  1. #1
    Join Date
    Dec 2003
    Posts
    61

    Unanswered: need help with "secure login" checkbox

    I configured my web server for SSL.

    When you go to http://mydomain.com I have a username and password login form.

    I want to add a checkbox that says "login securely".

    When the user checks the box, I want the form action to change from http://mydomain.com/checkuser.php to httpS://mydomain.com/checkuser.php

    But that's difficult since the page is already loaded and PHP only changes the HTML before the page is loaded.

    Has anyone else run into this issue before?

    Thanks
    Noam

  2. #2
    Join Date
    Feb 2004
    Posts
    533
    Quote Originally Posted by noamkrief
    I want to add a checkbox that says "login securely".

    When the user checks the box, I want the formaction to change from http://mydomain.com/checkuser.php to httpS://mydomain.com/checkuser.php
    Just changing the form action will not provide security. If the user types logon information on a non-secure form then sends it unencrypted to a secure page on your site, it's exposed in the form post data at that point.

    I think you are better to intercept the user on the http:/... checkuser.php and redirect them to the https:/... secureuser.php

    Either use a redirect with JavaScript, or the HTTP header redirect.
    <?php
    // Send the browser to the HTTPS location, then stop so nothing else runs on the plain-HTTP request.
    header('Location: https://domain.com/secure/');
    exit;
    ?>
    or redirect using .htaccess file or http.config file with an Apache server.
    redirect-to-ssl-using-apaches-htaccess
    ~

    Bill
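
An added example, not part of the thread or any poster's code: one way to apply the header redirect from post #2 in PHP so that the login form is only ever served over HTTPS and credentials posted over plain HTTP are rejected instead of redirected. The function names are hypothetical, mydomain.com and checkuser.php are the names used in the thread, and it assumes TLS terminates on the web server itself so that `$_SERVER['HTTPS']` is populated.

```php
<?php
// Added example. Include at the top of the page that renders the login form
// and at the top of checkuser.php, before any output is sent.

// Hypothetical helper: true when this request arrived over TLS.
// Assumption: no TLS-terminating proxy sits in front of the server; behind
// one, HTTPS is not set and the proxy's own signal must be checked instead.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Hypothetical helper: redirect safe requests to HTTPS, refuse everything else.
function enforce_https(array $server, string $canonicalHost): void
{
    if (request_is_https($server)) {
        return; // already encrypted, carry on with the page
    }

    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A POST that reaches this point already carried the username and
        // password in clear text. Redirecting cannot undo that, so do not
        // process the login; fail loudly so the insecure form gets fixed.
        http_response_code(400);
        exit('Login must be submitted over HTTPS.');
    }

    // Build the target from a fixed host name rather than the client-supplied
    // Host header, so the redirect cannot be pointed at another site.
    $path = $server['REQUEST_URI'] ?? '/';
    header('Location: https://' . $canonicalHost . $path, true, 301);
    exit;
}

enforce_https($_SERVER, 'mydomain.com');
```

With this guard in place the form and its action URL are both HTTPS, so a "login securely" checkbox is no longer needed.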

  3. #3
    Join Date
    Dec 2003
    Posts
    61
    Thanks for the reply.
    I see what you are saying, but have you seen US Bank's website?
    www.usbank.com

    I use it to login to my bank account. The main page at USbank.com has the login screen and it's not SSL.

    It authenticates in an https webpage after you submit the username and password.
    You can try it out by making up a username and password and you can see what I mean.

    Hotmail is the same way. The main page of Hotmail has the username and password fields, but it's not https. After you hit submit or login, you then go to the SSL pages....

    Are Hotmail and US Bank not securing the username and password authentication?

  4. #4
    Join Date
    Feb 2004
    Posts
    533
    I would be concerned about your bank login. Use the links found on

    http://www.usbank.com/cgi_w/cfm/acct_login.cfm

    Which redirect to a secure https path.

    As for Hotmail and Yahoo Mail there is a line to switch to a secure login. I don't usually use the https email, just depends on how paranoid you are about your email. If I had to use it in a web cafe or something I'd more likely use https mail.

    Here's an interesting discussion on bank login: banks-and-https (http://www.squarefree.com/2005/05/28/banks-and-https/)
    ~

    Bill
