On Tue, 2008-02-26 at 10:57 -0500, Andrew Ballard wrote:
> On Tue, Feb 26, 2008 at 10:16 AM, tedd <tedd.sperling@xxxxxxxxx> wrote:
> > At 3:47 PM +0100 2/26/08, Per Jessen wrote:
> >
> > >tedd wrote:
> > >
> > >> Sometimes I feel like a child here.
> > >>
> > >> Under what circumstances would one require that?
> > >>
> > >> If your script is in a https directory, isn't that secure? OR, is
> > >> this something else?
> > >>
> > >> Please explain.
> > >
> > >You might want to do such checks if your website (www.example.com) is
> > >accessible over http and https both. Typically you'll have separate
> > >content, but it might be possible for a user to accidentally access
> > >non-secure content over https which is just wasteful, or vice versa
> > >which is clearly a security risk.
> >
> > Let's take this scenario.
> >
> > I have a site that has http and https directories with the https
> > having a certificate.
> >
> > I want to sell stuff.
> >
> > I offer the items for review in the http directories.
> >
> > Then a user wants to purchase something and I direct them to a unique
> > script in the https directory and that script takes their sensitive
> > data and finalizes the sale. What's wrong with that?
>
> I'm not sure I totally understand what you're meaning by having
> separate http and https directories. Assuming the directory where your
> "https" scripts are stored is named "secure", what prevents someone
> from browsing to http://yourdomain/secure/ rather than
> https://yourdomain/secure/ ? The former would not be using SSL even
> though you intend it to do so; the latter would.
>
> The other issue I see, if I understand your structure correctly, is
> that any additional content such as images, external javascripts,
> flash files, etc. would have to be stored in two locations so that it
> could be included in both secure and nonsecure pages without throwing
> warnings in the browser about displaying mixed content. (Technically,
> you could do rewrites, symbolic links, etc. so that two paths resolve
> to the same physical folder.)
>
> >
> > Why would I also want to check if "that a page is accessed only via a
> > secure connection?"
>
> Because you don't want someone entering information on a page that you
> intend to be secure unless they truly are using a secure connection.
>
> >
> > Cheers,
> >
> > tedd
> >
>
> Am I misunderstanding you somewhere?

I don't think you are. I think Ted has been doing it the hard way...
but the lightbulb may have just gone on :)

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
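
The check discussed in this thread, written out as an added example that is not part of the original messages: a guard placed at the top of a script in the "secure" directory so that a request arriving as http://yourdomain/secure/ is never processed in clear text. The function names and the `CANONICAL_HOST` value are assumptions made for illustration.

```php
<?php
// Added example: refuse to serve a "secure" page over plain HTTP.
// CANONICAL_HOST is an assumed placeholder; set it to your own site name.
const CANONICAL_HOST = 'www.example.com';

/**
 * True when the request reached PHP over SSL/TLS.
 * $server is passed in (normally $_SERVER) so the check can be tested.
 */
function is_secure_request(array $server): bool
{
    // Apache's mod_ssl sets HTTPS to "on"; IIS (ISAPI) sets it to "off"
    // for plain HTTP, so a simple !empty() test is not enough.
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

/**
 * Build the https:// URL for the same path and query string.
 * The host comes from configuration, not from the client-supplied Host
 * header, so the redirect cannot be pointed at another site.
 */
function secure_url(array $server): string
{
    $uri = (string)($server['REQUEST_URI'] ?? '/');
    // Only accept a local path; anything else falls back to the root.
    if ($uri === '' || $uri[0] !== '/' || strpbrk($uri, "\r\n") !== false) {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

/** Call at the top of every script that handles sensitive data. */
function require_secure_connection(array $server): void
{
    if (is_secure_request($server)) {
        return;
    }
    if (in_array($server['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD'], true)) {
        header('Location: ' . secure_url($server), true, 301);
    } else {
        // Form data already crossed the wire in clear text; do not process it.
        http_response_code(403);
    }
    exit;
}

require_secure_connection($_SERVER);
```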