---- tedd <tedd.sperling@xxxxxxxxx> wrote:
> At 3:47 PM +0100 2/26/08, Per Jessen wrote:
> >tedd wrote:
> >
> >> Sometimes I feel like a child here.
> >>
> >> Under what circumstances would one require that?
> >>
> >> If your script is in a https directory, isn't that secure? OR, is
> >> this something else?
> >>
> >> Please explain.
> >
> >You might want to do such checks if your website (www.example.com) is
> >accessible over http and https both. Typically you'll have separate
> >content, but it might be possible for a user to accidentally access
> >non-secure content over https which is just wasteful, or vice versa
> >which is clearly a security risk.
>
> Let's take this scenario.
>
> I have a site that has http and https directories with the https
> having a certificate.
>
> I want to sell stuff.
>
> I offer the items for review in the http directories.
>
> Then a user wants to purchase something and I direct them to a unique
> script in the https directory and that script takes their sensitive
> data and finalizes the sale. What's wrong with that?
>
> Why would I also want to check if "that a page is accessed only via a
> secure connection?"
>
> Cheers,
>
> tedd

The certificate/secure pages only need to be accessed via https, and those need to be the ones which gather personal/private data. It doesn't matter if someone browsing looks at them secure or non-secure.

Put your data where it needs to be for the site to make sense to both the shoppers and the maintainers and use the server to handle the requires (make a /path/secure which contains the checkout pieces and require https for those via an .htaccess file)

HTH,
Wolf

--
PHP General Mailing List (http://www.php.net/)
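
An added example, not code from anyone in the thread: the in-script check the thread discusses, as it could sit at the top of a checkout script under /path/secure alongside the .htaccess requirement. The function names and the canonical host www.example.com are assumptions.

```php
<?php
// Added example; request_is_https() and https_gate() are hypothetical names.

/**
 * True when the request reached PHP over TLS.
 * $_SERVER['HTTPS'] is non-empty for HTTPS requests; under ISAPI with IIS
 * it is the string "off" for plain HTTP, so that value must be excluded.
 */
function request_is_https(array $server): bool
{
    $https = $server['HTTPS'] ?? '';
    return $https !== '' && strtolower($https) !== 'off';
}

/**
 * Decide what a checkout script should do with the request.
 * Returns [status, location]; location is null unless redirecting.
 */
function https_gate(array $server): array
{
    if (request_is_https($server)) {
        return [200, null];
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        // The form data has already crossed the wire in clear text; refuse
        // it instead of redirecting and quietly accepting it.
        return [403, null];
    }
    // Build the redirect from the configured host name, not from the
    // client-supplied Host header.
    $host = 'www.example.com'; // assumption: the site's canonical host
    return [301, 'https://' . $host . ($server['REQUEST_URI'] ?? '/')];
}

// Constructed sample requests standing in for $_SERVER.
$samples = [
    ['HTTPS' => 'on',  'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/path/secure/checkout.php'],
    ['HTTPS' => 'off', 'REQUEST_METHOD' => 'GET',  'REQUEST_URI' => '/path/secure/checkout.php'],
    ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/path/secure/checkout.php'],
];
foreach ($samples as $s) {
    [$status, $location] = https_gate($s);
    echo $status, ' ', $location ?? '-', "\n";
}
```

In a real script the result of `https_gate($_SERVER)` would drive `http_response_code()` and a `Location` header before any form handling runs. If TLS is terminated on a proxy in front of the web server, `$_SERVER['HTTPS']` will not be set on the backend and the check has to be adapted to that setup.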