
Thread: SSL Question

  1. #1
    New Coder
    Join Date
    Feb 2003
    Location
    Toronto, ON
    Posts
    50
    Thanks
    0
    Thanked 0 Times in 0 Posts

    SSL Question

    I have a quick question about SSL...if the form I'm entering data on is http, and the script it's being submitted to is https...does that make it secure? Or do both the form, and the destination script have to be https?

    Thanks
    Thodyconsulting.com

  • #2
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    Not sure, I'd put them both on the secure server just to make sure, as I think the form could be intercepted otherwise without it being encoded

  • #3
    New Coder
    Join Date
    Apr 2004
    Location
    Texas
    Posts
    60
    Thanks
    0
    Thanked 0 Times in 0 Posts

    You only have to post as https

    There is no client info in the form itself on the server, so http is fine for serving that up. The user enters data on the client side and that data doesn't get transmitted back to the server until POST. As long as you post as HTTPS, you're secure, the form needn't be served via https.

    Regards,
    Jason.

  • #4
    Regular Coder dniwebdesign's Avatar
    Join Date
    Dec 2003
    Location
    Carrot River, Saskatchewan
    Posts
    844
    Thanks
    15
    Thanked 9 Times in 9 Posts
    If you don't mind me asking, is there any article that you can show to prove that? I am working on a bank website and want to add a log-in on their front page (non-secure) to log into internet banking (secure), but they are unsure about the security. This will help prove my point that it is okay, just as long as when the user clicks submit it is sent to a secure server. Thanks.
    Dawson Irvine
    CEO - DNI Web Design
    http://www.dniwebdesign.com

  • #5
    Regular Coder dniwebdesign's Avatar
    Join Date
    Dec 2003
    Location
    Carrot River, Saskatchewan
    Posts
    844
    Thanks
    15
    Thanked 9 Times in 9 Posts
    If you don't mind me asking, is there any article that you can show to prove that? I am working on a bank website and want to add a log-in on their front page (non-secure) to log into internet banking (secure), but they are unsure about the security. This will help prove my point that it is okay, just as long as when the user clicks submit it is sent to a secure server. Thanks.
    Dawson Irvine
    CEO - DNI Web Design
    http://www.dniwebdesign.com

  • #6
    Regular Coder dniwebdesign's Avatar
    Join Date
    Dec 2003
    Location
    Carrot River, Saskatchewan
    Posts
    844
    Thanks
    15
    Thanked 9 Times in 9 Posts
    Sorry for double posting... I still saw the form sitting here filled out so I thought I forgot to press Submit...
    Dawson Irvine
    CEO - DNI Web Design
    http://www.dniwebdesign.com

  • #7
    New Coder
    Join Date
    Apr 2004
    Location
    Texas
    Posts
    60
    Thanks
    0
    Thanked 0 Times in 0 Posts

    perhaps this will clarify

    Sorry, but I don't have an article to "prove" that. If you have a solid understanding of the http protocol this should be self evident. I worked at IBM for 3 years supporting webservers if that helps for my credibility, and I'm a principal CLP for Lotus Domino Server.

    When a user visits a web page for instance www.acme.com
    their browser will perform GET http://www.acme.com
    The server sees this request and sends the requested data (web page)
    to the browser on the client machine. The client browser (IE, Netscape, etc..) then interprets the HTML returned and displays it accordingly.

    So, when your user visits the page containing your form, the above will happen. The information is sent unencrypted, but that's ok, because the client hasn't yet entered any information into the form (it's just a blank form). Once the client browser receives the HTML which constitutes a form, the browser displays the form on the client.

    The user fills in the form (which at that point is in the memory of his local browser, not on the server). When, and only when the user clicks submit, does the information he has entered get sent to the server. This is done via the POST method of the form. Your Form Action will contain the page to which it gets posted.

    So unless you feel you need to encrypt an empty form, you needn't worry about it. As long as you POST to an HTTPS page, the user never sends any sensitive information in the clear.

    If, however, you are pulling information from a database and pre-populating sensitive data into the form before sending the form to the users, then you should by all means be sure to serve that form up via https.

    HTTP is a client/server protocol
    Client requests data (page) via GET
    Server sends data to client
    Client displays the data it received (page) to user.
    User enters information into locally downloaded page.
    User clicks submit.
    Client performs POST to address specified in Action
    Data gets sent from client to server.
    If posted via HTTPS, data is sent to server encrypted.

    Hopefully that clarifies somewhat. Let me know if you still have questions.

    Thanks,
    Jason

