[development] SSL pages tough or easy?

Sam Tresler sam at treslerdesigns.com
Fri Jul 30 16:30:29 UTC 2010


Hi,
   I realize I'm a little late, but thought I would chime in on this.  In my opinion, in this case doing this through a PHP header redirect is a poor practice.  I don't know the sensitivity of your data, but the point of having SSL is both verification and encryption of the transmitted data.  If the URL is being switched inside the webroot, as opposed to a layer above, then any other compromised part of the webroot could potentially undo that. I know the line of logic usually lies in 'if they can do that, then you have bigger issues', but in this case I disagree.  Apache comes with configuration options for this situation; forcing it through PHP is hacking around Apache config.

   If you configure this in your vhost or, less preferably, your .htaccess file directly, you make it invulnerable to most security exploits that can be enacted through the browser.  Otherwise, you create a big 'what if' situation.

   Now, if your information is truly sensitive, I would recommend isolating it to its own subdomain, and potentially its own machine available only on the local network, but for this application that may be overkill.

   Just my $0.02, but I would use a Drupal module for SSL, well never, but if I had to I would use it only on non-sensitive things that I just happened to want SSL on.

   Cheers,
     Sam Tresler

On Mon, 26 Jul 2010, Steve Edwards wrote:

> http://drupal.org/project/securepages
>
> On Jul 26, 2010, at 2:15 PM, Dayton Perkins wrote:
>
>> I have come here before and I would just like to say I really appreciate this group/board.
>> I have a potential client that wants several pages to include SSL exchange of payroll information. I have not implemented secure pages in Drupal(6).
>> I would appreciate input about this. I have seen a module to secure registration and login before. I am tempted to script it, but...
>> Thank You,
>> --
>> Kindest regards, Dayton Perkins
>> Good News Design
>> Intelligent Web Programming for Business
>> 3611 Butternut Drive, Suite 40
>> Holland MI 49424
>> 616-399-5617
>> http://goodnewsdesign.com
>
>

Sam Tresler
646-246-8403
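
The vhost-level enforcement recommended in the message above, as an added example that is not part of the original post. The hostname, the /payroll path, the document root and the certificate paths are placeholder assumptions, and the path match assumes Drupal clean URLs are enabled (a `?q=payroll` request would not match a path-based rule).

```apache
# Constructed example: example.com, /payroll, /var/www/drupal and the
# certificate paths are placeholders, not values from the thread.

# Backstop at server level: mod_ssl answers 403 to any non-SSL request
# for this path, even if the redirect below is later removed or a
# script in the webroot tries to serve the page over plain HTTP.
<Location /payroll>
    SSLRequireSSL
</Location>

# Plain-HTTP vhost: the sensitive path is redirected by mod_alias
# before the request ever reaches PHP or anything else in the webroot.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/drupal

    Redirect permanent /payroll https://example.com/payroll
</VirtualHost>

# HTTPS vhost that actually serves the sensitive pages.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/drupal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>
```

Placing these directives in the vhost rather than in .htaccess also means a writable webroot cannot override them, provided `AllowOverride` is not granted for the relevant directives.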


