
Using SSL on a subsection of my site

I just bought an SSL cert from GoDaddy and I want to install it on my web-server. But I don't want my whole website to be covered by the SSL. I only want the sign-up pages and the login and account pages.

I was told by a rep at my hosting company that an SSL is site-wide, and I will not be able to do this unless I buy a new site with a new domain. He said creating a sub-domain will not work, and cause an error.

Is this true? How is it possible that I see many sites displaying normal http, and only change to https when you go to the login page, or the sign up page?

Your thoughts are appreciated. The site is running on a Windows IIS 7.5 server with ColdFusion and PHP and ASP.

    • Just curious, but if you've got the cert, why not make the entire site https? The extra overhead is unnoticeable these days, and if you're worried that people will go to yoursite.com instead of https, simply have a tiny vhost that answers on port 80 and redirects people up to port 443 when they arrive.
      • 1
    • I never thought of it that way, but I was under the impression that an SSL will slow down the whole site. My site is really split into two functions: members' area and store front. I'm not really interested in the store front having SSL. Those who sign up will only visit it once, and every time they want to login if their session has expired. Everyone else can come and go as they please. So I thought it would be a waste to do this.

You'll have to activate SSL site-wide, but you should be able to have both SSL (tcp/443) and non-SSL (tcp/80) ports open. This way, if you have a link in your HTML that has http:// it will go to the non-secured port, but if you have https:// in your mark-up then the secure port will be used.

As an example, go to www.facebook.com: by default it is non-secure, but if you look at the HTML of the main page you'll find the following snippet:

<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

So when you type in your account information and hit "Login", the form is sent to the secure version, but when you do general surfing on the site it's unsecured.

Alternatively you could have www.yoursite.com unsecured, but have an "accounts.yoursite.com" or "login.yoursite.com" hostname that is secured. You'd then pass a cookie to the browser that stored login state.

Note that if people's general surfing of your site is unsecured, then attackers can sniff the traffic and get the cookie and impersonate the users. This is what the recent Firesheep kerfuffle was all about:

http://www.google.com/search?q=firesheep
http://www.google.com/search?q=cookie+session+security

  • 4

Most of the answer will be application-specific and more programming oriented. In short:

  • Set up IIS to accept both HTTP and HTTPS connections to this host, and install the SSL certificate as normal.
  • Program your application code (your PHP and ColdFusion stuff) to only emit HTTPS URLs to the relevant pages, and
  • Program your application code to verify that incoming requests to these pages were made over HTTPS (for security).

How to actually do this will depend a great deal on your application code. :-)

  • 2
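
The check described in the last bullet above, sketched in PHP for the IIS setup in the question. This is an added example, not part of the original answers; the path prefixes, the `CANONICAL_HOST` value and the function names are assumptions for illustration. It also marks the session cookie `Secure`, which addresses the cookie-sniffing problem raised in the first answer.

```php
<?php
// Added example. Assumed: PHP 7.3+, protected pages live under the directories
// in SECURE_PREFIXES, and CANONICAL_HOST is the site's real hostname.
const CANONICAL_HOST  = 'www.yoursite.com';   // fixed; never echo the Host header
const SECURE_PREFIXES = ['/login', '/signup', '/account'];

// IIS (ISAPI) sets HTTPS to "off" for plain HTTP rather than leaving it unset.
function is_https(array $server): bool
{
    $flag = strtolower((string)($server['HTTPS'] ?? ''));
    return $flag !== '' && $flag !== 'off';
}

// Decode and lower-case first (IIS paths are case-insensitive); fail closed on bad URIs.
function needs_https(string $requestUri): bool
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) return true;
    $path = strtolower(rawurldecode($path));
    foreach (SECURE_PREFIXES as $prefix) {
        if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
            return true;
        }
    }
    return false;
}

function enforce_https(array $server): void
{
    $uri = (string)($server['REQUEST_URI'] ?? '/');
    if (is_https($server)) {
        // Secure keeps the session cookie off port 80, where it can be sniffed.
        session_set_cookie_params(['secure' => true, 'httponly' => true]);
        return;
    }
    if (!needs_https($uri)) {
        return;
    }
    if (!in_array($server['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD'], true)) {
        // The form data already crossed the wire in clear text: refuse it.
        http_response_code(403);
        exit('HTTPS required');
    }
    header('Location: https://' . CANONICAL_HOST . '/' . ltrim($uri, '/'), true, 301);
    exit;
}

enforce_https($_SERVER);   // run before any output or session_start()
```

With the `Secure` flag set, the session cookie is not sent on plain-HTTP pages, so the unsecured store front will not see the login state.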