Greets,
I was wondering what the best way would be to do the following:
I have a user pull up a login web page form with two fields: user_id and user_password. The user_password field is set to type=password (e.g. **** for a 6 character password). I currently use an LDAP authentication model on NDS to authenticate the user_id with the password through a binding mechanism to NDS over ldaps://. This works just fine; it jockeys the whole transaction on the server side to the LDAP system over SSL with no problems. However, the text from the browser to the server is cleartext. This IS a problem.**
I have my Apache set up to support SSL (OpenSSL). I can serve https:// pages. However, what I would like to do is simply access my login page (the one with the form on it) via https:// (and no other way - users MUST submit passwords over SSL), but have all other pages be served over regular http:// (the data is not that sensitive).
What would be the best way to do this? Are there some tricks in Apache I should be using to force a single page (the login page) to be strictly https? Do I have to explicitly call https://loginpage.php from within my PHP scripts (like nav bars) or can Apache automatically know it's an https page and act accordingly? How can I get the alert message stating that you are leaving a secure page to go away without having the user modify their browser settings?
Or, can I create some sort of secure pipe from within an http PHP page that uses SSL to send the password and login name? The HTML isn't sensitive, it's the form data? If so, what would the best alternative for me be?
Any information or links would be greatly appreciated. I have poked around on my own a bit. I've looked briefly at cURL, and I have read the Wrox 'PHP Programming' book cover-to-cover. I am new to this, so any help will be beneficial.
Cheers,
Jason
