
Sorry for the confusion. To clarify my question: the session will be created over SSL and will stay encrypted. While users browse using normal HTTP, I'm asking if I "require" an SSL page that verifies the users' session, will it run in SSL, or will it simply be a part of the parent page, which is in HTTP and which will be unable to retrieve the session ID because the session is saved in HTTPS?

I'm currently working on a secure member login with PHP.

A login form will redirect to an SSL URL (i.e. HTTPS) to keep the password safe for people who are logging in over an unencrypted network/wifi.

The only problem is, I can't think of any way to "securely" pass the user's login session from HTTPS to HTTP.

So I was thinking of using "require_once" from PHP, which includes a file URL starting with https. The included file will create a session under HTTPS, and all I have to do is simply require that page in every authentication-required page.

The only issue is, I'm not too sure whether the "required file" will run under HTTPS or whether the code will simply be included in the parent page and run under HTTP.

In other words, how exactly does include or require work (does the function run the code as a separate page, or simply include the code in the parent page and run it there)? I searched the PHP manual, but I wasn't able to find the answer. Also, I can't test it myself because I don't have an SSL license yet.

Also, any suggestions on building a secure login using HTTPS (just for login) in combination with HTTP for the rest of the user interface?

    There'd be no point in protecting the actual login mechanics, if someone can just sniff the session cookie's value after things return to a normal unencrypted link. Commented Jul 4, 2011 at 20:24

3 Answers


include() and require() will only go 'external' and do an HTTP-type request if the path you're providing to them looks like a URL (e.g. 'http://....'). Otherwise it's interpreted as a local file request and does NOT involve the HTTP layer.

There's no practical difference to PHP whether a script was requested via HTTP or HTTPS, except that there'll be extra SSL-specific entries in $_SERVER. Includes/requires still work as they would if the script were running in a non-SSL environment, and the script can still do CURL requests and whatnot. Remember that the SSL link is established by the server and the client browser BEFORE PHP is invoked, and applies only to the client<->server communications. Anything the script does with external resources will only involve SSL if those resources are themselves requested via a completely separate SSL request.

You cannot "turn on" SSL from within a PHP script. There's no mechanism in HTTP to dynamically migrate a link from a regular unencrypted port 80 to an encrypted port 443 within the same request. You can redirect the client towards an SSL url, but that involves a completely new HTTP request - the original request started as non-SSL and will stay non-SSL.


1 Comment

This answers my question. Thanks for the reply. I wonder how some sites like twitter&facebook use ssl for login and use http after login verification.
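The following is an added example, not code from the question or the answer above, that shows the two points the answer makes: a require() of a local path runs the included code inside the parent request (same variable scope, same $_SERVER, so it sees whatever transport the parent had), and whether require() ever leaves the filesystem depends on the path looking like a URL plus the allow_url_include setting, not on the parent being served over TLS. It runs from the CLI; the $_SERVER['HTTPS'] values are simulated rather than set by a real TLS handshake, and the include file it writes is a throw-away stand-in for the "auth check" file the question describes.

```php
<?php
// Added example (not from the original answer). Run with: php demo.php

// Write a throw-away include file. In the real site this would be the
// "auth check" file the question wants to require on every page.
$checker = tempnam(sys_get_temp_dir(), 'authcheck');
file_put_contents($checker, <<<'PHP'
<?php
// This code runs inside whichever request included it. It has no transport
// of its own, so it can only report what the *parent* request looks like.
$over_tls = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$shared_counter++;               // variable scope is the parent's scope
return $over_tls ? 'https' : 'http';
PHP
);

function transport_seen_by_include(string $file, ?string $https_value): array
{
    // Simulate what the web server would put in $_SERVER for this request
    // (Apache/mod_ssl sets HTTPS=on; on a plain http:// request it is absent).
    if ($https_value === null) {
        unset($_SERVER['HTTPS']);
    } else {
        $_SERVER['HTTPS'] = $https_value;
    }
    $shared_counter = 0;
    $seen = require $file;       // executes inline, in this function's scope
    return ['seen' => $seen, 'counter' => $shared_counter];
}

// Same file, two different parent requests: the include reports whatever the
// parent's transport was. Nothing about the included file makes it "run in SSL".
var_dump(transport_seen_by_include($checker, 'on'));   // seen => "https", counter => 1
var_dump(transport_seen_by_include($checker, null));   // seen => "http",  counter => 1

// What decides whether require() leaves the local filesystem is the *path*,
// not the parent's transport. A URL path is honoured only when the (off by
// default) allow_url_include ini setting is on, and even then PHP fetches the
// remote script's *output* over a separate connection and parses that output
// as PHP; the remote server's TLS session is not attached to the parent request.
function require_would_fetch_remotely(string $path): bool
{
    $scheme = parse_url($path, PHP_URL_SCHEME);
    $is_url = in_array($scheme, ['http', 'https'], true);
    return $is_url && filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

var_dump(require_would_fetch_remotely('/var/www/auth_check.php'));            // false
var_dump(require_would_fetch_remotely('https://example.com/auth_check.php'));  // false unless allow_url_include=1

unlink($checker);
```

The second call shows the practical consequence for the question: on an http:// page the included checker sees an http:// request, because there is no separate request for it to "run in SSL" on.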

Edit: The below is an answer to the original question, which was phrased in a way that made it sound like the author only wanted the login page to be protected.


I assume that the reason you want to redirect back to HTTP is that the site contents itself isn't confidential, and that you only care about protecting the user's password and account. However, if you redirect the user back to HTTP after logging in, your site will be almost as insecure as if you didn't use HTTPS at all. Granted, HTTPS login will prevent the user's password from being sniffed, but anyone can use Firesheep or similar applications to steal the user's session id after login if you redirect back to HTTP - then, they can take over the account by changing the password (or simply act as the user without changing the password).

(While we're on the subject: why on Earth doesn't StackOverflow use HTTPS after login?) :-(

14 Comments

That is why I'm trying to use require with an https URL, so that the session stays safely behind SSL. The other pages will be processed over HTTP, and my question was: if I use "require" with an https URL, will it run on the SSL port?
Sorry for the confusion. To clarify my question: the session will be created over SSL and will stay encrypted. While users browse using normal HTTP, I'm asking if I "require" an SSL page that verifies the users' session, will it run in SSL, or will it simply be a part of the parent page, which is in HTTP and which will be unable to retrieve the session ID because the session is saved in HTTPS?
@jjj: That sounds better - but then, I can't answer, since I've almost never used PHP.
Why would stackoverflow encrypt our session? We don't have any sensitive information disclosed on the site. No encrypted transactions required, etc.
Well, I think that encrypting the login is important because you will be sending your password to the site in plain text. I know that Yahoo used to use MD5 for hashing the password (although I'm not too sure if they still do) via JavaScript, before the plain password left the user's computer.


In order to maintain security, you need to ensure the https:// is in the user's address bar at all times. You can't just include a file and expect it to be secure.

Think of it this way. Say you have a form on http:// and you make a curl call to https:// @ Verisign to post a credit card payment. That unencrypted data can easily be intercepted before it reaches Verisign's secure page.

If it's SSL, keep it SSL throughout the entire session. You'll notice on bank sites, there is usually a login button which directs you to an https:// page containing the form - OR they mix it by grabbing your username on the http:// page and then posting that to the https:// page before asking for your password. US Bank does this just to get the user engaged on the home page.

EDIT: To respond to the new clarification. I would not let a user browse http:// pages while logged in via https://. I would add this logic:

<?php
session_start();   // the session must be started before $_SESSION can be read

if(isset($_SESSION['LOGGED_IN_SSL']))
{
    // On a plain http:// request $_SERVER['HTTPS'] is usually absent rather than
    // "off", so test for empty() as well to avoid an undefined-index notice.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "off")
    {
        $url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
        header("Location: $url");
        exit();
    }
}

That would force the user to view the https:// version of whatever page he/she wishes to view.

1 Comment

Sorry for the confusion. To clarify my question: the session will be created over SSL and will stay encrypted. While users browse using normal HTTP, I'm asking if I "require" an SSL page that verifies the users' session, will it run in SSL, or will it simply be a part of the parent page, which is in HTTP and which will be unable to retrieve the session ID because the session is saved in HTTPS?
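The following is an added example, not code from any of the answers, that puts together the two mitigations the second and third answers argue for: the session cookie must never travel over HTTP (so a sniffer on the wifi never sees it, which is the Firesheep scenario), and logged-in pages must be served over HTTPS (the redirect in the answer above). It goes a step beyond the answers by also setting HttpOnly/SameSite on the cookie, regenerating the session ID at login, and sending an HSTS header. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params), a hypothetical CANONICAL_HOST constant standing in for your site's hostname, and a constructed one-user table in place of your real user store.

```php
<?php
// Added example (not from the original answers). Include this file from
// login.php and from every protected page.
declare(strict_types=1);

// Assumption: your site's real hostname. Used instead of $_SERVER['HTTP_HOST']
// so a forged Host header cannot steer the redirect to another host.
const CANONICAL_HOST = 'www.example.com';

function request_is_https(): bool
{
    // Apache/mod_ssl sets HTTPS=on; some servers set "1"; absent means plain HTTP.
    // Only trust a proxy's X-Forwarded-Proto header if a TLS-terminating proxy
    // you control is the only thing that can reach this server.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_secure_session(): void
{
    // The Secure flag is the real answer to the sniffing problem: the browser
    // never sends this cookie over http://, so an attacker on the wifi cannot
    // capture it even if the user later lands on an http:// page.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // cookie only travels over TLS
        'httponly' => true,     // JavaScript cannot read it (limits XSS theft)
        'samesite' => 'Lax',
    ]);
    session_start();
}

function verify_credentials(string $user, string $pass): bool
{
    // Constructed stand-in for your user store: one account, hashed at startup.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function handle_login(string $user, string $pass): bool
{
    if (!request_is_https()) {
        http_response_code(403);   // never accept a password over http://
        return false;
    }
    start_secure_session();
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // drop any pre-login (possibly fixated) ID
    $_SESSION['user'] = $user;
    $_SESSION['LOGGED_IN_SSL'] = true;
    return true;
}

function require_login(): void
{
    if (!request_is_https()) {
        // Redirect to the https:// version of this page before touching the
        // session. With a Secure cookie the browser would not have sent the
        // session ID to this http:// request anyway, so session_start() here
        // would only create a fresh, empty session.
        header('Location: https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
    start_secure_session();
    if (empty($_SESSION['LOGGED_IN_SSL'])) {
        header('Location: https://' . CANONICAL_HOST . '/login.php', true, 302);
        exit;
    }
    // Ask the browser to stay on https:// for a year, so the redirect above is
    // rarely needed and a link typed as http:// is upgraded before it is sent.
    header('Strict-Transport-Security: max-age=31536000');
}
```

With the Secure flag set, the "pass the session from HTTPS to HTTP" problem in the question disappears because there is nothing to pass: an http:// page simply never sees the logged-in session, and require_login() sends it to the https:// copy of itself instead.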
