CWS (haripriya)Author Commented:
Everything works fine after adding the last rule in the .htaccess file of the virtual host for ssl.
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} !^(/login.php|/myaccount.php)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]

0
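
Why the condition in this post exempts the two pages while the earlier attempt did not, as an added example that is not part of the original thread: a simplified Python model of the RewriteCond lines, relying on the fact that mod_rewrite's %{REQUEST_URI} always starts with "/". The host shop.example, the sample requests and the TIGHTENED pattern are constructed for illustration.

```python
import re

# Simplified model (an assumption, not Apache code) of the rule block
#   RewriteCond %{SERVER_PORT} ^443$             (absent in the first attempt)
#   RewriteCond %{REQUEST_URI} !<exempt_pattern>
#   RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
# %{REQUEST_URI} is the URL path without query string and starts with "/".

FIRST_ATTEMPT = r"^(login.php|myaccount.php)"    # pattern from the earlier post
WORKING_RULE = r"^(/login.php|/myaccount.php)"   # pattern from the final post
TIGHTENED = r"^/(login|myaccount)\.php$"         # constructed: escaped dots, end anchor


def downgrade_target(port, host, request_uri, exempt_pattern, check_port=True):
    """Return the http:// URL the rule would send the client to, or None."""
    if check_port and not re.search(r"^443$", str(port)):
        return None                  # RewriteCond %{SERVER_PORT} ^443$ not met
    if re.search(exempt_pattern, request_uri):
        return None                  # negated RewriteCond not met: page is exempt
    return "http://" + host + request_uri


def report(pattern, check_port=True):
    """Run constructed sample requests through the model: (port, path) -> target."""
    samples = [(443, "/login.php"), (443, "/myaccount.php"), (443, "/about.php"),
               (443, "/login.php.bak"), (443, "/loginXphp"), (80, "/about.php")]
    return {(port, uri): downgrade_target(port, "shop.example", uri, pattern, check_port)
            for port, uri in samples}


if __name__ == "__main__":
    for name, pattern, check_port in [("first attempt", FIRST_ATTEMPT, False),
                                      ("working rule", WORKING_RULE, True),
                                      ("tightened", TIGHTENED, True)]:
        print(name)
        for request, target in report(pattern, check_port).items():
            print("  ", request, "->", target)
```
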

CWS (haripriya)Author Commented:
I got answer from Google search!
0