Force SSL Logins

In order to maintain PCI compliance, your login.php page cannot allow unencrypted logins. Currently, even if you have SSL installed on your domain, if someone manually enters a non-SSL URL like:

http://www.somesite.com/login.php

they will be allowed to log in without encryption, which is a bad thing.

Remedying this and forcing SSL regardless of the URL entered in the browser is a simple matter. Edit login.php in your main catalog directory and add the following code at the very top of the file, just under the opening <?php tag:

    // Redirect to the HTTPS version of this page when the request arrived over plain HTTP.
    // This checks only the server port; behind a TLS-terminating proxy the port will
    // not be 80, so there you would test $_SERVER['HTTPS'] or the proxy's forwarded-proto header.
    if ($_SERVER['SERVER_PORT'] == 80) {
        // rtrim() avoids a doubled slash when login.php sits in the web root
        header('Location: https://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['PHP_SELF']), '/') . '/' . basename($_SERVER['PHP_SELF']));
        die();
    }


This code automatically redirects every plain-HTTP (non-SSL) request for the page to its HTTPS equivalent, so there is no way to use an unencrypted login on that page. This will allow you to pass your PCI scans for logins.
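A stricter variant of the same redirect, added here as an example and not part of the original page or of any shop software: it detects TLS via the HTTPS variable or a proxy's X-Forwarded-Proto header rather than the port alone, keeps the query string, builds the Location from a configured host (CANONICAL_HOST, an assumed constant you set yourself) instead of the client-supplied Host header, and sends an HSTS header once the request is on HTTPS.

```php
<?php
// Added example: hardened "force HTTPS" prelude for the top of login.php.
// Assumption: CANONICAL_HOST is the real hostname of your shop.
const CANONICAL_HOST = 'www.somesite.com';

// True when the current request already arrived over TLS.
function request_is_https(array $server): bool {
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Only meaningful when a trusted TLS-terminating proxy sets this header and
    // strips any copy sent by the client; otherwise leave this branch out.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

// Returns the https:// URL to redirect to, or null when no redirect is needed.
function https_redirect_target(array $server): ?string {
    if (request_is_https($server)) {
        return null;
    }
    // REQUEST_URI keeps path and query, e.g. /catalog/login.php?action=process,
    // so a form that posts to login.php?action=... still lands on the right URL.
    $uri = $server['REQUEST_URI'] ?? '/';
    // Accept only an absolute local path; anything else falls back to the root.
    // Using a fixed host (not $_SERVER['HTTP_HOST']) means a forged Host header
    // cannot turn this redirect into an open redirect to another site.
    if ($uri === '' || $uri[0] !== '/' || strpbrk($uri, "\r\n") !== false) {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

$target = https_redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
// Already on HTTPS: ask browsers to use HTTPS for this host for a year.
header('Strict-Transport-Security: max-age=31536000');
```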

forcessl.1257089572.txt.gz · Last modified: 2009/11/01 09:32 by michael_s