PHP Security and Encryption Detecting SSL - Supercoders | Web Development and Design | Tutorial for Java, PHP, HTML, Javascript PHP Security and Encryption Detecting SSL - Supercoders | Web Development and Design | Tutorial for Java, PHP, HTML, Javascript

Breaking

Post Top Ad

Post Top Ad

Wednesday, June 26, 2019

PHP Security and Encryption Detecting SSL

PHP Security and Encryption



Detecting SSL


Problem

You want to know if a request arrived over SSL.

Solution

Test the value of $_SERVER['HTTPS']:

       if ('on' == $_SERVER['HTTPS']) {
          echo 'The secret ingredient in Coca-Cola is Soylent Green.';
       } else {
          echo 'Coca-Cola contains many delicious natural and artificial flavors.';
       }

Discussion

SSL operates on a lower level than HTTP. The web server and a browser negotiate an appropriately secure connection, based on their capabilities, and the HTTP messages can pass over that secure connection. To an attacker intercepting the traffic, it’s just a stream of nonsense bytes that can’t be read.

Different web servers have different requirements to use SSL, so check your server’s documentation for specific details. No changes have to be made to PHP to work over SSL.

In addition to altering code based on $_SERVER['HTTPS'], you can also set cookies to be exchanged only over SSL connections. If the last argument to setcookie() is true, the browser sends the cookie back to the server only over a secure connection:

       /* Set an SSL-only cookie named "sslonly" with value "yes" that expires at the
           end of the current browser session. */
       if ('on' === $_SERVER['HTTPS']) {
            setcookie('sslonly', 'yes', 0, '/', 'example.org', true);
       }

Although the browser sends these cookies back to the server only over an SSL connection, the server sends them to the browser (when you call setcookie() in your page) whether or not the request for the page that sets the cookie is over SSL. If you’re putting sensitive data in the cookie, make sure that you set the cookie only in an SSL request as well. Also, keep in mind that the cookie data is unencrypted on the user’s computer.


No comments:

Post a Comment

Post Top Ad