setting up secure pages and sessions

jgn

Dear Forum, I've been doing php for sometime but just doing my first secure site. I am usign shared ssl from my webhost. I setup my pages and tested a paymennt system and the test is ok but now need to move the pages that contain personal info to the secure folder. However I find that I cant reference my regular folders from the secure folders and my session variables are not being read from the secure folder. That could make sense because the whole essense is security but how do I set this up? Do I have to make copies of all the files (eg css, javascript) that are needed to make the pages work? How do I ensure the session is accessible so that I can pass info (eg the fact that a user is logged in) back and forth between secure and non secure pages?

etully

The reason that your sessions don't work anymore is that you're switching domains from www.yourdomain.com to www.your-isps-domain.com.

The solution, in my humble opinion, is to shell out the 18 bucks to get an SSL cert from rapidsslonline.com and use a web hosting company that will not force some obscure notion of secure folders on you. (By the way, I've tried the cert from Godaddy and it was not recognized by some major browsers. Rapidsslonline.com's cert works fine in all the major browsers).

It's true that you could make this work. There are tricks and hacks that will allow you to get your session to be recognized as you move from one domain to another. (The hacks involve putting invisible GIF's from your ISP's domain on your main web site and using PHP to write cookies onto the invisible gifs from their site). But why spend 10+ hours to learn to do it wrong when you could spend 18 bucks and do it right?

Also, when you use the "Share-Your-ISP's-Secure-Cert" trick, you are making yourself a little less secure. Imagine if I was shopping at your store and I noticed that your URL changes when you go into secure SSL mode. I could call up your ISP, sign up for web hosting service, put a web site there. Now, if any of your customers happen to come to my web site, I will be able to read all the cookies and sessions that you established for them on your secure site.

If you do it right (the normal way), there's no such thing as a "secure folder". You only have one web site - all your web files are grouped together. And all your files (no matter what folder they are in) can be served up in secure or unencrypted mode. That's the normal way of doing it. This idea of a "secure folder" is a hack that your ISP uses that allows you to piggyback on their secure cert.