SSL certificate
#1

[eluser]alexaaaaaaaaaa[/eluser]
Hi, I'm reposting an old problem ... I need to install an SSL certificate on my website.
Support told me to use https:// to edit the config file and to rewrite the URL, but I don't want to have the SSL certificate all over my website, just on a few pages.
Here's a brief of the code:
<?php $this->load->view('header'); ?>
<?php $this->load->view('sidebar'); ?>
<?php some code ?>
<?php $this->load->view('footer'); ?>

So the big question is: how to "call" those pages via https?

Thanks in advance.
#2

[eluser]BrianL[/eluser]
TLS is always configured by the server, never the application. So it is generally not possible to require that a page use HTTPS from the application, never mind load a view with HTTPS or "call" a page with HTTPS. When views are put together they are not done with HTTP; that is, CodeIgniter does not call static pages at http://example.com/view and put together the results, but loads the file locally. So the question of how to "call" pages with HTTPS does not make sense. For example, you would never say "How do I call files with HTTPS" when the file is on your hard drive. Yes, you could use $_SERVER, but not only is this not ideal, it will make your application non-portable, and $_SERVER can actually be manipulated and should be treated like all superglobals such as $_GET and so on: unreliable for security purposes.

Instead, use mod_rewrite (.htaccess) for Apache or mod_redirect for lighttpd to force a redirect of specific URIs. You will want to do this anyway, so that people cannot type http://example.com/secure instead of https://example.com/secure (that is, even if you figured out a way to call a page with HTTP, say with socket programming, someone could just entirely bypass your protection with a different access mechanism unless you used web server directives).

So the answer is, done properly this is not done through CI at all but by the web server. I know this is not the answer you want, but it is the correct answer. If you want other one-line easy answers, there are many available since, as you say, this is an "old problem." But to be honest, if you do not know enough to configure a web server you should not be using TLS at all, since it will just provide a false sense of security.
#3

[eluser]RickP[/eluser]
I have just started to use CI and like it very much, but this is a potential problem.

Before using CI my code was effectively similar to CI but backwards. IOW, when a page executed, the first thing that happened was that several variables specific to that page were set and then 'header.php' was included. The first lines of header.php checked whether the variable $safe was 'yes' and whether the URL was http:// or https://. If the two didn't match then I would execute a header("Location: ...") with the correct info and the same page.

Thus, pages that needed to be secure, and only those pages, used https://.
#4

[eluser]BrianL[/eluser]
Depending on the implementation, anyone can set $safe=yes by sending a custom payload. Unless you used a custom session handler to store $safe=yes in a database, it was vulnerable to session hijack, especially on shared web hosting. Not only that, but any variables received from the user cannot be trusted, including $_SERVER. Simply look at the excellent user comments on the PHP manual to see that $_SERVER variables must be sanitized (for example, if you do not sanitize $_SERVER['REQUEST_URI'] you are vulnerable to XSS). In addition, rendering pages this way breaks the MVC framework, since the first thing that should happen is routing to the correct controller, and the controller calling models or rendering views, not calling other controllers.

So, in summary, to implement such a scheme correctly you have to 1. use a database, 2. sanitize, 3. break MVC, all to avoid learning regular expressions and mod_rewrite. This would somewhat make sense (mod_rewrite and Apache directives in general are a beast), except for the fact that people have posted .htaccess code before and there's no need to learn anything, only cut and paste. So, 3-4 lines of code compared to 20-50 lines of code (to implement it securely)? I choose the former ;)

P.S. If your web hosting does not support .htaccess, I would simply change web hosts, since a company that does not have the knowledge to offer its customers .htaccess is not one you want for highly secure sites.
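The web-server-side approach BrianL describes in #2 and #4, written out as an added example (not code from this thread or from CodeIgniter). It assumes the pages that need TLS live under /secure and /account, that the canonical host is www.example.com (both placeholders), and that the site uses CodeIgniter's usual index.php front-controller rewrite.

```apache
# Added example, not from this thread. Assumptions: protected pages are
# under /secure and /account (placeholders), the canonical host is
# www.example.com (placeholder), CodeIgniter runs behind its usual
# index.php front controller, and Apache terminates TLS itself.
RewriteEngine On

# 1. Force HTTPS for the protected URIs only. This block must come before
#    the front-controller rule, otherwise the request has already been
#    rewritten to index.php/... and the pattern below never matches.
#    %{HTTPS} is set by mod_ssl and is "off" on the plain-HTTP vhost.
#    The host is hard-coded instead of taken from %{HTTP_HOST}, so a
#    client-supplied Host header cannot steer the redirect elsewhere.
#    The original query string is carried over automatically because the
#    substitution contains no "?".
RewriteCond %{HTTPS} off
RewriteRule ^(secure|account)(/.*)?$ https://www.example.com%{REQUEST_URI} [R=301,L]

# 2. The usual CodeIgniter front-controller rule: anything that is not an
#    existing file or directory is handed to index.php for routing.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
```

To check it, request http://www.example.com/secure/ and a non-protected page over plain HTTP: only the former should answer with a 301 to the https:// URL, and the https:// request itself must not redirect again. If TLS is terminated by a proxy in front of Apache, %{HTTPS} stays "off" on every request and this rule would loop, so the condition then has to look at whatever header the proxy sets to mark HTTPS traffic instead.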
Theme © iAndrew 2016 - Forum software by © MyBB