Larry Ullman's Book Forums
grahamgr3

Using SSL Security Only On Some Pages Of A Site


I have a website that I am going to turn into a store and I am reading your book. It says that it might be best to use an SSL connection only on pages where it is needed. I don't know how to implement SSL only on specific pages. How do we do that? Right now I only know how to either add it to every page using the .htaccess file or not at all. What code do I use to only make some pages secure? Because if I only use https on some links, if I click on a page of my site that doesn't have https and then click on a page that does, my browser then makes all the other links I click on in my site use https too. Is that normal? That is also after I remove my .htaccess code that makes all pages contain https.


The easiest and safest route is to just use SSL on all pages, forcing it in your .htaccess.

Otherwise, to have some pages be SSL and others not, you need to use absolute URLs so that all links go to the HTTPS or HTTP version accordingly, and then you would enforce HTTPS for certain pages in your .htaccess.


I am trying to do this in the tutorial for the coffee shop site. I have set up a virtual host on my computer's Apache server called clever-coffee.net. It is listening on Port 80. Where I am tripped up is going to the checkout page for the coffee shop. I wanted to do as the original poster did, which was have all pages unsecure (http) until checking out, and then go to https.

I have done a lot of Googling and searching Stack Overflow and can't find a solution to "hand off" from http to https. I thought that the .htaccess file and the Apache vhosts-httpd.conf files were the key. However, no matter what I read and tried, I can't shift to https.

This is my .htaccess file:

<IfModule mod_rewrite.c>
    Options +FollowSymLinks -Multiviews
    RewriteEngine On
    RewriteBase /
    
    # this prevents access to "html" systems folder to 403 Forbidden
    RedirectMatch 403 ^.*/html/index\.php$
    
    # Check to see if user is attempting to access valid file,
    # such as image or css document.
    # If false, sends request to index.php.
    
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d

    # sales:
    RewriteRule ^shop/sales/?$ sales.php
    
    # primary categories:
    RewriteRule ^shop/(coffee|goodies)/?$ /shop.php?type=$1
    
    # specific products:
    RewriteRule ^browse/(coffee|goodies)/([A-Za-z\+\-]+)/([0-9]+)/?$ browse.php?type=$1&category=$2&id=$3
    
    # For HTTPS pages:
    RewriteRule %{HTTPS} off
    RewriteRule ^(checkout\.php|billing\.php|final\.php|admin/(.*))$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

<IfModule !mod_rewrite.c>
    # If mod_rewrite is not installed, all 404s can be sent to index.php
    ErrorDocument 404 /index.php
</IfModule>

And httpd-vhosts file:

<VirtualHost *:80>
DocumentRoot "/usr/docs/clever-coffee.net"
ServerName clever-coffee.net
ServerAlias www.clever-coffee.net
<Directory "/usr/docs/clever-coffee.net">
AllowOverride All
Require local
</Directory>
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "/usr/docs/clever-coffee.net"
ServerName clever-coffee.net
ServerAlias www.clever-coffee.net
SSLCertificateFile "/private/etc/apache2/ssl/clever-coffee.net.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/clever-coffee.net.key"
<Directory "/usr/docs/clever-coffee.net">
AllowOverride All
Require local
</Directory>
</VirtualHost>


I'd first confirm that going to an HTTPS address directly works, just to determine whether this is an issue with your redirect or with your HTTPS setup. Second, keep in mind the .htaccess file is just supposed to prevent accidental non-secure access to certain pages. Your HTML should use HTTPS in the links to those pages.
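
The per-page enforcement described in the replies above, as an added example that is not part of the original thread: the HTTPS section of the posted .htaccess with the condition written as a RewriteCond, and the port-443 virtual host with the SSLEngine directive it needs. The host name, page names and certificate paths are taken from the post; a stock Apache 2.4 with mod_rewrite and mod_ssl loaded is an assumption.

```apache
# --- .htaccess (HTTPS section only) ---
# As posted, the condition was written as a rule:
#     RewriteRule %{HTTPS} off
# A RewriteRule's first argument is a regex matched against the URL path, so
# that line does not match ordinary requests, and the redirect below it then
# runs unconditionally, including for requests that already arrived over
# HTTPS (a redirect loop on the protected pages).

# Corrected: a RewriteCond guards the single RewriteRule that follows it.
RewriteCond %{HTTPS} off
RewriteRule ^(checkout\.php|billing\.php|final\.php|admin/(.*))$ https://%{HTTP_HOST}/$1 [R=301,L]

# --- httpd-vhosts.conf (port 443 host) ---
# Assumption: "Listen 443" is present in the main server configuration.
<VirtualHost *:443>
    DocumentRoot "/usr/docs/clever-coffee.net"
    ServerName clever-coffee.net
    ServerAlias www.clever-coffee.net

    # Without SSLEngine on, this host answers plain HTTP on port 443 and
    # browsers fail the TLS handshake regardless of what .htaccess says.
    SSLEngine on
    SSLCertificateFile "/private/etc/apache2/ssl/clever-coffee.net.crt"
    SSLCertificateKeyFile "/private/etc/apache2/ssl/clever-coffee.net.key"

    <Directory "/usr/docs/clever-coffee.net">
        AllowOverride All
        Require local
    </Directory>
</VirtualHost>
```

While testing, R=302 in place of R=301 keeps the browser from caching a wrong permanent redirect.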
