Re: SSL php code
From: Sean (sdemerchREMOVE_at_REMOVEhotmail.com)
Date: 01/13/05
- Next message: Sean: "Re: SSL php code"
- Previous message: Sean: "Re: SSL php code"
- In reply to: Spam Bill Gates: "Re: SSL php code"
Date: Wed, 12 Jan 2005 16:31:14 -0800
On Wed, 12 Jan 2005 20:26:07 GMT, Spam Bill Gates
<spqmbillgates@microsoft.com> reverently intoned upon the aether:
>
> Sean I am planning on exclusively using secure pages (ssl) after the user requests to login.
While all your links may be https://... there is no way to guarantee
that a user will not change the address bar to reference the page as
http://...
>
> I want some standardized php code on every page to verify with every hit that it is being accessed
> via ssl.
>
> If it is not no information should be displayed to the user other than a redirect to the login
> page.
See the code snippet below. This will securely redirect to a login
page. My original code snippet simply redirected the browser back to the
same page using ssl rather than unencrypted communications.
> I plan to exclusively use the post method when a user enters data into one of my pages that
> will be self referenced to the php page that sent it. The data entered by the user will be pulled
> up with the self referenced page and php code will do the appropriate sql insert/update/selects and
> display the appropriate results to the user.
Please make sure you validate all user input or you can end up
creating an easily hacked website with little effort on your part.
You might take a look at:
http://www.owasp.org/documentation/topten.html
as a starting point for securing your web application. All using
HTTPS/SSL does is encrypt the data between the web server and the
client; it in no way provides any security for the site as a whole.
Or visit google and try the following sets of search terms:
SQL Injection
Cross Site Scripting
Web Application Security
A site with more helpful info is:
http://www.securityfocus.com/infocus/foundations
>
> If I use your idea will my data thats sent with a post method have no problems if the user uses a
> ssl connection to my server?
Yes, if the user connects using SSL/HTTPS, then the POST data will be
properly transmitted. If they fail to use SSL, then the POST data
will be lost when they are redirected to the login page (see modified
code snippet below).
>
> My limited knowledge at this point makes me think I will not be able to get the data using a post
> method to the php code that needs it assuming the user is maintaining a secure connection to my
> server if I use your logic.
>
> I hope this makes sense. Is my concern unfounded???
Yes, the POST data will be lost on a redirect. But since the access
to the site was invalid losing the POST data is reasonable (if it is a
possible attack, do not trust the data).
This version of code will redirect a visitor to the login.php page if
they do not connect using SSL.
-------------------------------------------------------------------------------------
$site = 'www.whereever.net';
// Construct the proper https login string for this page.
$ssl_Secure_SCRIPT_URI = "https://$site" . $_SERVER['PHP_SELF'];
// Ensure the user accesses this page using the secure URI, otherwise
// redirect them to the login page. SCRIPT_URI is only populated by Apache
// when mod_rewrite is active, so treat a missing value as "not secure".
$script_uri = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : '';
if( strcasecmp($script_uri, $ssl_Secure_SCRIPT_URI) != 0 ){
    header("Location: https://$site/login.php"); // Redirect browser
    exit;
}
-------------------------------------------------------------------------------------
Beyond this, creating a login system in PHP is easy; creating a secure
login and session validation scheme is a lot more challenging.
hope this helps,
Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."
- Martin Luther King Jr. (1929-1968)
Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
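The following is an added example, not code from Sean's post. It shows the "standardized code on every page" the question asks for, written against what PHP itself reports about the connection (`$_SERVER['HTTPS']`) rather than against the mod_rewrite-only `SCRIPT_URI` variable, and then shows the self-posted form being handled with a prepared statement beside the string-concatenation version Sean warns about. It assumes PHP 7.4 or later with the PDO SQLite driver, TLS terminated on the web server itself (forwarded-proto headers from a proxy are deliberately not trusted), the hostname from the post, and a made-up `users` table. The HSTS response header is an addition that addresses the address-bar problem Sean describes (browsers that have seen it will not load the host over plain http). The demo uses an in-memory SQLite database so it runs offline from the command line.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.4 with PDO SQLite,
// and that TLS terminates on this web server, so $_SERVER['HTTPS'] is authoritative.
declare(strict_types=1);

const SITE_HOST = 'www.whereever.net';                 // hostname taken from the post
const LOGIN_URL = 'https://' . SITE_HOST . '/login.php'; // fixed target, never built from input

/**
 * True only when the SAPI reports that this request arrived over TLS.
 * Apache/nginx+FPM set $_SERVER['HTTPS'] to a non-empty value for TLS requests;
 * IIS sets it to the literal string 'off' for plain HTTP, hence the explicit test.
 * X-Forwarded-Proto is not consulted: any client can send it, so it is only
 * trustworthy behind a proxy known to strip and rewrite it, which is not assumed here.
 */
function request_is_https(array $server): bool
{
    if (isset($server['HTTPS']) && $server['HTTPS'] !== '' && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443;
}

/**
 * Per-page prologue: if the hit is not over TLS, emit nothing but a redirect to
 * the fixed login URL and stop. As discussed above, a redirect drops any POST
 * body; that is acceptable because data that arrived in clear text is not trusted.
 */
function require_https(array $server): void
{
    if (request_is_https($server)) {
        // HSTS: browsers that have seen this will refuse plain http for the host
        // for the next 180 days, even if the user edits the address bar.
        header('Strict-Transport-Security: max-age=15552000');
        return;
    }
    header('Location: ' . LOGIN_URL, true, 302);
    exit;
}

/**
 * DO NOT USE: the value is spliced into the SQL text, so an input such as
 * "x' OR '1'='1" changes the query (and returns every row) instead of being
 * compared as data. Shown only as the "before" of the hardened version below.
 */
function lookup_user_unsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened version: the value is bound as a parameter, so it is sent apart from
 * the SQL text and compared literally; the same injection string matches nothing.
 */
function lookup_user_safe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demo(): void
{
    // Constructed in-memory database (made-up table) so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

    $payload = "x' OR '1'='1"; // classic injection string, as if taken from $_POST['username']
    printf("unsafe lookup returned %d row(s)\n", count(lookup_user_unsafe($db, $payload)));
    printf("safe lookup returned   %d row(s)\n", count(lookup_user_safe($db, $payload)));
}

// On a real page: call require_https($_SERVER) as the very first statement, then
// read $_POST and use lookup_user_safe(). From the command line we run the demo only.
if (PHP_SAPI === 'cli') {
    demo();
} else {
    require_https($_SERVER);
}
```

Run it with `php example.php` to compare the two lookups on the same injection string. Note that `require_https()` must run before any output is sent, because `header()` has no effect once the response body has started.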