PHP, PCI compliance problem: How to?
https://stackoverflow.com/questions/7505362
-
25-01-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianسؤال
I've have a problem with the PCI compliance. Basically they want me to add https:// on every page where the password field is present. this is kind of wierd.
My form in index.php looks like:
<form method=post action="login.php" id="login">
<input type="text" size="16" maxlength="30" name="login" id="login_user" />
<input type="password" size=16 maxlength="20" name="pass" class="ifield" id="login_pass"/>
<input name="msubmit" type="submit" value="Login" />
</form>
I've tried to post to https: <form method=post action="https://test.com/login.php" id="login"> but the test it still fails.
How should I fix this problem?
المحلول
First, you will need to configure your webserver to support SSL. You will need to purchase an SSL certificate and configure your webserver to answer requests on both port 80 and port 443.
After you have completed these changes, you will be able to tell your form to post to the SSL version of your site via the URL you posted above.
If the compliance rules require it, you may also need to make the form itself load under the SSL version of the site. In this case, you can update all of your links to the form to point to the 'https://' version, or modify your webserver rules to forward all requests for the form to the 'https://' version.
نصائح أخرى
From an objective security (not PCI) standpoint, there is nothing wrong with filling in the form as you have it, then posting it via SSL to an https address. Whether the page on which the blank form was originally displayed was a secure page is irrelevant, though many people think otherwise (wrongly). Presenting your form on a secure page is marketing -- people feel more comfortable when you do so. Submitting it via https is the actual secure part.
Many PCI-compliance requirements are hypothetical or about marketing and the perceptions of security, as opposed to actual security. If your scanner is flagging you simply because the form is being presented on a non-SSL page, then you could legitimately dispute that finding, as there is no security impact. If the form in question, even when properly accessed, doesn't allow access to server management or private information, then you could also legitimately dispute the finding. However, if the process of logging in allows access to personal information or server management, then there are multiple reasons to make sure that it is submitted via a secure port.
