
Having issues setting up secure pages on Shared Hosting


TeknikalTim


Seeking help setting up a secure page for login and registration pages. The trouble I have is that I have hosting on streamline.net. My non-secure site is on http://www.teknikaltim.co.uk, but if I create a login page that has the action set to my SSL hosting (https://teknikaltim.ssl-01.com/), the links will break. Also, I heard it's not good practice to encrypt every page due to loading times. I paid my hosting provider £30 for SSL and it's not working as I hoped it would, i.e. have https://teknikaltim.co.uk/login/. This is going to make keeping sessions between the secure pages and non-secure pages difficult?

Another problem I have is that the SSL site has PHP version 5.1.2. I have loads of classes, and preferably I would only want to load the ones I need in an autoloader, but I get an "Unexpected Function or (" in init.php on line 17.

For the time being I have changed the code to include the classes, but not all.

 

The pages I would like to make secure are:

http://www.teknikaltim.co.uk/login

http://www.teknikaltim.co.uk/register

http://www.teknikaltim.co.uk/servicecalls

 

They all transmit personal details, i.e. usernames, names, surnames, email addresses, passwords, etc.

I am wanting to learn, so I'm not looking for someone to do it for me but to point me in the right direction ;)

 

Many thanks


Assuming a couple of things here:

 

1.  No important data is in the session prior to login that cannot be "re-created" afterwards, and:

 

2.  The "SSL server" is the same physical machine as the non-SSL server and uses the same storage mechanism for $_SESSION data.


If both of these are true, you can start a new session on the HTTPS login page and then pass the session ID to the non-SSL pages via GET:

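session_start(); // start a session

// do ... whatever your login stuff is ..
$authorized = my_auth_function($user, $pass);

if ($authorized == 1) {
   $sid = session_id();
   // redirect to the non-SSL page, carrying the session ID in the query string
   header("Location: http://mysite.com/index.php?s=$sid");
   exit; // stop here so nothing else runs after the redirect
}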

Hi,

 

First of all, running around with PHP 5.1 is suicidal. This version was abandoned back in 2006(!) and hasn't received any updates since then. If your hoster installed it for you, they're not doing their job.

 

Secondly, they gave you a wrong certificate. This one is only valid for secure39.prositehosting.co.uk, which probably isn't very helpful for you.

 

It is good practice to encrypt all pages. Don't let some moron tell you otherwise. If you only do partial encryption, this is the perfect opportunity for an attacker to jump in and prevent the user from ever establishing an encrypted connection. TLS (or “SSL” as you call it) really only makes sense if there are no loopholes.

 

Don't base your decisions on “I've heard somebody say something”. If you're worried about performance issues, you need to actually measure the performance. If it's fine, there is no problem. Otherwise, there are many different ways to optimize TLS.

 

 

 

 

 

 

 

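An added example (not code from any poster in this thread) of the site-wide encryption the reply above recommends: every plain-HTTP request is redirected to HTTPS, an HSTS header is sent, and the session ID travels only in a Secure, HttpOnly cookie. The host name `www.example.test` and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumption: the certificate is issued for this placeholder host name.
const CANONICAL_HOST = 'www.example.test';

// Return the HTTPS URL a plain-HTTP request must be sent to, or null when
// the request already arrived over TLS.
function https_redirect_target(array $server)
{
    $flag = isset($server['HTTPS']) ? strtolower($server['HTTPS']) : '';
    if ($flag !== '' && $flag !== 'off') {
        return null;
    }
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // Use the fixed host, never the client-supplied Host header.
    return 'https://' . CANONICAL_HOST . $uri;
}

// Run at the top of every page, before any output.
function bootstrap(array $server)
{
    $target = https_redirect_target($server);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Tell the browser to refuse plain HTTP for this host for one year.
    header('Strict-Transport-Security: max-age=31536000');
    ini_set('session.use_only_cookies', '1'); // ignore session IDs in URLs
    ini_set('session.use_trans_sid', '0');    // never append them to links
    session_set_cookie_params(0, '/', CANONICAL_HOST, true, true); // Secure, HttpOnly
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Constructed $_SERVER samples so the redirect logic can be checked offline.
    $samples = array(
        array('REQUEST_URI' => '/login'),
        array('HTTPS' => 'off', 'REQUEST_URI' => '/register'),
        array('HTTPS' => 'on', 'REQUEST_URI' => '/servicecalls'),
    );
    foreach ($samples as $s) {
        var_export(https_redirect_target($s));
        echo "\n";
    }
} else {
    bootstrap($_SERVER);
}
```

Behind a TLS-terminating proxy, `$_SERVER['HTTPS']` may be unset and the check then has to read the scheme the proxy forwards instead. After a successful login, call `session_regenerate_id(true)` so the authenticated session does not reuse the pre-login ID.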

I replied to them after they told me they had 5.2 installed and said that I wasn't happy with the service they were providing me on the SSL server (which is a different physical machine from what they replied with).

Date: 2014-04-19 08:57:57 | Ticket Number: 848862 | From: Streamline.Net (Support)

 

Hi (my full name was here),

Thank you for your query

We fully understand your situation and your need to have the most up to date version of the SSL space. As the SSL we offer is shared and is on a different platform than our regular hosting server, it has a different version of PHP and Apache Server and at the moment, its version is fixed. We have this raised to our Engineers to see if this can be applied.

Please be aware at times it is not always possible to integrate all suggested changes into our systems (shared server), and for those that we do, there is a long development cycle to ensure the integration concludes in a stable and secure manner. Should there be any updates on our software and server, we shall inform customers immediately.

With your site development, though the SSL has a special security patch, we confirm though that our regular hosting server is packed with the most up to date firewall and built-in security. You could still load your website files on the regular space. However, if SSL is part of the requirement of your site configuration, we are afraid, the shared SSL we offer may not provide you your necessity.

Should you not be able to use this facility, we can remove it and process a refund request from our higher Billing Team.

Kind regards
The Streamline.net team - Web hosting made easy

Find answers to frequently asked questions and search our range of how-to articles at the Streamline.net Support Centre http://www.streamlinesupport.net/


So from the last reply I'm guessing I can't use a GET request from the SSL server to link back to my unsecured pages with the session ID. I don't want to put my site fully on the SSL because I don't like the look of the URL that they provide on the SSL servers, but on the other hand people now know not to provide personal details on non-HTTPS pages. Should I go with the refund or stick with it? I'm this (<-->) close to switching providers, but since I have a multi-site package and I'm hosting 2 other websites (1 for a friend, 1 for a cousin) out of 10 in total including mine, I'm reluctant to switch.
