Koobazaur Posted June 30, 2007

After a day of tweaking and configuring I finally managed to get SSL working on my Apache server. Hooray! Now, I am a little unclear about using it in regards to two things:

1) Forms - I am understanding that if I use a form to send POST data to a secure site (https) it will be automatically using the certificate (I did get a certificate dialogue when I tested it). Is that correct? Is there any extra coding I need to do on my part to use it with PHP, or just the standard form method post in an HTML file and $_POST['bla'] in my PHP?

2) In order to transfer the data safely, how should I set up my form send -> data receive sites?
a) The site with the form needs to be on the secure server (https://domain.com/form.php -> http://domain.com/receive.php)
b) The receiving site needs to be on the secure server (http://domain.com/form.php -> https://domain.com/receive.php)
c) BOTH sites need to be on secure servers (https://domain.com/form.php -> https://domain.com/receive.php)

3) Sessions... how do they work with SSL? Now, as I understand, whenever I refresh a page my browser sends the server a session cookie. If I am on the https:// secure protocol, does this cookie get encrypted as well? I.e. if using SSL, am I safe from someone listening to the traffic and stealing the session ID? If so, should ALL my websites that use the session ("members area") be on the secure protocol (this forum doesn't seem to be)? If not, and SSL does not encrypt the cookie, is there any other method of protection I can use?

4) If I set up my virtualhost in my Apache config file to a directory like secure_web/ so that when I type in https://blabal instead of http:// it retrieves files from there, is my job done as a server-side administrator? Can I just put my code in that folder and link to it via https:// and not worry about anything else?

Thanks for clarifications, I am still new to SSL and the documentation is pretty lacking, so I am trying to figure out how these things work.
ignace Posted June 30, 2007

1) Yes, just use the _POST superglobals.
2) b is recommended, c is even better.
3) Sessions are cookies on the server; you should only be worried about session hijacking etc... More about session security can be found within the source code of: http://pear.php.net/package/Auth
4) Yes, your job is done. However, I do not recommend putting secure files into the web root; I mainly put them in the real root.

Now, this is my advice, and it is solely supported by my current knowledge, so I sincerely recommend consulting other persons who are more advanced in SSL.

greetz, Ignace
Koobazaur Posted June 30, 2007 (Author)

> 3) Sessions are cookies on the server; you should only be worried about session hijacking etc... More about session security can be found within the source code of: http://pear.php.net/package/Auth

Yes, that's exactly my concern - if SSL doesn't encrypt cookies then someone could hijack another person's session ID and, consequently, gain access to their account.

I'll check out PEAR for DB stuff. However, I may be integrating my system with WordPress, so if anyone knows anything bad regarding WP's security I'd appreciate input on that.
Koobazaur Posted June 30, 2007 (Author)

So I read PEAR's Auth and it gave me some extra ideas on how to make my session less steal-able... But I still wonder if SSL encrypts sent cookies..?
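Added example for question 3, not code from the thread or from any poster: a PHP session bootstrap for an HTTPS-only members area. Inside a TLS connection the Cookie header is encrypted like the rest of the request, but the browser will still send the same cookie in the clear to any http:// URL on the host unless the cookie carries the `secure` flag, so the flag (plus `httponly`, cookie-only session ids and id rotation) is what turns "the page is https" into "the session id never crosses the wire unencrypted". Assumes PHP 5.2 or later, Apache setting `$_SERVER['HTTPS']`, and a hypothetical `check_credentials()` helper supplied by the application.

```php
<?php
// Added example (not from the thread). Call secure_session_start() before any output
// on every page of the members area, and secure_login() after verifying a password.

function secure_session_start()
{
    // Refuse plain HTTP outright: a session cookie sent over http:// is readable by
    // anyone on the path, no matter how the rest of the site is configured.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }

    // Cookie flags: lifetime 0 = browser session, path '/', domain '' = current host,
    // secure = true  -> browser only ever sends it over HTTPS,
    // httponly = true -> not readable from JavaScript (limits theft via XSS).
    session_set_cookie_params(0, '/', '', true, true);

    // Accept the session id only from the cookie, never from ?PHPSESSID=... in a URL,
    // which would otherwise leak it into logs, bookmarks and Referer headers.
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);

    session_start();

    // Rotate the id the first time this session is used, so an id that an attacker
    // planted beforehand (session fixation) is never carried into a real session.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);   // true = discard the old session file
        $_SESSION['initiated'] = true;
    }
}

// Promote an anonymous session to an authenticated one.
function secure_login($username, $password)
{
    if (!check_credentials($username, $password)) {   // hypothetical app helper
        return false;
    }
    // New id on privilege change: whatever id the pre-login session had is now useless.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['logged_in'] = time();
    return true;
}
```

With the cookie marked `secure`, a single http:// link into the members area only costs the visitor a redirect rather than exposing the session id, which is why the whole logged-in area, not just the login form, should live under https://.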