Having issues setting up secure pages on Shared Hosting

[TeknikalTim]

Seeking help setting up a secure page for Login and Registration Pages.  The trouble I have is I have hosting on streamline.net my non secure site is on (http://www.teknikaltim.co.uk) but If I create a login page that has the action set to my ssl hosting (https://teknikaltim.ssl-01.com/) the links will break also I heard it's not good practice to encrypt every page due to loading times.  I paid my hosting provider £30 for ssl and it's not working as I hoped it would IE have https://teknikaltim.co.uk/login/ .  This is going to make keeping sessions between the secure pages and non secure pages difficult?

 

Another Problem I have is the ssl site has PHP Version 5.1.2.  And I have loads of classes that preferably I would only want to load the ones I need in an auto loader but I get an Unexpected Function or ( in init.php on line 17

 

for the time being I have changed the code to include the classes but not all.

 

The pages I would like to make secure are:

http://www.teknikaltim.co.uk/login

http://www.teknikaltim.co.uk/register

http://www.teknikaltim.co.uk/servicecalls

 

they all transmit personal details i.e. Usernames, Names,Surnames,Email Addresses, passwords etc

 

I am wanting to learn so not looking for someone to do it for me but to point me in the right direction 

 

Many thanks

[dalecosp]

Assuming a couple of things here:

 

1.  No important data is in the session prior to login that cannot be "re-created" afterwards, and:

 

2.  The "SSL server" is the same physical machine as the non-SSL server and uses the same storage mechanism for $_SESSION data.


If both of these are true, you can start a new session on the HTTPS login page and then pass the session ID to the non-SSL pages via GET:

session_start(); //start a session
 
// do ... whatever your login stuff is ..
$authorized = my_auth_function($user,$pass);

if ($authorized == 1) {
   $sid = session_id();
   header("location: http://mysite.com/index.php?s=$sid");
}

[Jacques1]

Hi,

 

first of all, running around with PHP 5.1 is suicidal. This version was abandoned back in 2006(!) and didn't receive any updates since then. If your hoster installed it for you, they're not doing their job.

 

Secondly, they gave you a wrong certificate. This one is only valid for secure39.prositehosting.co.uk, which probably isn't very helpful for you.

 

It is good practice to encrypt all pages. Don't let some moron tell you otherwise. If you only do partial encryption, this is the perfect opportunity for an attacker to jump in and prevent the user from ever establishing an encrypted connection. TLS (or “SSL” as you call it) really only makes sense if there are no loopholes.

 

Don't base your decisions on “I've heard somebody say something”. If you're worried about performance issues, you need to actually measure the performance. If it's fine, there is no problem. Otherwise, there are many different ways to optimize TLS.

 

 

 

 

 

 

 

[TeknikalTim]

Thanks guys for your advice.  I have contacted my hoster to upgrade the php version on the server this afternoon but they haven't responded yet.  I guess I'll need to wait until tomorrow for there reply.  Happy Easter Friday

[TeknikalTim]

I replied to them after they told me they had 5.2 installed and said that I wasn't happy with the service they were providing me on the ssl server (which is a different physical machine from what they replied with)

Date: 2014-04-19 08:57:57  Ticket Number: 848862  From: Streamline.Net ( Support )

 

Hi (my full name was here),

Thank you for your query

We fully understand your situation and your need to have the most up to date version of the SSL space. As the SSL we offer is shared and is on a different platform than our regular hosting server, it has different version of PHP and Apache Server and at the moment, its version is fixed. We have this raised to our Engineers to see if this can be applied.

Please be aware at times it is not always possible to integrate all suggested changes into our systems (shared server), and for those that we do, there is a long development cycle to ensure the integration concludes in a stable and secure manner. Should there be any updates on our softwares and server, we shall inform customers immediately.

With your site development, though the SSL has special security patch, we confirm though that our regular hosting server is packed with most up to date firewall and built in security. You could still load your website files on the regular space. However, if SSL is part of the requirement of your site configuration, we are afraid, the shared SSL we offer may not provide you your necessity.

Should you not be able to use this facility, we can remove it and process a refund request from our higher Billing Team.

Kind regards
The Streamline.net team - Web hosting made easy

Find answers to frequently asked questions and search our range of how-to articles at the Streamline.net Support Centre http://www.streamlinesupport.net/

[TeknikalTim]

so from the last reply I'm guessing I can't use a get request from the ssl server to link back to my unsecured pages with the session ID.  I don't want to put my site fully on the ssl because I don't like the look of the url that they provide on the ssl servers, but on the other hand people now know not to provide personal details on non https pages.  Should I go with the refund or stick with it?  I'm this (<-->) close to switching providers but since I have a multi site package and i'm hosting 2 (1 for a friend 1 for a cousin) other websites out of 10 in total including mine, i'm reluctant to switch.

[TeknikalTim]

For now I've told them I wan't a refund on my ssl