On Tue, 2008-02-26 at 10:16 -0500, tedd wrote:
> At 3:47 PM +0100 2/26/08, Per Jessen wrote:
> >tedd wrote:
> >
> >> Sometimes I feel like a child here.
> >>
> >> Under what circumstances would one require that?
> >>
> >> If your script is in a https directory, isn't that secure? OR, is
> >> this something else?
> >>
> >> Please explain.
> >
> >You might want to do such checks if your website (www.example.com) is
> >accessible over http and https both. Typically you'll have separate
> >content, but it might be possible for a user to accidentally access
> >non-secure content over https which is just wasteful, or vice versa
> >which is clearly a security risk.
>
> Let's take this scenario.
>
> I have a site that has http and https directories with the https
> having a certificate.
>
> I want to sell stuff.
>
> I offer the items for review in the http directories.
>
> Then a user wants to purchase something and I direct them to a unique
> script in the https directory and that script takes their sensitive
> data and finalizes the sale. What's wrong with that?

Nothing. But you do need to manage what files show up in which
directories. Me, I just put them all into a shop directory or whatnot
and check what protocol is required for access. Then I only need to
manage one directory when updating the code.

> Why would I also want to check if "that a page is accessed only via a
> secure connection?"

Because you're restricting based on access, not based on directory
structure.

Cheers,
Rob.
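
One way to implement the per-request protocol check described in the reply above, as an added example that is not part of the original thread. The script names, the `SHOP_HOST` constant and the `$requires_https` map are hypothetical, and the code assumes the web server terminates TLS itself (no reverse proxy).

```php
<?php
// Added example, not from the thread; all names are hypothetical.
const SHOP_HOST = 'www.example.com'; // configured value, never the Host header

// One shop directory; each script declares whether it requires HTTPS.
$requires_https = ['browse.php' => false, 'checkout.php' => true];

// True when the request arrived over TLS (direct connection, no proxy assumed).
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Returns 'allow', 'deny' or 'redirect:<url>' for one request.
function protocol_decision(array $server, array $requires_https): string
{
    $script = basename($server['SCRIPT_NAME'] ?? '');
    if (!array_key_exists($script, $requires_https)) {
        return 'deny'; // unlisted script: fail closed
    }
    $need = $requires_https[$script];
    if (request_is_https($server) === $need) {
        return 'allow';
    }
    if ($need && ($server['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        return 'deny'; // body was already sent in clear text; do not replay it
    }
    $path = $server['REQUEST_URI'] ?? '/';
    if (strncmp($path, '/', 1) !== 0) {
        $path = '/'; // only origin-form paths are echoed into the redirect
    }
    return 'redirect:' . ($need ? 'https' : 'http') . '://' . SHOP_HOST . $path;
}

// Constructed sample requests (shaped like $_SERVER).
$samples = [
    ['SCRIPT_NAME' => '/shop/checkout.php', 'REQUEST_URI' => '/shop/checkout.php?item=7', 'REQUEST_METHOD' => 'GET'],
    ['SCRIPT_NAME' => '/shop/checkout.php', 'REQUEST_URI' => '/shop/checkout.php', 'REQUEST_METHOD' => 'POST'],
    ['SCRIPT_NAME' => '/shop/checkout.php', 'REQUEST_URI' => '/shop/checkout.php', 'REQUEST_METHOD' => 'POST', 'HTTPS' => 'on'],
    ['SCRIPT_NAME' => '/shop/browse.php', 'REQUEST_URI' => '/shop/browse.php', 'REQUEST_METHOD' => 'GET', 'HTTPS' => 'on'],
];
foreach ($samples as $s) {
    echo protocol_decision($s, $requires_https), "\n";
}
```

In a live script the decision would be computed from `$_SERVER` before any output is sent, and a redirect acted on with `header('Location: ...')` followed by `exit`.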