tags:

views:

97

answers:

5
+2  Q: 

https login form

What should i consider when switching a simple(user+pass) login form from http to https? Are there any differences when using https compared to http?

From what i know the browser won't cache content server over https, so page-loading might be slower, but other that that i know nothing about this.

Anyone has any experience with this things?

+4  A: 

When switching over to https consider that ALL web assets (images, js, css) must be coming from a https domain, otherwise your user will get warnings about unsecure transmission of data. If you've got any hard coded urls you'll need to dynamically change them to https.

Ben Rowe
yep, same goes for external links with redirect of some kind.
eugeneK
A: 

The security layer is implemented in the webserver (e.g. Apache), while your login is implemented at the business logic (your application).

There's no difference for your business logic to use http or https, by the time you receive the request, it's going to be the same, because you receive it decrypted. The web server does the dirty job for you.

As you say, it might be a little bit slower because the web server has to encrypt / decrypt the requests.

As Ben says, all the resources have to come from the secure domain, otherwise some browsers get really annoying (such as IE) with the warnings.

pakore
Setting cookies as https-only is done by the "business layer", not by the webserver...
ThiefMaster
+5  A: 

Do not mix secure and non-secure content on the same site as browsers will display annoying warnings if you do so.

Additionally, set cookies as https-only when the users uses https so they are never sent over a http connection.

ThiefMaster
+1  A: 

I would add that you should prefer to send your url parameters via post instead of get, otherwise you may be leaving private data all over the place in logfiles, browser windows, etc.

jskaggz
A: 

From what i know the browser won't cache content server over https

Provided you send caching instructions in the headers then the client should still cache the content (MSIE does have a switch hidden away to disable caching for HTTPS - but it defaults to caching enabled, Firefox probably has similar).

The time taken for the page to turn will be higher - and much more affected by network latency due the additional overhead of the SSL handshake (once encryption has been negotiated the overhead isn't that much, but depending on your webserver and how its configured you probably won't be able to use KeepAlives with MSIE).

Certainly there will be no difference to your PHP code.

C.

symcbean