http and https -- getting it right

zzz

My new server allows us to use the same directory for SSL and non-SSL content.

This appears to be quite a convenient option to make some of our scripts work without hastling what files to pull etc.

However I assume we'd need to use absolute paths for images and other includes in order to avoind "non-secure content present..." errors. Am I correct?
If yes, how secure is it to use absolute path for images; won't I be giving too much security information?

Couldn't I just use some sort of re-write in that case to display a path that will not give too much information? If yes, please point me into the right direction how to do that.

zzz

OK, I might've lived up to my signatore and overcomplicated the matter as always.

Relative paths is all I needed. Got it.

Another question: because I use the same directory for SSL and non-SSL content, ths using relative paths, I do not wish to keep the entire site under HTTPS once someone clicks on a secure link. How do I get them back to HTTP is the area does not need to be protected. SSL sure slows things down a bit. Is placing http://domain.... for unsecured links the only way to go?

toplay

You don't necessarily have to specify absolute paths but can do relative too (i.e. ../../pic.jpg). The important thing is not to specify "http://" when you're on a secure page (and vice-versa). So, you either use absolute/relative paths, or you have to dynamically change "http://" links to "https://" (or vice-versa).

FYI: A function to detect if you're on a secure page or not:
http://www.phpbuilder.com/board/showpost.php?p=10660408&postcount=3

hth.

zzz

Yes, I figured out what path to use and it works fine. My questions is hot to get them back to HTTP on the pages that do not require HTTPS.

Also i was using this to detect HTTPS:

if ($_SERVER['SERVER_PORT'] == 443) {
   echo "HTTPS";
}

toplay

I posted before I saw your second post here. Anyway, yeah you can use that. I just don't like to rely on the port number. The SSL is usually on port 443, but it's customizable and a particular web host might use something else, and I like my code to be portable (in case I change hosts).

As to your last question: I assume you know about the header() function already. Once you know you're on a secure page (through the means we've already discussed) then use the header with location redirect to transfer the visitor/user to a non-secure ([url]http://)[/url] page.

Example:

// or with my function: if (secureConnection()) {
if ($_SERVER['SERVER_PORT'] == 443) {
   header('Location: http://www.example.com/script.php');
   exit;
}

🙂

zzz

I think I'm getting a bit confused. This is a good solution to detect whether you're under https or not and display headr correctly. My problem is that both my SSL and no-SSL contect is under the same directory. So, once you click to a page that requires HTTPS, every time ou click on any other link it'll just keep openning pages under HTTPS, since i use relative links.

Said that, I believe I have two ways to change that: Change the links to non SSL pages to absolute path i.e. http://domain... or create a list of pages that have to be non HTTPS and make my function sniff them.

Am I getting too far into the woods here?

😕

toplay

What I said in my previous post still holds true. Whenever you know you want to go from secure to non-secure, you have to redirect using the http:// (even if it's the same page) and all your relative links should be fine (because you manually and intentionally switched from https: to http🙂.

zzz

No, I understand I need to use HTTP. My problem is that I use one header include file...