Using SSL Authentication on a non-SSL website
The task is to provide a secure login on a website that doesn’t necessarily have any other secure content. If you have an SSL certificate for your web server, you can use SSL just for the login to reduce the traffic going over SSL. Here is a basic login page containing a form that submits the user's credentials to a login script over SSL.
<html>
<head>
<title>Test SSL</title>
</head>
<body>
<form method="post" action="https://yoursite.com/loginssl.php">
Username:<input type="text" name="username"/><br/>
Password:<input type="password" name="password"/><br/>
<input type="submit"/>
</form>
</body>
</html>
And here is a login script written in PHP that redirects the user back to the login page if they fail to authenticate, or to the secure portion of the site if they succeed. It sets a session variable, which should be checked on each secure page.
<?php
ob_start();
// session_register() was removed in PHP 5.4; start the session explicitly instead.
session_start();

$login_success_url = "http://yoursite.com/secure/";
$login_failure_url = "http://yoursite.com/login.php";

// Missing form fields are treated as empty strings.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (authenticate($username, $password))
{
    // Issue a fresh session ID on login, then register the required session variables:
    session_regenerate_id(true);
    $_SESSION['userid'] = $username;
    $location = $login_success_url;
}
else
{
    $location = $login_failure_url;
}

/* redirect user to appropriate location */
header("Location: " . $location);
?>
<!-- This HTML should never be displayed -->
<html>
<head>
<title>Your Site Login</title>
</head>
<body>
<p>Redirecting to <a href="<?php echo $location ?>"><?php echo $location ?></a></p>
</body>
</html>
<?php ob_end_flush(); ?>
Replace the authenticate function with your own authentication scheme.
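One way to fill in the two pieces the page leaves to the reader, the authenticate() function and the session check for each secure page, as an added example that is not the original author's code. It assumes PHP 7 or later; the file name auth.php, the helpers sample_users() and require_login(), and the user alice are hypothetical.

```php
<?php
// auth.php: added example, not the original author's code.
// LOGIN_URL repeats the page's $login_failure_url.
const LOGIN_URL = 'http://yoursite.com/login.php';

// Constructed sample data; a real site would load stored password_hash()
// output from its own user store instead of hashing at request time.
function sample_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Stand-in for the authenticate() call in loginssl.php.
function authenticate($username, $password): bool
{
    // A request such as username[]=x delivers an array, not a string.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    $users = sample_users();
    // Unknown users are checked against a dummy hash so that both paths
    // perform one password_verify() and take similar time.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-value', PASSWORD_DEFAULT);
    $hash = $users[$username] ?? $dummy;
    $ok = password_verify($password, $hash);
    return $ok && isset($users[$username]);
}

// Session check for the secure pages: returns the logged-in user id,
// or redirects to the login page and stops the script.
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['userid']) || !is_string($_SESSION['userid'])) {
        header('Location: ' . LOGIN_URL);
        exit;
    }
    return $_SESSION['userid'];
}
```

Include the file from loginssl.php for authenticate(), and call require_login() at the top of every page under /secure/ before any output is sent. Because those pages are served over http://, the session cookie this check relies on cannot carry the Secure flag and crosses the network unencrypted after login; serving /secure/ over https as well closes that gap.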