Results 1 to 6 of 6
  1. #1

    secure https directory accessable with http

    With my reseller account, I had my hosting company set up a secure directory (purchased an ssl cert, named which directory to secure).

    I created a link to this area where users can fill out secure forms, etc. The link is to htps://blahblah...

    I notice that I can still type htp://blahblah... and get to the directory. This is not terrible, as I have no link there in the web application I am building. However, there is a subdirectory for administration by my client, in which vital data is accessed. I password protected it, but it is still possible my client could type http (rather than htps) to access the area, password or not. This would send data over cleartext.

    Is there a way to prevent http access of a secure directory?

    Thank you

  2. #2

    https not htps

    I know correct syntax - I had to use the abbreviation in the code because of the automatic rules for new posters on this bulletin - it thought I was trying to place a link in which is not allowed for five posts by new member.

  3. #3
    Join Date
    Oct 2004
    Location
    Southwest UK
    Posts
    1,159
    All webservers have the https and http virtual hosts pointing to different directories, so you have to copy files you want to view to both directories (eg, an online shop where youu can browse the store in http, but login using https and still be able to view the store without having the 'some files are not secured'; warning pop up requries all files to be copied to the secure side of the store). So, some give you the option to make a soft link so both http and https use a single directory for all the files.

    It sounds like this has happened for you, and the answer is to split these directories so the files simply are not there to view when a http connection is made. I recommend contacting your host and making sure that you have a separate area where https files are stored.
    Do not meddle in the affairs of Dragons, for you are crunchy and taste good.

  4. #4
    Or you add a redirect to https page whenever someone tries to access your secure page using http
    SupportPRO.com -Transparent Technical Support for Webhosts
    Let the PROs handle your support

  5. #5

    best solution?

    I think I understand the replies. Is creating a redirect a solid solution if the hosting company is unwilling to create seperate directories?
    - If so, should I do this in php on the server side or javascript on a page in the directory?
    - Do you have any idea about the code I would be using (I am not an expert at scripting). I would guess it has to do with analyzing the uncoming header on the http request.

  6. #6
    Join Date
    Oct 2004
    Location
    Southwest UK
    Posts
    1,159
    The redirect is already created - that's your problem.

    To redirect http elsewhere, you'd change the directory associated with the vhost entry for port 80 to something different.

    I think adding a redirect requires a change to the html page - look at the META tag refresh to redirect to the https page. I do not know how to make it redirect to the same page on https, if the incoming connection is http though.
    Do not meddle in the affairs of Dragons, for you are crunchy and taste good.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •