Question

I have a website that has a simple login form.

The form posts to login.php.

Inside login.php I check the username and password and redirect to a specific page.

All is good until I come to security. From PCI compliance I get this:

All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such re-direction occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that re-direction is not reliant upon the client (browser) side.

Then I went into login.php and added this code at the top:

<?php
// Some servers (IIS) set HTTPS to the string "off" on plain HTTP, which PHP treats as true
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
    exit; // stop here so the login code below never runs over plain HTTP
}

If I try to log in after this change the login process seems to go through fine, except I'm not sure that this solved the problem.

Notes:
I can't set the website to https://www.website.com because this throws a security warning. I do have a valid certificate though.

Any ideas how I can fix this issue?

Thanks

Edit:

The security warning is about accessing an insecure website: the red rectangle asking me if I'm sure I want to go to this website, and I can add it to the exceptions list.

If I add the certificate to the exceptions list, this alert happens only once.
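The redirect logic from the question, written out as an added Python example (not the asker's PHP) so the decision can be tested against the three `$_SERVER` shapes that occur in practice: Apache with `HTTPS` unset, IIS with `HTTPS` set to the string `"off"`, and a real TLS request. The dictionaries and hostname are constructed; the function mirrors the PHP variables by name only.

```python
"""Server-side HTTP-to-HTTPS redirect decision, modelled on the PHP
$_SERVER variables the question uses. Added example, not the asker's code."""


def is_https(server: dict) -> bool:
    """Mirror PHP's $_SERVER['HTTPS'] semantics.

    Apache sets it to "on" for TLS requests and leaves it unset otherwise;
    IIS sets it to the literal string "off" for plain HTTP, which PHP treats
    as truthy, so a test like `!$_SERVER['HTTPS']` would never redirect there.
    """
    value = str(server.get("HTTPS", "")).strip().lower()
    return value not in ("", "0", "off")


def https_redirect(server: dict):
    """Return (status, headers) for a server-side redirect, or None when the
    request already arrived over HTTPS.

    The redirect is a 301 with a Location header, as the PCI finding asks.
    For a POSTed login form this still does not protect the credentials: by
    the time login.php runs, the body has already crossed the network in the
    clear, and a 301/302 makes the browser repeat the request as a GET without
    the body. The form page itself, and its action URL, must already be https.
    """
    if is_https(server):
        return None
    target = "https://" + server["SERVER_NAME"] + server.get("REQUEST_URI", "/")
    return 301, [("Location", target)]


# Constructed $_SERVER-style dictionaries for the three cases that matter.
PLAIN_HTTP = {
    "SERVER_NAME": "www.example.com",
    "REQUEST_URI": "/login.php",
    "REQUEST_METHOD": "POST",
}
IIS_PLAIN_HTTP = dict(PLAIN_HTTP, HTTPS="off")
TLS_REQUEST = dict(PLAIN_HTTP, HTTPS="on")

if __name__ == "__main__":
    for name, env in (("apache http", PLAIN_HTTP),
                      ("iis http", IIS_PLAIN_HTTP),
                      ("tls", TLS_REQUEST)):
        print(name, "->", https_redirect(env))
```

One design point: on Apache, `SERVER_NAME` can reflect the client-supplied Host header when `UseCanonicalName` is off, so a production version should build the target from a configured canonical hostname rather than echoing whatever the request carried.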

Was this helpful?

Solution

Your certificate may be valid, but it's not recognized by the browser as safe. You need to find out why the browser is saying it's not valid. Usually it's been generated by a company using a root certificate that the browser doesn't recognize. You may need to switch certificates to get rid of the "red rectangle."
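A way to find out what the answer asks for, why the chain is not trusted, is to run `openssl s_client` against the site and read the presented chain and the final verify code. This is an added Python example, not the answerer's code; `run_s_client` needs network access and is not exercised here, and the transcript in `SAMPLE_OUTPUT` is constructed to show the "issuer not in the trust store" case.

```python
"""Diagnose why a client rejects a certificate: run `openssl s_client` against
the host and summarise the chain and the verify result. Added example for the
answer above, not the answerer's code. The sample transcript is constructed."""

import re
import subprocess


def run_s_client(host: str, port: int = 443) -> str:
    """Capture the s_client transcript for a host (network access required)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=20,
    )
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


def summarize_s_client(output: str) -> dict:
    """Extract the presented chain and the final verify code from s_client output."""
    summary = {"code": None, "reason": None, "chain": []}
    pending_subject = None
    for line in output.splitlines():
        m = re.match(r"\s*\d+ s:(.*)", line)          # " 0 s:CN = ..." chain subject
        if m:
            pending_subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)", line)              # "   i:C = US, ..." its issuer
        if m and pending_subject is not None:
            summary["chain"].append((pending_subject, m.group(1).strip()))
            pending_subject = None
            continue
        m = re.match(r"\s*Verify return code: (\d+) \((.*)\)", line)
        if m:
            summary["code"] = int(m.group(1))
            summary["reason"] = m.group(2)
    return summary


def trusted_by_local_store(summary: dict) -> bool:
    """Code 0 means the chain validated against the local trust store. Codes 19
    (self-signed certificate in chain) and 20 (unable to get local issuer
    certificate) are the usual results behind an 'untrusted issuer' warning."""
    return summary["code"] == 0


# Constructed transcript: a leaf signed by an internal CA the client does not have.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Corp, CN = Example Internal CA
---
SSL handshake has read 1800 bytes and written 400 bytes
---
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

if __name__ == "__main__":
    s = summarize_s_client(SAMPLE_OUTPUT)
    print("chain:", s["chain"])
    print("verify:", s["code"], s["reason"],
          "trusted" if trusted_by_local_store(s) else "NOT trusted")
```

Note that `openssl` validates against its own CA bundle, and Firefox ships its own trust store rather than using the operating system's, so a chain that passes here can still be rejected by a particular browser; the chain and issuer names in the summary are what tell you which root the browser would need.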

Other suggestions

Are you sure your pages aren't including something via http transport, like a jpg or an embedded object? You can tell the browser to use https for the page, but if the page calls jpgs or other scripts or something, those can still be called with http. The browser then thinks the page has secure and insecure objects, and that can be an issue.
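To check for what this answer describes without clicking through every page, here is an added Python example (not the answerer's code) that parses a page served over https and lists every sub-resource or form action that would go out over plain http. The HTML in `SAMPLE_HTML` and the hostnames in it are constructed; the scanner uses only the standard library.

```python
"""Static mixed-content check: parse an HTML page served over https and list
every sub-resource or form action that the browser would fetch or submit over
plain http. Added example illustrating the answer above; not the answerer's code."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch something or submit a form.
URL_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
    "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute_url) for every http:// reference."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attr_map.get(name)
            if not value:
                continue
            # Relative and protocol-relative (//host/x) URLs inherit the page's
            # scheme, so only references that resolve to http:// are mixed content.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_mixed_content(html: str, page_url: str):
    """Return the list of (tag, attribute, url) references served over http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed login page: two safe references and three that break the lock,
# including a form that would post the credentials over plain http.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<form action="http://www.example.com/login.php" method="post">
  <img src="/images/logo.jpg">
  <img src="http://static.example.com/banner.jpg" />
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/login.html"):
        print(f"<{tag} {attr}> loads over http: {url}")
```

The `form action` finding is the one that matters most for a login page: a page that is itself https but posts to an http URL sends the username and password in the clear, and modern browsers block active mixed content such as scripts while only warning about passive content such as images, so the fix is to make every reference relative or explicitly https.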

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow