views: 193
answers: 2

I know the general definition, but I need more details on how to implement them in general and in PHP specifically, and what exactly are the features I gain from them?

+4  A: 

SSL stands for "Secure Socket Layer", and it's a method of encrypted HTTP communication (among other things). It encrypts the traffic between a web browser and a server, making it possible to send secure data without fear of eavesdropping.

SSL is a web-server level technology, and has nothing to do with PHP. You can enable any web server with SSL, whether it has PHP on it or not, and you don't have to write any special PHP code in order to make your PHP pages show up over SSL.

There are many, many guides to be found on the internet about how to set up SSL for whatever webserver you might be using. It's a broad subject. You could start here for Apache.

zombat
SSL is now TLS http://en.wikipedia.org/wiki/Transport_Layer_Security
TWith2Sugars
+1  A: 

some web servers are configured to mirror the whole site, so you can get every page over http or https, depending on what you prefer, or how the web browser sends them around. https is secure, but a bit slower and it puts more strain on your hardware.

so you might implement your site and shop as usual, but decide to put everything from the cart to the checkout, payment and so on under https. to accomplish this, all links to the shopping cart are absolute and prefixed with https:// instead of http://. now, if people click on the shopping cart icon, they're transferred to the secure version, and because all links from there on are relative again, they stay there.

but! they might replace the https with http manually, or go on the unencrypted version using a malicious link, etc.

in this case, you probably might want to check if your script was called over https (_SERVER["SERVER_PROTOCOL"], afaik), and deny the execution if not (good practice). or issue a redirect to the secure site.

on a side note: https is not using ssl exclusively anymore, tls (the successor to ssl, see rfc2818) is more modern

rule of thumb: users should have the choice if they want http or https in noncritical environments, but forced to use https on the critical parts of your site (login/cart/payment/...) to prevent malicious attacks.

Schnalle
very interesting! Can you provide more info on 2 points: 1- how can they call my "https://example.com/pay.php" by calling "http://example.com/pay.php"? if my file "pay.php" is located in the https folder, shouldn't they get something like "Page Not Found"? 2- from a developer side, I don't really need to worry about the SSL or TLS or how it's being configured on the server, since there isn't much I can do about them, is there? Basically there will be something like 2 folders set up, "http" and "https", on the server, and I get to choose what to do from there on, right?
MAK
if there are 2 different folders, then the site isn't mirrored, and the above stuff doesn't really affect you. what I was talking about is that some servers are configured in a way that http and https are both pointed to the same folder. and yes, on the dev side it doesn't make a difference if there's SSL or TLS.
Schnalle
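The check-and-redirect that the second answer describes for a mirrored site, written out as an added example (not code from either answer): the script looks at `$_SERVER['HTTPS']`, the variable PHP itself sets for TLS requests, and bounces plain-HTTP GETs to the https URL while refusing non-idempotent requests outright. The host name `example.com` and the `CANONICAL_HOST` constant are placeholders chosen for this example.

```php
<?php
// Added example for a site where the same script is reachable over both
// http:// and https://, so the script must verify how it was reached.

// Placeholder: use your own host rather than trusting the request's Host header,
// which the client controls and which could steer the redirect elsewhere.
const CANONICAL_HOST = 'example.com';

function is_https(): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value (IIS uses "off" when
    // not encrypted) for requests that arrived over TLS. Port 443 is a
    // secondary hint. Behind a reverse proxy you would instead inspect a
    // forwarded-proto header, but only for proxies you actually trust.
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443;
}

function require_https(): void
{
    if (is_https()) {
        return;
    }
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    // Only redirect GET/HEAD. A POST with card or login data over plain HTTP
    // has already been exposed in transit; refusing it avoids replaying it.
    if ($method !== 'GET' && $method !== 'HEAD') {
        http_response_code(403);
        exit('This page must be requested over HTTPS.');
    }
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

require_https();

// Past this point the request is known to be over TLS. Ask browsers to keep
// using https for this host so a hand-edited http:// link is upgraded before
// it leaves the client; also keep the session cookie off plain HTTP.
header('Strict-Transport-Security: max-age=31536000');
ini_set('session.cookie_secure', '1');
session_start();
```

Put this at the top of the cart, checkout and payment scripts (or in a shared include) rather than relying on the links being absolute https:// URLs.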