Posted by Peter Chant on 08/21/05 19:08
Gordon Burditt wrote:
>>> The page you fill in your login information should be https: . It's
>>> not good enough that the page returned after you press the Log In
>>> button is https: . There seem to be quite a few e-commerce sites
>>> that make this mistake.
>>
>>Gordon,
>>
>>I'm not actually using PHP for authentication, rather basic authentication
>>via Apache.
>
> It doesn't matter. If you send it via http, it's not encrypted.
>
>>That way both my php and anything else like documents and
>>images are dealt with by apache. However, if I erroneously log in with
>>http to the port, it seems that the username and password dialog passes
>>the information unencrypted.
>
> There are a few ways to fix this problem:
>
> (1) Don't even *HAVE* a http server. https only. The browser won't
> send login information to a site it can't connect to.
>
I have not got an http server. However, as I am running https on a
non-standard port it is easy to accidentally specify http instead of https.
The https server then responds by giving an error message, but not before
asking the user to log on, which I would assume is an unencrypted log on.
> (2) Ok, you can have a http server, but all it should do is send
> redirects to the https server. This is much more convenient and
> less confusing for users than (1). Or you can have a http
> server, but it sends redirects to https for the portion of the
> tree that's supposed to be secure.
I have not!
>
> (3) Don't have any documents on the http server that are supposed
> to be on the https server. If you accidentally try to connect to the
> http server when you meant the https server, you should get a 404
> error or a redirect to https. Login information isn't sent by
> the browser for pages that don't exist.
>
I have no documents on the http server, I'm not running one.
> Make sure you have absolutely NO http links that should be https
> links. For http links that have made their way into search engines,
> set up redirects to https. Use a different authentication realm
> (which makes the browser ask for a *different* username/password)
> and a different set of passwords for the http site as for the https
> site. Preferably you let *NO ONE* into the http site.
>
> You aren't using the same document root for http and https are you?
> Don't.
>
No.
--
http://www.petezilla.co.uk
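
As an added example (not from either poster, and not Peter's actual config): an Apache 2.x setup implementing Gordon's option (2). The plain-http vhost holds no documents and no authentication and does nothing but redirect, the https vhost is the only place Basic auth is configured, and the two never share a document root. The hostname, file paths, certificate locations and the non-standard port 8443 are assumptions for illustration.

```apache
# Added example (not from the thread): Apache 2.x virtual hosts implementing
# Gordon's option (2). Hostname, paths, cert files and port 8443 are assumptions.

# Plain-HTTP listener: no documents, no AuthType, only redirects. A typed
# http:// URL or a stale search-engine link is bounced to https before any
# credentials can be asked for.
Listen 80
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/empty           # separate (and empty) document root
    Redirect permanent / https://www.example.org:8443/
</VirtualHost>

# The real site, HTTPS only, on a non-standard port as in Peter's setup.
Listen 8443
<VirtualHost *:8443>
    ServerName www.example.org
    DocumentRoot /var/www/secure          # never shared with the :80 vhost
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.org.key

    <Directory /var/www/secure>
        # Refuse any request that is not over SSL before the authentication
        # phase runs, so a Basic challenge is never sent on a plain connection.
        SSLRequireSSL
        AuthType Basic
        AuthName "Members (HTTPS only)"   # realm distinct from anything else
        AuthUserFile /etc/apache2/htpasswd.secure
        Require valid-user
    </Directory>
</VirtualHost>
```

The SSLRequireSSL line is the check for the case Peter describes. Apache runs access-control hooks (where mod_ssl's SSLRequireSSL lives) before the check_user_id phase that emits the 401 challenge, so a request that somehow reaches the protected directory without SSL gets a 403 instead of a prompt for credentials. That matters because Basic auth only base64-encodes the username:password pair; anything that causes the browser to send it on a plain http connection exposes it in the clear, which is Gordon's whole point.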