tags:

views:

81

answers:

3

I have a program written in PHP, and I'd like to make sure that login pages etc. are all served over SSL. Is there any good start to finish tutorial for doing so?

Also, does this affect my code in any way, or is it just a matter of getting an SSL cert, and setting up a server correctly?

A: 

It should not affect your code. Add mod_rewrite rules to your Apache config. Yes, just obtain an SSL cert (you'll need to pay to have it signed by Verisign or another certificate authority).

mcandre
+2  A: 

StartSSL
SSL certificates (class1) from StartSSL are free.
The site also contains information on installing the certificate.

Codewise
If your HTML code contains absolute URLs ("http://domain.com/...") to:

  • stylesheets
  • images
  • javascripts

Internet Explorer will complain "This page contains both secure and non-secure items".
Use relative URLs if you can, or link to "https://some-domain.com/..." URLs.

Bob Fanger
A: 

Firstly, a word of warning: if you are considering using SSL, it's because you have something to protect. Therefore take the time to understand what you are doing every step of the way. Security (not just SSL) is a minefield even for the experienced.

I don't know of any tutorials, but there are plenty of gotchas you have to be aware of.

Rolling your own SSL cert for testing purposes is free, but you will need to install it on your server.

Most of the time your code does not need to be any different for an SSL page or a non-SSL one, as the code itself is SSL agnostic, but as Bob says you must be careful of things like images.

Also redirects can cause popups to warn the user of redirections.

To test whether the code is being called from a browser using SSL, check the SSL flag $_SERVER['HTTPS']; this should be a non-empty value if SSL is being used.

// $_SERVER['HTTPS'] is not set at all on plain-HTTP requests under Apache (and is "off" on IIS),
// so test the value instead of reading it unconditionally
$ssl_is_on = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

Personally I prefer to keep my SSL code in a separate folder altogether and use Apache to direct all SSL connections to that folder. That way I can be confident a script that should be protected by SSL is not called from a non-SSL connection.

If you are logging them in under SSL and then redirecting them to non-SSL pages, you may need to account for domains and cookies. For example, I always use a different domain for SSL, normally https://secure.blah.com, and then redirect them to the non-secure domain http://www.blah.com, so your cookie domain will need to be blah.com. The default is the full domain name, which means cookies for secure.blah.com won't be sent to www.blah.com, and therefore your users will never be logged in.

Don't use this technique if you use a shared domain name; otherwise you could have a problem with cookie information being leaked.

DC

DeveloperChris
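The HTTPS check, the forced redirect for scripts that must only run over SSL, and the shared cookie domain from the answers above, put together in one script as an added example (not code from any of the answers). It assumes PHP 7.1+, Apache's mod_php populating $_SERVER, and the hypothetical hosts secure.blah.com and blah.com from DeveloperChris's setup.

```php
<?php
// Added example, not code from any of the answers. Assumes PHP 7.1+ and
// Apache's mod_php populating $_SERVER; the hosts below are hypothetical.
const SECURE_HOST   = 'secure.blah.com';  // SSL vhost (DeveloperChris's scheme)
const COOKIE_DOMAIN = 'blah.com';         // shared parent so www.blah.com gets the cookie

/**
 * True when the request arrived over SSL/TLS. Apache sets $_SERVER['HTTPS'] to
 * "on" for SSL requests and leaves it unset otherwise; IIS sets it to "off" on
 * plain HTTP, so test the value rather than just its presence.
 */
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * The https:// URL of the same page on the secure host. The host is fixed, not
 * taken from the Host header, so a forged header cannot steer the redirect.
 */
function https_url_for(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';   // path plus query string
    return 'https://' . SECURE_HOST . $uri;
}

/**
 * Call at the top of every script that must only run over SSL (login.php,
 * account pages): plain-HTTP visitors are redirected before any form is
 * rendered, so credentials are never posted in the clear.
 */
function require_https(): void
{
    if (request_is_https($_SERVER)) {
        return;
    }
    header('Location: ' . https_url_for($_SERVER), true, 301);
    exit;
}

// Session cookie scoped to the shared parent domain so a login issued on
// secure.blah.com survives the redirect to www.blah.com. The "secure" flag
// must stay false for that cross-scheme flow; HttpOnly keeps scripts out.
session_set_cookie_params(0, '/', COOKIE_DOMAIN, false, true);

require_https();   // bounce to https://secure.blah.com/... if needed
session_start();
```

As the last answer warns, a cookie domain of blah.com is sent to every subdomain, so keep this layout only when you control the whole domain.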