Jump to content
Larry Ullman's Book Forums

Using Ssl Security Only On Some Pages Of A Site


Recommended Posts

I have a website that I am going to turn into a store and I am reading your book. It says that it might be best to use an ssl connection only on pages where it is needed. I don't know how to implement ssl only on specific pages. How do we do that. Right now I only know how to either add it to every page using the .htaccess file or not at all. What code do I use to only make some pages secure? Because if I only use https on some links, if I click on a page of my site that doesn't have https and then click on a page that does, my browser then makes all the other links I click on in my site use https too. Is that normal. That is also after I remove my .htaccess code that makes all pages contain https.

Link to comment
Share on other sites

The easiest and safest route is to just use SSL on all pages, forcing it in your .htaccess. 

 

Otherwise, to have some pages be SSL and others not, you need to use absolute URLs so that all links go to the HTTPS or HTTP version accordingly, and then you would enforce HTTPS for certain pages in your .htaccess.

Link to comment
Share on other sites

  • 2 months later...

I am trying to do this in the tutorial for the coffee shop site. I have set up a virtual host on my computer's Apache server called clever-coffee.net. It is listening on Port 80. Where I am tripped up is going to the checkout page for the coffee shop. I wanted to do as the original poster did, which was have all pages unsecure (http) until checking out, and then go to https.

 

I have done a lot of Googling and searcing Stack Overflow and can't find a solution to "hand off" from http to https. I thought that the .htaccess file and the Apache vhosts-httpd.conf files were the key. However, no matter what I read and tried, I can't shift to https.

 

This is my .htaccess file:

 

<IfModule mod_rewrite.c>
    Options +FollowSymLinks -Multiviews
    RewriteEngine On
    RewriteBase /
    
    # this prevents access to "html" systems folder to 403 Forbidden
    RedirectMatch 403 ^.*/html/index\.php$
    
    # Check to see if user is attempting to access valid file,
    # such as image or css document.
    # If false, sends request to index.php.
    
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d

    # sales:
    RewriteRule ^shop/sales/?$ sales.php
    
    # primary categories:
    RewriteRule ^shop/(coffee|goodies)/?$ /shop.php?type=$1
    
    # specific products:
    RewriteRule ^browse/(coffee|goodies)/([A-Za-z\+\-]+)/([0-9]+)/?$ browse.php?type=$1&category=$2&id=$3
    
    # For HTTPS pages:
    RewriteRule %{HTTPS} off
    RewriteRule ^(checkout\.php|billing\.php|final\.php|admin/(.*))$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

<IfModule !mod_rewrite.c>
    # If mod_rewrite is not installed, all 404s can be send to index.php
    ErrorDocument 404 /index.php
</IfModule>

 

And httpd-vhosts file:

 

<VirtualHost *:80>
DocumentRoot "/usr/docs/clever-coffee.net"
ServerName clever-coffee.net
ServerAlias www.clever-coffee.net
<Directory "/usr/docs/clever-coffee.net">
AllowOverride All
Require local
</Directory>
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "/usr/docs/clever-coffee.net"
ServerName clever-coffee.net
ServerAlias www.clever-coffee.net
SSLCertificateFile "/private/etc/apache2/ssl/clever-coffee.net.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/clever-coffee.net.key"
<Directory "/usr/docs/clever-coffee.net">
AllowOverride All
Require local
</Directory>
</VirtualHost>

Link to comment
Share on other sites

I'd first confirm that going to an HTTPS address directly works, just to determine whether this is an issue with your redirect or with your HTTPS setup. Second, keep in mind the .htaccess file is just supposed to prevent accidental non-secure access to certain pages. Your HTML should use HTTPS in the links to those pages.

Link to comment
Share on other sites

 Share

×
×
  • Create New...