web application with secured sections, sessions and related trouble

Posted by spirytus on Stack Overflow See other posts from Stack Overflow or by spirytus
Published on 2010-05-12T01:31:55Z Indexed on 2010/05/12 11:54 UTC
Read the original article Hit count: 260

Filed under:
|
|
|

I would like to create web application with admin/checkout sections being secured. Assuming I have SSL set up for subdomain.mydomain.com I would like to make sure that all that top-secret stuff ;) like checkout pages and admin section is transferred securely. Would it be ok to structure my application as below?

subdomain.mydomain.com
    adminSectionFolder
        adminPage1.php
        adminPage2.php
    checkoutPagesFolder
        checkoutPage1.php
        checkoutPage2.php
        checkoutPage3.php
    homepage.php
    loginPage.php
    someOtherPage.php
    someNonSecureFolder
        nonSecurePage1.php
        nonSecurePage2.php
        nonSecurePage3.php
    imagesFolder
        image1.jpg
        image2.jpg
        image3.jpg

Users would access my web application via http as there is no need for SSL for homepage and similar. Checkout/admin pages would have to be accessed via https though (that I would ensure via .htaccess redirects). I would also like to have login form on every page of the site, including non-secure pages. Now my questions are:

  1. if I have form on non-secure page e.g http://subdomain.mydomain.com/homepage.php and that form sends data to http://subdomain.mydomain.com/loginPage.php, is data being send encrypted as if it were sent from https://subdomain.mydomain.com/homepage.php? I do realize users will not see padlock, but browser still should encrypt it, is it right?

  2. If on secure page loginPage.php (or any other accessed via https for that instance) I created session, session ID would be assigned, and in case of my web app. something like username of the logged in user. Would I be able to access these session variable from http://subdomain.mydomain.com/homepage.php to for example display greeting message? If session ID is stored in cookies then it would be trouble I assume, but could someone clarify how it should be done? It seems important to have username and password send over SSL.

  3. Related to above question I think.. would it actually make any sense to have login secured via SSL so usenrame/password would be transferred securely, and then session ID being transferred with no SSL? I mean wouldnt it be the same really if someone caught username and password being transferred, or caught session ID? Please let me know if I make sense here cause it feels like I'm missing something important.

EDIT: I came up with idea but again please let me know if that would work. Having above, so assuming that sharing session between http and https is as secure as login in user via plain http (not https), I guess on all non secure pages, like homepage etc. I could check if user is already logged in, and if so from php redirect to https version of same page. So user fills in login form from homepage.php, over ssl details are send to backend so probably https://.../homepage.php. Trying to access http://.../someOtherPage.php script would always check if session is created and if so redirect user to https version of this page so https://.../someOtherPage.php. Would that work?

4.To avoid browser popping message "this page contains non secure items..." my links to css, images and all assets, e.g. in case of http://subdomain.mydomain.com/checkoutPage1.php should be absolute so "/images/image1.jpg" or relative so "../images/image1.jpg"? I guess one of those would have to work :)

wow that's long post, thanks for your patience if you got that far and any answers :) oh yeh and I use php/apache on shared hosting

© Stack Overflow or respective owner

Related posts about ssl

Related posts about session