SSL Page Posting to Non Secure Form - php

I have a page that requires SSL because of secure content being transmitted. However I have a third party embedded form on the page which posts to a third party site which does not have an SSL Installed. It works fine except that I get an annoying message by my browser.
"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?"
Is there any way I can get around this?

If you have no control over the third party application and they have no SSL enabled, then no.
Only chance: If the third party has https enabled, you could try to modify the <form action=""> attribute to use https, just after site load. But you said that they don't have it.
A hacky last chance: You could serve an HTTPS proxy on your site that talks non-HTTPS to the third party site. Then modify the form action after site load to use that proxy.
So my advice is:
Try to talk (email) to the third party and tell them about your problem. Maybe they will help.
If the first doesn't help, then use my proxy attempt. It could be easily implemented in PHP. I can give an example if you want.
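
Added example, not part of the original answer: one way the proxy idea could look in PHP. The upstream URL, the field names and the file name relay.php are assumptions for illustration. The hop from this server to the third party is still plain HTTP, so the relay removes the browser warning but the data is unencrypted on that hop.

```php
<?php
// relay.php - served over HTTPS on your own site; the embedded form posts here.
// Assumptions for illustration: UPSTREAM_URL and the field names are placeholders.
const UPSTREAM_URL   = 'http://forms.thirdparty.example/submit';
const ALLOWED_FIELDS = ['name', 'email', 'message'];

// Keep only the expected string fields so the relay cannot be used to
// push arbitrary parameters (or arrays/files) to the third party.
function build_upstream_body(array $post): string
{
    $clean = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $clean[$field] = $post[$field];
        }
    }
    return http_build_query($clean);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

// The destination is a constant, never a request parameter: a relay that
// accepts a URL from the client is an open proxy.
$ch = curl_init(UPSTREAM_URL);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => build_upstream_body($_POST),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false, // do not chase redirects to other hosts
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 15,
]);
$body   = curl_exec($ch);
$status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);

// Report our own result page instead of echoing the upstream HTML, which
// arrived over plain HTTP and would otherwise run in this site's origin.
header('Content-Type: text/plain; charset=utf-8');
if ($body === false || $status >= 400) {
    http_response_code(502);
    exit('The form could not be submitted.');
}
echo 'Form submitted.';
```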

Related

Load and authenticate into a web within an iframe using http, from a web using https

I need to simulate from within an iframe in our site, which uses https and it's loaded only once upon the authentication on our site, the authentication into another site, which only uses http.
How can I do that?
We first tried loading into the iframe a page of our site from which the login form for the remote authentication is automatically submitted with javascript. This cannot be achieved because the http request from the form is blocked by the browser for security reasons. I must clarify that if we use http in our web too, the authentication is done without problems.
I'm not sure if using file_get_contents() will do the trick, because it's not a simple static page that we need to display. We need to keep any data from the remote login (cookies, etc) in the browser so that we can access other parts of the remote web (once I've signed in) from other places of our site. As far as I know, file_get_contents doesn't provide any header.
Another alternative I've also considered is curl, using CURLOPT_RETURNTRANSFER=true and CURLOPT_HEADER=true and trying to manually set any cookies I get in the header. I'm not sure if keeping the session implies more actions though.

HTTPS is blocking captcha

When I go to my Login page, my website cannot load captcha form on that page, because it's using HTTPS.
What changes should I add to my website to allow the captcha to load on my site when it uses HTTPS?
How do I make it work with HTTPS?
I'm using 3rd party captcha service from google. If I remove SSL, then with HTTP my website can load captcha. Also on other pages, google map cannot load too.
Typically https pages won't load http pages, because that could be a security risk. Fortunately, most 3rd party services allow both http and https access. Usually it's as simple as replacing the http in the code they provide with https. Obviously this depends on exactly which tools you are using, and some services from smaller companies aren't available over https at all.

Confused On Utilizing SSL

I have a shared SSL certificate from my web host which (for this post's sake) looks like this:
https://some-ssl-cert/mysite
Going to that link would go to my site, and display it in https:// with a green padlock.
The normal site is http://
How do I display the main login for the website as https://?
Obviously I cannot tell or redirect my users to https://some-ssl-cert/mysite so I am very confused on how to implement this.
Lastly, when I need to send sensitive information on other pages that aren't https:// would I simply send that information to https://some-ssl-cert/mysite?
So for instance, if I needed to make a secure ajax request or something would I access the .php file via https://some-ssl-cert/mysite?

"How do I display the main login for the website as https://?"
You need an SSL certificate for the host name used for your site. You also need your host to support it.
"Lastly, when I need to send sensitive information on other pages that aren't https:// would I simply send that information to https://some-ssl-cert/mysite?"
If you need to send sensitive information, then you need to do it over HTTPS. If you are using plain HTTP then you need to redirect to the HTTPS site.
"So for instance, if I needed to make a secure ajax request or something would I access the .php file via https://some-ssl-cert/mysite?"
The entire webpage needs to be served over HTTPS. Otherwise:
It will be a cross-origin request and the ajax will fail (CORS/JSONP/et al excepted).
The non-secured page could be interfered with (e.g. JS added that would steal the securely acquired data).

How to use https and how things differ

How would you use https? Would sending information via GET and POST be any different while using https?
Any information and examples on how https is used in php for something simple like a secure login would be useful.
Thank you!
It will be no different for your php scripts, the encryption and decryption is done transparently on another layer.
Both GET and POST get encrypted, but GET will leave a trace in the web server log files.
HTTPS is handled at the SSL/TLS Layer, not at the Application Layer (HTTP). Your server will handle it as aularon was saying.
SSL and/or HTTPS is used to provide some level of confidentiality for data in transit between the web users and the web server. It can also be used to provide a level of confidence that the site the users are communicating with is in fact the one they intend to be.
In order to use SSL, you'll need to configure these capabilities on the server itself, which would include either purchasing (an authority-signed) or creating (a self-signed) certificate. If you create your own self-signed certificate, the level of confidence that the site is the intended one is significantly reduced for your users.
PHP
Once your webserver is able to serve SSL-protected pages, PHP will continue to operate as usual. Things to look out for are port numbers (normal HTTP is usually on port 80, while HTTPS traffic is usually on port 443), if your code relies on them.
GET & POST Data
Pierre 303 is correct, GET data may end up in the logs, and POST data will not, but this is no different than a non-SSL web server. SSL is meant to protect data in transit, it does nothing to protect you and your customers from web servers and their administrators that you may not trust.
Secure Login
There is also a performance hit (normally) when using SSL, so, some sites will configure their pages to only use https when the user is sending sensitive information, for example, their password or credit card details, etc. Other traffic would continue to use the normal, http server.
If this is the sort of thing you'd like to do, you'll want to ensure that your login form in HTML uses an ACTION that points to the https server's pages. Once the server accepts this form submission, it can send a redirect to send the user back to the page they requested using just http again.
Just ensure you're sending the correct headings when allowing files to be downloaded over ssl... IE can be a bit quirky. See http://support.microsoft.com/kb/323308 for details of how to resolve.
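
Added example, not taken from any of the answers above: a guard at the top of a PHP login script that uses the HTTPS indicator and port 443 mentioned in the answers. CANONICAL_HOST is a placeholder, and the check assumes PHP sees the TLS connection directly rather than sitting behind a TLS-terminating proxy. A session cookie flagged Secure is only sent over https, so pages that rely on the logged-in session have to be served over https as well.

```php
<?php
// Guard for a login script. CANONICAL_HOST is a placeholder; the check assumes
// PHP sees the TLS connection directly (no TLS-terminating proxy in front).
const CANONICAL_HOST = 'www.example.com';

function request_is_https(array $server): bool
{
    // Set to a non-empty value other than "off" when the request used TLS.
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443; // default HTTPS port
}

function https_url(string $requestUri): string
{
    // Host comes from configuration, not from the client's Host header.
    return 'https://' . CANONICAL_HOST . '/' . ltrim($requestUri, '/');
}

if (PHP_SAPI !== 'cli' && !request_is_https($_SERVER)) {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET') {
        header('Location: ' . https_url($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    } else {
        // A POST over http has already exposed its body; refuse it rather
        // than redirect, so a mis-pointed form is noticed and fixed.
        http_response_code(400);
    }
    exit;
}

// From here on the request is known to be HTTPS.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
// ... check credentials with password_verify(), then session_regenerate_id(true)
```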

Https, Php secure login page?

I am new to php, I can do a simple login page, e.g create form, submit form, process and authenticate in a php page and so on.
I read somewhere on the internet, and saw some big companies like banks, google and yahoo, their login form is in "https" not "http". So I try google what is "https" thing. Well, I could not say I fully understand what that thing is, but I think I know the concept, i.e. create a more secure login page.
I believe php could do it (cause I saw wordpress using https, and wp is using php). Is there any tutorial or can you guys give a sample code on how to do a secure login https page with php? Not necessary full code ( cuz I dun want to trouble you guys ), but if can give a full code, would be most appreciated :)
You need to buy an SSL certificate from a company like Verizon or InstantSSL. Then, you will need a web host who has OpenSSL or other software for processing SSL certificates installed.
When you purchase a certificate from Verizon/Instant SSL, they will give you some encrypted code using which you could configure your OpenSSL software, and then having https:// urls will work.
This isn't something you can do using plain php.
