NotionCommotion (Members; posts: 2,446; days won: 10)

Everything posted by NotionCommotion

  1. Thanks Ch0cu3r, That's right! Guess I once knew that but forgot it.
  2. Given the below rules and following browser input: user/joe/x

     RewriteEngine on
     RewriteRule ^user/(\w+)/?$ user.php?id=$1

     Why wouldn't user/joe/ be matched, resulting in user.php?id=joex?
  3. I believe the only risk with cookies is when JavaScript gets involved. I used the following to prove it to myself: http://forums.phpfreaks.com/topic/292517-cookies-per-subdomain/?p=1496965. As you indicate, HttpOnly should eliminate the concern. In regards to the admin part, my hopes were to identify whether it was subdomain.mydomain.com/index.php or subdomain.mydomain.com/anyAdminName/index.php. If the latter, I would use the DB to determine if anyAdminName was the admin name for subdomain, and act accordingly. Also, if I understood you correctly, they wouldn't be accessing admin.php, but index.php in the admin directory? How could this be implemented?
  4. Several reasons, but please continue reading as I think you are on to something with the admin part. joeq.yoursite.com can write cookies to .yoursite.com. I guess I need to live with this situation, or at least that joeq.sites.yoursite.com can write a cookie to .sites.yoursite.com. Might want to use other first level subdomains and not compete with joeq and the like over them. This is probably my primary reason. One level might make it more intuitive that the user is accessing a "site" domain. In regards to using /admin as the admin panel, that had been my original approach. Not only does it eliminate the need for another wildcard certificate, I could allow the user to change their admin folder name without the elusive multi-tier subdomain. Thank you; I will consider going back to this approach. My original implementation included a directory in /http for every site and an index.php file (or symbolic link) in both /http/joeq/ as well as /http/joeq/admin/ which I really didn't like. How would you advise setting up Apache (without creating a directory structure for each microsite as I previously did) so that joe.sites.yoursite.com goes to one location and joe.sites.yoursite.com/admin goes to another? Or if they both go to the same location, being able to differentiate the two using $_SERVER and PHP? Furthermore, I might have something like joeq.sites.yoursite.com/index.php?x=1&y=2&z=3 and joeq.sites.yoursite.com/admin/index.php?x=1&y=2&z=3. Or if I get fancy, show it as joeq.sites.yoursite.com/1/2/3 and joeq.sites.yoursite.com/admin/1/2/3 and use Apache rewrite for each. If I can't use fancy URLs, I suppose this is okay, but just need to know what I am getting into. Thanks
  5. Thank you Jacques, I will probably end up going with public.mysite.com and admin.mysite.com with wildcards for each. Not ideal due to the reasons discussed previously (bobs_site.public.mysite.com can write cookie to parent .public.mysite.com). Also, I wanted to give the ability of the owner of the microsite to change their admin domain (i.e. bobs_site.admin.mysite.com is changed to bobs_site.randomname.mysite.com). I suppose I could do so, and inform the user to expect the browser to state it is untrusted. If so, I probably also should put another domain level in place so it will look like bobs_site.randomname.admin.com in order to keep control of my first level subdomain space. Turns out https://www.digicert.com/ssl-certificate-comparison.htm doesn't offer multi-level subdomains. That being said, their customer service appears to be stellar.
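The cookie-scoping behaviour argued over in posts 3 to 5 above (a microsite host being able to set a cookie for its parent domain, a sibling host then receiving it, and HttpOnly keeping it away from script) can be checked directly against the rules in RFC 6265. The Python below is an added example and is not code from any post in the thread; the host names are the ones the thread uses, and the tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List that browsers consult.

```python
# Added example: RFC 6265 cookie scoping for the subdomain layout discussed above.
# Host names follow the thread; PUBLIC_SUFFIXES is a constructed stand-in for the
# real Public Suffix List that browsers consult.
from dataclasses import dataclass

PUBLIC_SUFFIXES = {"com", "net", "co.uk"}  # constructed, illustrative only


@dataclass(frozen=True)
class StoredCookie:
    name: str
    domain: str        # effective domain, leading dot removed
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    http_only: bool    # True when Set-Cookie carried HttpOnly


def domain_matches(host, domain):
    """RFC 6265 5.1.3: host domain-matches domain if equal, or host ends in '.' + domain."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def store_cookie(request_host, name, domain_attr=None, http_only=False):
    """Model a user agent processing Set-Cookie from request_host (RFC 6265 5.3).
    Returns the StoredCookie, or None when the UA must discard the cookie."""
    request_host = request_host.lower()
    if domain_attr is None:
        # No Domain attribute: host-only cookie, bound to exactly request_host.
        return StoredCookie(name, request_host, True, http_only)
    domain = domain_attr.lower().lstrip(".").rstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return None  # cannot scope a cookie to a public suffix such as ".com"
    if not domain_matches(request_host, domain):
        return None  # Domain must be request_host itself or one of its parents
    return StoredCookie(name, domain, False, http_only)


def cookies_sent_to(jar, request_host, from_script=False):
    """Names of jar cookies a UA would attach to a request for request_host.
    from_script=True models document.cookie, which never exposes HttpOnly cookies."""
    request_host = request_host.lower()
    sent = []
    for c in jar:
        if from_script and c.http_only:
            continue
        if c.host_only and request_host != c.domain:
            continue
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        sent.append(c.name)
    return sent


def microsite_scenario():
    """Three cookies set by the microsite host joeq.sites.yoursite.com, then a check
    of which of them reach the sibling admin host, the parent site, and script."""
    origin = "joeq.sites.yoursite.com"
    jar = [
        store_cookie(origin, "hostonly"),                                  # no Domain attr
        store_cookie(origin, "sites", domain_attr=".sites.yoursite.com"),
        store_cookie(origin, "root", domain_attr=".yoursite.com", http_only=True),
    ]
    # A Set-Cookie naming a sibling host or a public suffix is discarded outright.
    assert store_cookie(origin, "sib", domain_attr="admin.sites.yoursite.com") is None
    assert store_cookie(origin, "tld", domain_attr="com") is None
    return {
        "joeq.sites.yoursite.com": cookies_sent_to(jar, "joeq.sites.yoursite.com"),
        "admin.sites.yoursite.com": cookies_sent_to(jar, "admin.sites.yoursite.com"),
        "www.yoursite.com": cookies_sent_to(jar, "www.yoursite.com"),
        "admin.sites.yoursite.com (script)": cookies_sent_to(
            jar, "admin.sites.yoursite.com", from_script=True),
    }


if __name__ == "__main__":
    for host, names in microsite_scenario().items():
        print(f"{host:40s} -> {names}")
```

Running it shows the point of the thread: the cookie scoped to .sites.yoursite.com set by joeq's microsite is sent to admin.sites.yoursite.com as well, the one scoped to .yoursite.com reaches every host under the site, and only the host-only cookie stays with joeq's host. HttpOnly hides a cookie from document.cookie but does not change which hosts receive it, so separating the public and admin name spaces (as the later posts settle on) is what limits the overlap, not HttpOnly.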
  6. Same old problem: http://forums.phpfreaks.com/topic/292550-two-sessions-in-a-given-script/ I have a site called mydomain.com and you can sign up to get your own microsite called public.jacques.sites.mysite.com with a backend called admin.jacques.sites.mysite.com.
  7. I asked StartSSL the following, and below is their reply. I suppose given the low price, I shouldn't be surprised. My intent was to have domains such as bla.someSpecificSubSite.sites.example.com. Requiring a separate certificate for each someSpecificSubSite is not an option. Is this typical?
  8. Thank you for your reply Jacques. Is this what you are looking for? Are they talking about my Linux servername? If so, how could that work if one had multiple VirtualHosts operating on the same machine with different certificates?

     bbb.bbb.sites.example.com uses an invalid security certificate.
     The certificate is only valid for the following names: *.example.com, example.com
     (Error code: ssl_error_bad_cert_domain)

     EDIT. Ah, I think I have a clue. The browser doesn't have a problem with https://blabla.example.com/, only when there is a second level subdomain.
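The browser error quoted in post 8 follows from the wildcard rule that StartSSL's reply in post 7 alludes to: a `*` in a certificate name stands for exactly one DNS label. The Python below is an added example (not code from the thread, StartSSL or mod_ssl) implementing the RFC 6125 section 6.4.3 rules as browsers apply them (wildcard accepted only as the whole leftmost label, matching one label) and reporting which name a certificate would have to carry for each host; the host names are the ones used in the thread.

```python
# Added example: certificate name matching per RFC 6125 6.4.3, as browsers apply it.
# Names are those from the thread above; no real certificate is parsed.

def hostname_matches(pattern, host):
    """True if certificate name `pattern` (a dNSName SAN or CN) covers `host`.
    Rules: case-insensitive; '*' is accepted only as the entire leftmost label,
    never within the top two labels ('*.com'), and it matches exactly ONE label, so
    '*.example.com' covers 'a.example.com' but not 'a.b.example.com' or 'example.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h                      # exact, case-insensitive comparison
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False                       # partial or deep wildcards are rejected
    if len(h) != len(p) or h[0] == "":
        return False                       # the wildcard consumes one non-empty label
    return p[1:] == h[1:]


def cert_covers(names, host):
    """A certificate is acceptable for host if any of its names matches."""
    return any(hostname_matches(n, host) for n in names)


def first_matching_name(names, host):
    """The certificate name that satisfied the check, or None."""
    return next((n for n in names if hostname_matches(n, host)), None)


def wildcard_that_covers(host):
    """The single wildcard name that would cover host, or None if host is too short."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    return "*." + ".".join(labels[1:])


def check_hosts(names, hosts):
    """For each host: the matching certificate name, or the name it would need."""
    report = {}
    for host in hosts:
        matched = first_matching_name(names, host)
        report[host] = matched or ("no match; needs " + (wildcard_that_covers(host) or host))
    return report


if __name__ == "__main__":
    # The StartSSL certificate from the thread: example.com plus one wildcard level.
    cert_names = ["example.com", "*.example.com"]
    for host, result in check_hosts(cert_names, [
        "example.com",
        "blabla.example.com",
        "bbb.sites.example.com",
        "bbb.bbb.sites.example.com",
    ]).items():
        print(f"{host:28s} -> {result}")
```

For the thread's certificate the report says blabla.example.com is covered by `*.example.com`, bbb.sites.example.com would need `*.sites.example.com`, and bbb.bbb.sites.example.com would need `*.bbb.sites.example.com`, which is exactly why a separate certificate per someSpecificSubSite was the answer in post 7.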
  9. This is a long post, but most of it is backup information, and I hope I don't scare you away. I created a self signed signature as follows:

     # Create the key
     openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out key.pem
     # Create the certificate signing request
     openssl req -new -key key.pem -sha256 -days 365 -out csr.pem
     # Remove pass-phrase from the key
     cp key.pem key.pem.tmp
     openssl rsa -in key.pem.tmp -out key.pem
     rm -f key.pem.tmp
     # Sign the certificate.
     openssl x509 -req -in csr.pem -signkey key.pem -sha256 -days 365 -out crt.pem
     cp key.pem /etc/pki/tls/private/key.pem
     cp csr.pem /etc/pki/tls/private/csr.pem
     cp crt.pem /etc/pki/tls/certs/crt.pem
     rm -f key.pem
     rm -f csr.pem
     rm -f crt.pem

     I've since gotten a Class 2 certificate from StartSSL so I will not need the above created crt.pem. I used the content in csr.pem above, and saved it as /etc/pki/tls/certs/startssl.crt. I set it up using example.com as the primary domain and *.example.com as the secondary domain. /etc/httpd/conf.d/ssl.conf includes more, but for discussion purposes, includes the following:

     LoadModule ssl_module modules/mod_ssl.so
     Listen 443
     <VirtualHost _default_:443>
         SSLEngine on
         SSLProtocol all -SSLv2
         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
         SSLCertificateKeyFile /etc/pki/tls/private/key.pem
         #SSLCertificateFile /etc/pki/tls/certs/crt.pem
         SSLCertificateFile /etc/pki/tls/certs/startssl.crt
         SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
         SSLCACertificateFile /etc/pki/tls/certs/startssl.crt
     </VirtualHost>

     /etc/httpd/conf/httpd.conf includes the following:

     ...
     ServerName example.com
     ...
     NameVirtualHost *:443
     <VirtualHost *:443>
         SSLEngine on
         SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
         #SSLCertificateFile /etc/pki/tls/certs/crt.pem
         SSLCertificateFile /etc/pki/tls/certs/startssl.crt
         SSLCACertificateFile /etc/pki/tls/certs/startssl.crt
         SSLCertificateKeyFile /etc/pki/tls/private/key.pem
         SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
         ServerName example.com
         ServerAlias *.example.com
         DocumentRoot /var/www/html
     </VirtualHost>

     When I restart httpd, I get the following:

     [root@vps tls]# service httpd restart
     Stopping httpd: [ OK ]
     Starting httpd: [ OK ]
     [root@vps tls]# tail /var/log/httpd/error_log
     [Thu Jan 22 12:25:24 2015] [notice] caught SIGTERM, shutting down
     [Thu Jan 22 12:25:24 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
     [Thu Jan 22 12:25:24 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
     [Thu Jan 22 12:25:24 2015] [notice] Digest: generating secret for digest authentication ...
     [Thu Jan 22 12:25:24 2015] [notice] Digest: done
     [Thu Jan 22 12:25:24 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
     [Thu Jan 22 12:25:24 2015] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.18 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
     [root@vps tls]# tail /var/log/httpd/ssl_error_log
     [Thu Jan 22 12:25:24 2015] [warn] RSA server certificate wildcard CommonName (CN) `*.example.com' does NOT match server name!?
     [Thu Jan 22 12:25:24 2015] [warn] RSA server certificate wildcard CommonName (CN) `*.example.com' does NOT match server name!?
     [root@vps tls]#

     When I access the site, the browser states: This Connection is Untrusted

     Questions...
     Does not the actual VirtualHost extend the _default_ VirtualHost?
     Why is SSLEngine on required in both (seems to have an error when I remove it in the actual VirtualHost)?
     Should the keys be in the _default_ VirtualHost, or the actual one, or both? Seems like some of the directives need to be in both, which surprised me as I thought one was extended off the other.
     When are SSLCertificateFile and SSLCACertificateFile required? Why the difference?
     Why the errors and untrusted connection?
     Thank you
  10. Short answer is yes. It is more of a JavaScript question. When the user changes the field, you send an Ajax request to the server, and then your PHP will check it against the DB and send back a status. Do you use jQuery? If so, there is a validation plugin which has a remote method which will do what you are looking for.
  11. Your script has no choice but to redirect to google or msn. Get rid of the else statement and second redirect to msn, and just display your form. Also, please use the code tags <> around your script. Lastly, try to make your script look "pretty". Not only is it easier for others to read, doing so will prevent you from making simple mistakes. While I never used them, a quick Google search of "online php beautifier" produced many results such as http://beta.phpformatter.com/ and http://phpbeautifier.com/.

      <?php
      function redirect_to($new_location) {
          header("Location: " . $new_location);
          exit;
      }
      // Guard the lookup so a plain GET of the page does not raise an undefined index notice
      $page_ok = isset($_POST['firstName']) ? $_POST['firstName'] : '';
      if ($page_ok == "userFirstName") {
          redirect_to("http://www.google.com");
      }
      /*
      else {
          redirect_to("http://www.msn.com");
      }
      */
      ?>
  12. Don't they already have them in your div list? Or are you trying to create this list? What are you starting with? Some array which contains what?
  13. I agree with the post but with a caveat. If you are just starting off, you want it to be fun and you want to see results. The basics of security are not fun (at least for most of us), but I agree they are important. I recommend using PDO and prepared statements as it will get you 90% there, and putting a sticky note on your monitor to learn more before you deal with other people's sensitive information.
  14. Don't know why, but this just struck me as humorous. Well, I'm a user. Sometimes, I just need to protect me from myself!
  15. Thanks Jacques, Fine job stating your case, and I agree with most if not all of it. Am a little curious if the greater community agrees, however, I feel I have what I need. Thanks again. Michael
  16. I know of two approaches, and there are certainly more. Post the data to the server using a traditional form. If the data validates, save the data in the db and use http://php.net/manual/en/function.header.php with location to send to the next page. If it doesn't validate, redisplay the page (potentially redirecting as well). Post the data using Ajax. If the data validates, save the data in the db, echo success status (1), and use JavaScript to redirect to the next page. If it doesn't validate, echo no success status (0), display the error, and don't change the page.
  17. I suppose I mostly agree with your rationale. One aspect on which I am undecided is the id. Unlike the file or page, it doesn't identify a resource, only a record in the database. Not sure what you mean. There's a special parameter for requests triggered through Ajax? Why? Based on the page, I will create a controller object, and then invoke the applicable task method using $controller->$task. Do you disagree with this approach? If so, why?

      class controller_blog extends controller {
          public function display() {
              // Displays page HTML based on get request
          }
          public function searchBlogs() {
              // Displays JSON list based on get request
          }
          public function addComment() {
              // Adds comment based on POST request. Returns JSON or text to indicate status
          }
          public function addLike() {
              // Updates DB to indicate user likes blog based on POST request. Returns JSON or text to indicate status
          }
          public function logoff() {
              // Logs user off based on POST request. Will really be a method in controller and not controller_blog
          }
      }
  18. Good, I am glad you say so as I didn't agree with including all those parameters in the URL. You indicate that page (blog-posts) and id (321) should be URL parameters as they identify the resource. Okay, but so what? Why not put them all in the body? And what about task (typically only needed for Ajax requests when not display for GET requests or save for POST requests)? I suppose it identifies a resource, but will be different for GET and POST requests.
  19. Ah, I think I understand your position. If I have a form with various parameters, put the ones which might change state in the body and put the rest in the URL (i.e. id, page, controller, task, CSRF, etc). Correct? Why do you recommend doing so? Putting them all in the body allows them to be all accessed via the $_POST global. Also, please provide your thoughts on using the $_REQUEST global.
  20. Typically, I use the same form for editing an existing record and adding a new record, but use ID equal to zero for a new record. So, you recommend putting id of 0 in the URL? Also, if I had two forms on a given page whose action specified the same page/controller, I would need to also include a task in the URL and not the body? Makes coding a little more intensive unless I use the $_REQUEST superglobal. Previously, I had not used $_REQUEST since I wish to know exactly where it is coming from and didn't want it to include $_COOKIEs. But maybe I should be using it?
  21. I don't think so. It just appears as both since PHP decided to copy the URL parameters as the $_GET global.
  22. Thanks Psycho, Note that your referenced page wasn't included. I understand how GET requests should be used only for idempotent methods, and that is not what I am asking. It is my understanding that a request is either GET or POST and not both. But, my form displayed in my original post will populate both the GET and POST global variables. Whether a variable is included in the action doesn't indicate whether it will use a GET or POST request, but it does determine whether the GET global which is rather confusing.
  23. Not sure I understand. If I am saving record id #321 for page #4 with new values for username and blogtext, are you saying that id and page (and task unless I default to “save” for post requests) should be in the url and username and blogtext should be in the body?
  24. After wasting two hours investigating Apache and JavaScript which I suspected was redirecting my request, I realize my silly mistake. Previously, I always hard coded an action in my forms. I wish the form to be submitted to itself, and I recently started not including an action. Well, it works fine until you have a variable in both GET and POST, and you wish to use that variable to make a decision. Other than giving POST higher precedence than GET for this type of application, is there anything else I should have learned?

      <?php
      echo('<pre>'.print_r($_POST,1).'</pre>');
      echo('<pre>'.print_r($_GET,1).'</pre>');
      echo(isset($_GET['task'])?$_GET['task']:(isset($_POST['task'])?$_POST['task']:'default'));
      echo('<hr>');
      ?>
      <!DOCTYPE html>
      <html>
      <head>
          <title>post and get</title>
          <meta charset="utf-8" />
      </head>
      <body>
          <a href="testget.php?task=display">Link</a>
          <!-- No action: submits to the current URL, query string included -->
          <form method="post">
              <input type="submit" id="save1" value="Save" />
              <input type="hidden" name="task" value="save" />
          </form>
          <!-- Empty action: same as above -->
          <form method="post" action="">
              <input type="submit" id="save2" value="Save" />
              <input type="hidden" name="task" value="save" />
          </form>
          <!-- Explicit action: the query string from the current URL is dropped -->
          <form method="post" action="testget.php">
              <input type="submit" id="save3" value="Save" />
              <input type="hidden" name="task" value="save" />
          </form>
      </body>
      </html>
  25. Yea, I know. The problem was with my poor naming convention of under/over. I use Redhat/Centos, whose default is /var/www/html/ as the Apache root. As such, I typically put files related to the website but not web accessible (my php script and private documents) in /var/www/, and either put a single index.php or symbolic link in /var/www/html/