Secure Sockets Layer (SSL)

Another way we can protect ourselves in conjunction with our web server is to use what is known as the Secure Sockets Layer, or SSL (see the "Secure Sockets Layer (SSL)" section in Chapter 13, "Web Applications and the Internet"). While it will not solve all of our security problems, it is an extremely useful tool for encrypting traffic between the client and server and giving us an added degree of protection.

Using SSL in PHP

There are three parts to using SSL in our web applications: setup, getting a certificate, and using SSL in code.


Individual web servers have different means by which they use SSL and install and configure digital certificates. For Apache HTTP Servers in the 1.3.x version range, it is a process that involves many different source packages, while Microsoft's IIS and Apache HTTP Server 2.0.x support it natively.

You should consult the documentation for the SSL implementation you plan to use for details on how to perform the installation. Also, you can look in Appendix A, "Installation/Configuration," for more information on setting up web servers and PHP. These installations will give you a temporary test certificate with which to work.

Obtaining a Certificate

Since signing authorities (also called certificate authorities, or CAs) are organizations in the business of offering you trust and security, they are also in the business of making money off that act. Thus, certificates are rarely free, and can end up being quite expensive in some cases.

You are encouraged to shop around and look at the various signing authorities, see what other people are using, and look at which CAs your client browsers trust out of the box. If you find a great CA with extremely cheap prices, but none of the client browsers ships with its root certificate, your users will be alarmed by the message that says the certificate does not come from a known or trusted CA.

Each CA has detailed instructions on how to include the certificates it gives you in the specific web server/SSL environment you are operating.

Fortunately, you do not have to pay for one of these certificates to test and develop your application; all of the SSL server implementations come with a means of generating self-signed test certificates. These generate dire security warnings in client web browsers and should not be used in production environments; however, they are acceptable for development and testing purposes.

Using SSL and HTTPS from Within Code

One of the nicest things about SSL is that we barely notice it within our PHP scripts. It operates below HTTP, at the transport level, encrypting the whole HTTP exchange between browser and server while the rest of the operation of the web (requests, responses, headers, cookies) remains unchanged.

When we want to refer to a page users should connect to with SSL, we use https:// instead of http://; the little s is all the difference in the world. Thus, we could have the following in one of our pages:

<a href='https://myecommercesite_uri/process_checkout.php'>

Finally, to be sure that we are communicating over an encrypted connection, we can use the $_SERVER superglobal array to consult the HTTPS value inside it. Apache's mod_ssl sets this value to 'on' only for SSL connections and leaves it unset otherwise, while IIS sets it to 'off' for plain HTTP requests, so a robust check must treat both a missing value and 'off' as an unencrypted connection:

  if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
      // the request did not arrive over SSL: refuse it, or redirect to the https:// URL
  }
However, we will hardly notice that we are using SSL as we write our web applications.
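The following is an added example, not code from the book: it wraps the $_SERVER['HTTPS'] check described above into a function a checkout page can call before doing anything else, redirecting plain-HTTP requests to the SSL version of the same page. It assumes one server answering on both http:// and https:// for the same host; the host name CHECKOUT_HOST is a placeholder you would set to your own site, and setups where SSL is terminated on a separate proxy do not populate $_SERVER['HTTPS'] and need a different signal.

```php
<?php
// Placeholder: the canonical host name of your site. A fixed value is used
// instead of $_SERVER['HTTP_HOST'] so that a forged Host header cannot steer
// the redirect to another server.
define('CHECKOUT_HOST', 'myecommercesite_uri');

// Returns true only when the web server reports an SSL connection.
// Apache mod_ssl sets HTTPS to 'on' for SSL requests and leaves it unset
// otherwise; IIS sets it to 'off'. Both "unset" and 'off' mean plain HTTP.
function request_is_ssl(array $server)
{
    if (!isset($server['HTTPS']) || $server['HTTPS'] === '') {
        return false;
    }
    return strtolower($server['HTTPS']) !== 'off';
}

// Rebuilds the URL of the current request with the https:// scheme,
// keeping the path and query string so the user lands on the same page.
function https_url_for(array $server)
{
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // REQUEST_URI always starts with '/', so the result stays on our host.
    return 'https://' . CHECKOUT_HOST . $uri;
}

// Call at the very top of any page that must only be served over SSL.
// Redirects and stops the script, so no code below it ever handles
// data that arrived unencrypted.
function require_ssl()
{
    if (request_is_ssl($_SERVER)) {
        return;
    }
    header('Location: ' . https_url_for($_SERVER), true, 301);
    exit;
}

require_ssl();
// ... the rest of process_checkout.php follows here ...
```

Note that a redirect only protects data sent after it: a form that posts to an http:// URL has already leaked its fields by the time this check runs, so the links and form actions in your pages must point at https:// as well.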