
what does SSL affect?


dadamssg87


I've been coding PHP for a while now and have never worked with e-commerce. Looking into starting to develop my own e-store. Payment gateways require your site to have SSL. Does SSL affect any of the PHP code? Why doesn't every PHP coded site have SSL if it protects your site? Anything I should look out for? I'm not even sure how to implement the SSL but I want to get an idea of what I need to be prepared for. Thanks.


Oh ok... I just wanted to double check. I didn't want to code something like I normally would, install the certificate and have the PHP act up.

 

My understanding is that you have to apply to purchase an SSL certificate by inputting your business's information, get approved, and then somehow activate the certificate on your server. I've obviously never used it and can't seem to find anything on the web that fully explains the process, from applying to implementing, whether it affects any of the server code, how much the things cost, and how long it generally takes to apply and implement it.

 

If anyone who has worked with SSL certificates could point me to a tutorial or walk me through the process I'd be greatly appreciative.

 

Also, I realize this doesn't pertain to the PHP coding section now particularly, so if the admins would move the post that'd be cool too.


The only thing that you will need to consider is your actual HTML. On the pages that require SSL (https://), i.e. your checkout and payment pages, make sure that the HTML does not use absolute links containing a non-https:// URL, i.e.

On the following URL https://www.yourwebsite.com/payment.php make sure the HTML contains nothing like:

<img src="http://www.yourwebsite.com/images/credit-card.jpg" />
or
<img src="http://www.paypal.com/images/paypal.jpg" />
or
<link href="http://www.yourwebsite.com/style.css" type="text/css" media="screen" rel="stylesheet" />

If you do then the browser will throw warning popups, as you are including non-encrypted elements on an encrypted page. You may have seen this before on other websites.

 

 

To obtain and install a certificate for the first time is a bit daunting; however, it really depends on the server and OS you are running. If you are on a Microsoft server then I cannot help. If you are running Linux on a WHM/cPanel server then there are screens in the control panel that will obtain and install a certificate on your domain. You can also speak to your web host; it's pretty easy really.

 

However, if you have your own dedicated server running Apache with SSH access you will need to do the following.

1. Make sure you have a spare IP address on your server. If not, get one. It must be unique and not used by any other website on your server.

2. Generate a Certificate Signing Request using OpenSSL. If you haven't got OpenSSL install it using: yum install openssl. Follow these instructions: http://www.geotrust.com/resources/csr/apache_mod_ssl.htm

3. Purchase a certificate. You can get a cert using the CSR you have generated from http://www.pecdomains.com/ or http://www.godaddy.com There are loads to choose from.

4. Download the issued certificate and modify your Apache httpd.conf. You will need to upload the CRT and KEY files that you get to the paths you put into your httpd.conf file (usually /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key). An example is here http://www.flatmtn.com/article/setting-ssl-certificates-apache (see from point 4). The host entry for your domain must use the IP address you added to the server earlier.

5. Restart your Apache web server (service httpd restart)

6. Update the DNS A record on your domain with the IP address you added to your server earlier. Wait for your domain to resolve to this address before you continue.

7. Test your website using the https:// protocol. If it works you can change the links in your website to use the https:// url when secure pages are referenced.

8. Done

 

It is a lot but your web host should also be able to help.

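As an added example that is not part of the thread, here is a PHP script that checks a page's markup for the problem the reply above describes: absolute http:// references on a page that will be served over https://. The sample markup is constructed for this example and reuses the URLs from the post; the function names findMixedContent and rewriteOwnHostLinks are chosen here.

```php
<?php
// Added example, not code from the thread: find absolute http:// references
// in markup that will be served over https://, the situation the reply above
// warns about. The sample markup is constructed for this example and reuses
// the URLs from the post; the function names are chosen here.

/**
 * Return a description of every sub-resource reference that uses an absolute
 * http:// URL. Only attributes that make the browser fetch or submit something
 * are checked; a plain <a href> to http:// is navigation, not mixed content.
 * An empty array means the page is clean.
 */
function findMixedContent(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // tolerate sloppy markup quietly
    $doc->loadHTML($html);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    $attrs = $xpath->query(
        '//img/@src | //script/@src | //iframe/@src | //source/@src'
        . ' | //link/@href | //form/@action | //object/@data'
    );

    $offenders = [];
    foreach ($attrs as $attr) {
        $url = trim($attr->value);
        // Relative paths, "//host/path" and https:// all inherit or use TLS;
        // only an explicit http:// scheme is insecure on a https page.
        if (stripos($url, 'http://') === 0) {
            $offenders[] = sprintf('<%s %s="%s">', $attr->ownerElement->tagName, $attr->name, $url);
        }
    }
    return $offenders;
}

/**
 * Rewrite absolute http:// URLs that point at our own host into root-relative
 * paths, so they pick up whatever scheme the page itself was served with.
 * Third-party URLs are left alone: those need an https:// address from the
 * third party, or a local copy of the asset.
 */
function rewriteOwnHostLinks(string $html, string $host): string
{
    $pattern = '~\bhttp://' . preg_quote($host, '~') . '(/[^"\'\s>]*)?~i';
    return preg_replace_callback($pattern, function (array $m): string {
        return (isset($m[1]) && $m[1] !== '') ? $m[1] : '/';
    }, $html);
}

// Constructed sample page, as if it were https://www.yourwebsite.com/payment.php
$sample = <<<'HTML'
<html><head>
<link href="http://www.yourwebsite.com/style.css" type="text/css" rel="stylesheet">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://www.yourwebsite.com/images/credit-card.jpg">
<img src="http://www.paypal.com/images/paypal.jpg">
<img src="/images/logo.png">
<form action="https://www.yourwebsite.com/charge.php"></form>
</body></html>
HTML;

foreach (findMixedContent($sample) as $hit) {
    echo "insecure reference: $hit\n";
}

$fixed = rewriteOwnHostLinks($sample, 'www.yourwebsite.com');
echo count(findMixedContent($fixed)) . " reference(s) still insecure after rewrite\n";
```

Run it with the PHP CLI (it needs the dom extension). The own-host references are fixed by making them root-relative; the PayPal image is deliberately left flagged, because an asset on someone else's host can only be fixed by using their https:// URL or by hosting a copy yourself.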

Other things to consider are the version of SSL you're going to enable on your site, SSLv2 / SSLv3, the ciphers you are going to permit, and whether your cookies and sessions are going to have the Secure flag set. You might also want to consider that there is increased latency when using SSL, and using SSL might put a more significant load on your server.


thanks for the tips. Good stuff to know.

 

Hey Neil,

 

I was under the impression that you just apply the SSL certificate to a certain directory and put all the files that handle the data you want secure in there. That doesn't seem to be the case if I shouldn't add non-https links. I was thinking I would code the majority of the pages and files in a non-https directory and then once they've filled their shopping cart send them to the checkout part which would be in the https directory. Am I completely wrong in thinking that I could do that? Or should do that? Or is it the fact that I COULD do that but it would warn the user every time they'd switch from the normal to the SSL certified directory?


No you are not wrong, that is often what people do --> build the cart and then only send them to https on checkout.

 

If it is cleaner for you to keep the https scripts inside a particular directory that is fine. But again, the https server is in essence a totally different Apache vhost with its own configuration section.

 

The important thing described above is that you can't mix http and https served elements on the same page without getting a bunch of obtrusive warnings, so you need to make sure that everything on your page (every .js, .css or image) is being served through https. This is what he was referring to. For this reason it's probably going to be undesirable to have 2 copies of all those assets just so you can have them in a directory that you consider https:// only stuff. You could however put the scripts there, and it might not be a bad idea, in that if anyone attempts to access those items using http:// you use a rule in the .htaccess file to redirect them to https://.

 

Quite honestly there are a lot of different techniques possible, and a fair degree of complexity. Step 1 is just to get the https server configured properly. If you're doing commerce then you'll need to buy a real certificate from an established cert vendor, and configure your Apache. If this is for an internal system or intranet application you can get by with a self-signed cert.

 

Get everything configured so that your whole site will come up under either http or https and then go from there, without worrying about these other issues until you have that working.

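As an added example that is not part of the thread, here is the PHP side of two points raised in the replies above: redirecting a checkout page that was requested over http:// to https://, and giving the session cookie the Secure flag. The host name is a placeholder and the function names (requestIsHttps, httpsRedirectTarget, secureSessionCookieParams) are chosen here; the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread: force https:// on the checkout
// pages and mark the session cookie Secure, two items raised in the replies
// above. The host name is a placeholder; the function names are chosen here.

/**
 * Did this request arrive over TLS? Apache's mod_ssl sets $_SERVER['HTTPS']
 * to "on". Behind a TLS-terminating proxy the scheme arrives in
 * X-Forwarded-Proto instead; that header is client-controlled, so it is only
 * honoured when $trustProxy is explicitly true.
 */
function requestIsHttps(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Return the https:// URL to redirect to, or null when the request is already
 * secure. The caller sends the Location header; keeping the decision in a
 * function makes it easy to exercise with a hand-built $_SERVER array.
 */
function httpsRedirectTarget(array $server): ?string
{
    if (requestIsHttps($server)) {
        return null;
    }
    $host = $server['HTTP_HOST'] ?? 'www.yourwebsite.com';   // placeholder host
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

/**
 * Session cookie settings to apply before session_start(): Secure so the
 * browser never sends the cookie over http, HttpOnly so page scripts cannot
 * read it, path "/" so every page of the site shares the same session.
 */
function secureSessionCookieParams(): array
{
    return [
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Usage at the top of checkout.php, before any output is sent:
$target = httpsRedirectTarget($_SERVER);
if ($target !== null) {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        // A form POSTed over plain http has already crossed the wire in the
        // clear; refuse it rather than silently replaying it over https.
        http_response_code(403);
        exit('This form must be submitted over https.');
    }
    header('Location: ' . $target, true, 301);
    exit;
}
session_set_cookie_params(secureSessionCookieParams());
session_start();
$_SESSION['cart'] = $_SESSION['cart'] ?? [];
```

One consequence worth knowing before choosing the "cart over http, checkout over https" layout: once the cookie carries the Secure flag the browser will not present it on http:// pages, so a cart built over http and a checkout over https will not see the same session. The simplest way to have both the Secure flag and a session that carries across is to redirect the whole site to https, which also makes the mixed-content problem go away.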

I'm not sure I follow. Your suggestion here...

 

You could however put the scripts there, and it might not be a bad idea,

 

I plan on using CodeIgniter's MVC framework so I'm trying to figure out how to best use my directories. Would something like the following suffice?

 

Regular HTTP directory - holds all of CodeIgniter's normal files

 

Secure HTTPS directory - holds all images, CSS, JavaScript

 

The thing I'm concerned with is how to pass session variables (shopping cart contents) from the regular http directory to the secure https directory. I would assume that session wouldn't be valid in the https directory. And I would also probably have to copy all of the normal CodeIgniter framework into the https directory because every webpage from an MVC requires several files from several directories. Guess I would just be better off just using the https directory...

 

Also, I have cPanel on my hosting account and they look like they generate and provide SSL certificates free. These are the same as I would be buying from a 3rd party, right? Not sure what you mean by "real certificate". Thanks again.

 

 


As for the session -- you want the session to be valid for your entire domain. It will survive the transition from http to https.

 

When you configure the vhost for SSL, simply have it map to the same docroot in the same way as your normal site. You will then have the ability to serve up the same files as either http or https. The only problem comes if you hardcoded URLs into things, but since you are using a framework that should have URL helpers I don't see why that should be a concern. I have never used CI so I can't speak to that specifically, but other people who frequent the site probably have, so you can always make another thread indicating a CI specific question and probably will get a more specific answer on that.

 

The cPanel is going to automate making a self-signed cert. That is not acceptable for a website that is doing ecommerce. You will need to pay for a cert from a real Certificate Authority.

 

In layman's terms, when you have a cert, it needs to be cryptographically "signed" by a "certificate authority". Browsers come with a pre-configured list of known CAs. When you start an SSL connection and the certificate gets sent to the browser, a little handshake occurs where the browser checks with the CA to confirm that they issued it, and that all the information matches. The browsers are all configured to squawk if anything is amiss, and they will always display a message for self-signed certificates (where you act as your own "unofficial" CA and generate the cert and "sign" it yourself, because you are not one of the official CAs that the browsers ship with).

 

When you buy a real certificate, there is a process involved where you have to provide information to the CA that identifies your business, and in general allows them to vouch for your entity.  This is part of the process in terms of ecommerce, and purely from a technical standpoint is key to preventing "man in the middle" exploits. 

 

 

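As an added example that is not part of the thread, the following PHP script does step 2 of the Apache walkthrough earlier in the thread (generate the private key and the Certificate Signing Request) with PHP's openssl extension rather than the openssl command line, and then plays the part of a certificate authority to show the difference the reply above draws between a CA-signed certificate and a self-signed one. The CA, the distinguished names and the function names (newRsaKey, newCsr, issueCert, signedBy) are placeholders chosen for this example; in reality the CA's certificate is one the browser already ships, and the CSR goes to the vendor you buy from.

```php
<?php
// Added example, not code from the thread: step 2 of the Apache walkthrough
// (generate the key and CSR) done with PHP's openssl extension instead of the
// openssl command line, followed by a stand-in CA that signs the CSR, to show
// the difference described above between a CA-signed and a self-signed cert.
// All names and the CA are placeholders for the example; in reality the CA's
// certificate is one the browser already ships.

/** Generate a 2048-bit RSA key pair. Its PEM export is the KEY file for httpd.conf. */
function newRsaKey()
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    return $key;
}

/**
 * Build a CSR for $commonName signed by $key. Returns the CSR plus its PEM
 * text, which is what you paste into the certificate vendor's order form.
 */
function newCsr($key, string $commonName, string $org): array
{
    $dn = [
        'countryName'      => 'US',
        'organizationName' => $org,
        'commonName'       => $commonName,  // must be the exact https:// host name
    ];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR generation failed: ' . openssl_error_string());
    }
    openssl_csr_export($csr, $pem);
    return [$csr, $pem];
}

/**
 * Turn a CSR into a certificate. With $caCert === null the CSR's own key signs
 * it (self-signed); otherwise $signingKey must be the CA's key and the result
 * is what a vendor sends back as the CRT file.
 */
function issueCert($csr, $caCert, $signingKey, int $days)
{
    $serial = random_int(1, 0x7FFFFFFF);
    $cert = openssl_csr_sign($csr, $caCert, $signingKey, $days,
        ['digest_alg' => 'sha256'], $serial);
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $cert;
}

/**
 * Does $cert carry a signature made by the key behind $trustedCert? This is
 * the core of what a browser checks against its bundled CA list. A browser
 * also checks validity dates, the host name and CA constraints, none of which
 * openssl_x509_verify() looks at.
 */
function signedBy($cert, $trustedCert): bool
{
    return openssl_x509_verify($cert, openssl_pkey_get_public($trustedCert)) === 1;
}

// Stand-in root CA: root certificates are self-signed, and it is the copy of
// this certificate shipped in the browser that makes it "official".
$caKey  = newRsaKey();
[$caCsr] = newCsr($caKey, 'Example Root CA', 'Example CA Ltd');
$caCert = issueCert($caCsr, null, $caKey, 3650);

// The shop: walkthrough step 2. $csrPem goes to the vendor, $keyPem to ssl.key.
$siteKey = newRsaKey();
[$siteCsr, $csrPem] = newCsr($siteKey, 'www.yourwebsite.com', 'Your Shop Ltd');
openssl_pkey_export($siteKey, $keyPem);
echo $csrPem;

$issued     = issueCert($siteCsr, $caCert, $caKey, 365);   // what the vendor returns
$selfSigned = issueCert($siteCsr, null, $siteKey, 365);    // a do-it-yourself certificate

var_dump(signedBy($issued, $caCert));      // signed by a CA the browser knows about
var_dump(signedBy($selfSigned, $caCert));  // signed by nobody the browser trusts
```

The two var_dump lines are the whole point: the same key pair and the same CSR produce a certificate the browser accepts when a CA it knows signed it, and one it warns about when only the site's own key signed it. The private key never leaves the server in either case; only the CSR is sent to the vendor.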
