
Force SSL Logins

In order to maintain PCI compliance, your login.php page cannot allow unencrypted logins. Currently, even if you have SSL installed on your domain, someone who manually enters a non-SSL URL such as:

http://www.somesite.com/login.php

will be allowed to log in without encryption, which is a bad thing.

Remedying this and forcing SSL regardless of the URL entered in the browser is a simple matter. Edit login.php in your main catalog directory and add the following code at the very top of the file, just under the opening <?php tag:

    // Redirect plain-HTTP requests (port 80) to the same page over HTTPS.
    if ($_SERVER['SERVER_PORT'] == 80) {
        // rtrim avoids "https://host//login.php" when login.php sits in the web root
        $path = rtrim(dirname($_SERVER['PHP_SELF']), '/') . '/' . basename($_SERVER['PHP_SELF']);
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $path);
        die();
    }

This code automatically redirects all HTTP (non-SSL) URL requests to SSL, so there is no way to use an unencrypted login on that page. This will allow you to pass your PCI scans for logins.
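As an added example (not the code from this wiki page), the following is a more robust form of the same redirect: it detects HTTPS via the HTTPS variable rather than only the port, keeps the query string, uses a permanent redirect, and sets an HSTS header once the page is reached over SSL. It assumes the shop may sit behind a TLS-terminating proxy that sets X-Forwarded-Proto; the function names are my own.

```php
<?php
// Added example, not part of the original page. Paste the functions and the
// final force_https() call at the top of login.php (drop the <?php line there).

// Decide whether this request arrived over HTTPS. $server is the $_SERVER
// array, passed in so the logic can be checked against constructed input.
function request_is_https(array $server): bool {
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443) {
        return true;
    }
    // Assumption: only trust this header if the proxy overwrites it on every
    // request, otherwise a client can set it and skip the redirect.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

// Build the HTTPS URL for the same path and query string. REQUEST_URI keeps
// the query string, which dirname()/basename() of PHP_SELF would drop.
function https_url(array $server): string {
    // Prefer a fixed canonical host name here if the server answers to
    // arbitrary Host headers; HTTP_HOST is client-supplied.
    $host = $server['HTTP_HOST'] ?? 'www.somesite.com';
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;   // keep the redirect on this host
    }
    return 'https://' . $host . $path;
}

function force_https(): void {
    if (!request_is_https($_SERVER)) {
        header('Location: ' . https_url($_SERVER), true, 301);
        exit;
    }
    // Already on HTTPS: tell browsers to stay on HTTPS for this host.
    header('Strict-Transport-Security: max-age=31536000');
}

force_https();
```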

forcessl.txt · Last modified: 2009/11/01 09:33 by michael_s