I have received SSL certification for my oscom开发者_StackOverflow社区merce website. I need to enable https:// for some particular pages.
can someone help?
Open includes/configure.php
and set ENABLE_SSL
to TRUE
.
As a more generic solution if you're using Apache...
if ( ! isset($_SERVER['https']) OR $_SERVER['https'] != 'On') {
header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
}
To access a certain page, you only need to call it with the HTTPS protocol, e.g. https://www.example.com
. That was the easy part :-).
One problem you will encounter is, that every secure page has to ensure itself, that it is called exclusively with this protocol. In my opinion this is done best in a generic way in the .htaccess file, so you don't have to think about implementing it in every page. An example:
http://www.martinstoeckli.ch/php/php.html#ssl_switching
This leads to another problem with the session cookie. For unsecure HTTP pages the cookie will be sent unencrypted and an attacker can hijack the cookie. Switching between secure and unsecure pages will make your session vulnerable. To prevent this you have two possibilities:
- Protect your whole site with HTTPS. That seems a bit of an overkill, but makes your life easier and shouldn't be a problem to big for todays servers.
- Protect your secure pages with a second cookie and leave your session cookie unsecure. An example of how to do it, can be found here: http://www.martinstoeckli.ch/php/php.html#ssl_nomim_cookie
Hope this gives you some ideas.
精彩评论