Re: checking for and enforcing https

On Tue, Feb 26, 2008 at 10:16 AM, tedd <tedd.sperling@xxxxxxxxx> wrote:
> At 3:47 PM +0100 2/26/08, Per Jessen wrote:
>
> >tedd wrote:
>  >
>  >>  Sometimes I feel like a child here.
>  >>
>  >>  Under what circumstances would one require that?
>  >>
>  >>  If your script is in a https directory, isn't that secure? OR, is
>  >>  this something else?
>  >>
>
> >>  Please explain.
>  >
>  >You might want to do such checks if your website (www.example.com) is
>  >accessible over http and https both.  Typically you'll have separate
>  >content, but it might be possible for a user to accidentally access
>  >non-secure content over https which is just wasteful, or vice versa
>  >which is clearly a security risk.
>
>  Let's take this scenario.
>
>  I have a site that has http and https directories with the https
>  having a certificate.
>
>  I want to sell stuff.
>
>  I offer the items for review in the http directories.
>
>  Then a user wants to purchase something and I direct them to a unique
>  script in the https directory and that script takes their sensitive
>  data and finalizes the sale. What's wrong with that?

I'm not sure I totally understand what you're meaning by having
separate http and https directories. Assuming the directory where your
"https" scripts are stored is named "secure", what prevents someone
from browsing to http://yourdomain/secure/ rather than
https://yourdomain/secure/ ? The former would not be using SSL even
though you intend it to do so; the latter would.

The other issue I see, if I understand your structure correctly, is
that any additional content such as images, external javascripts,
flash files, etc. would have to be stored in two locations so that it
could be included in both secure and nonsecure pages without throwing
warnings in the browser about displaying mixed content. (Technically,
you could do rewrites, symbolic links, etc. so that two paths resolve
to the same physical folder.)

>
>  Why would I also want to check if "that a page is accessed only via a
>  secure connection?"

Because you don't want someone entering information on a page that you
intend to be secure unless they truly are using a secure connection.

>
>  Cheers,
>
>  tedd
>


Am I misunderstanding you somewhere?

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
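As an added example (not code from the thread), here is the kind of check Andrew describes: decide from the server variables whether the request really arrived over TLS and, if not, redirect to the same URL under https://. It assumes a plain Apache/PHP setup where the web server itself fills in HTTPS, SERVER_PORT, HTTP_HOST and REQUEST_URI; behind a TLS-terminating reverse proxy those values describe the proxy hop, so the check would instead have to trust X-Forwarded-Proto from that proxy only.

```php
<?php
/**
 * True when the request was served over TLS.
 * $server is passed in rather than reading $_SERVER directly so the
 * logic can be exercised with constructed arrays.
 */
function is_https_request(array $server): bool
{
    // Apache sets HTTPS to "on", some SAPIs to "1"; IIS sets it to "off"
    // on plain HTTP, so the key merely being present is not enough.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== ''
        && strcasecmp($server['HTTPS'], 'off') !== 0) {
        return true;
    }
    // Fallback for servers that never set HTTPS: the listening port.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/** Build the https:// equivalent of the URL that was requested. */
function https_url(array $server): string
{
    // HTTP_HOST comes from the client, so validate it before echoing it
    // into a redirect; otherwise the redirect could be pointed off-site.
    $host = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? '');
    if (!preg_match('/^[a-z0-9.-]+$/i', $host)) {
        $host = $server['SERVER_NAME'] ?? 'localhost';
    }
    $path = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . ($path[0] === '/' ? $path : '/' . $path);
}

/**
 * Call at the very top of any script that must only run over TLS,
 * before any output. Run it on the page that shows the form as well as
 * on the script that receives it: a redirect of a POST drops the posted
 * data, and by then the sensitive fields have already crossed the wire.
 */
function require_https(): void
{
    if (is_https_request($_SERVER)) {
        return;
    }
    header('Location: ' . https_url($_SERVER), true, 301);
    exit;
}

require_https();
```

With `$_SERVER['HTTPS']` unset and `HTTP_HOST` of `www.example.com:80`, `https_url()` yields `https://www.example.com/` plus the original request path, so browsing to http://yourdomain/secure/ lands on the https:// copy instead of serving the form in the clear.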

