I have been looking through the reference, webinars and such but have not come across an example of, say, a SC application reading a username and password securely or a macro that changes to and from a secure connection. How is this done? I am grateful for any pointers and especially examples.
S.
Its the same way under HTTPS and http. You don’t have to do anything especial, HTTPS ensures itself to protect. Just enable you SSL
… but the only SC macro that is concerned with SSL, sc_site+ssl, only works under IIS.
I was wondering if SC had anything native I could use instead of just getting into the raw PHP.
Any examples would be appreciated.
S.
[QUOTE=Sean H.;39386]… but the only SC macro that is concerned with SSL, sc_site+ssl, only works under IIS.
I was wondering if SC had anything native I could use instead of just getting into the raw PHP.
Any examples would be appreciated.
S.[/QUOTE]
I don’t think a macro is needed.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
// no SSL request
}
[QUOTE=Giu;39392]I don’t think a macro is needed.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
// no SSL request
}
[/QUOTE]
There is nothing special about running under https. We have several applications running under it and no issues at all. Afaik the scriptcase macro’s are to detect if the application is running under https, but why should you bother? After all you’re installing it under https so as long as the certificates are valid there’s no need to do checks in your software.
I basically force all http traffic to https on the server hosting the app and I think that’s safest. Problem is my /_lib URL which returns a blank page with https.
How do you handle this?
Also it’s obviously safer to use htaccess to prevent casual access to /_lib by unknown IP addresses but is it possible to rename _lib entirely in production SC so its far more difficult for a hacker familiar with SC architecture?
[QUOTE=scriptcaser;39404]I basically force all http traffic to https on the server hosting the app and I think that’s safest. Problem is my /_lib URL which returns a blank page with https.
How do you handle this?
Also it’s obviously safer to use htaccess to prevent casual access to /_lib by unknown IP addresses but is it possible to rename _lib entirely in production SC so its far more difficult for a hacker familiar with SC architecture?[/QUOTE]
You mean that you can’t connect to the setup? Just enter the full url manually.
[QUOTE=scriptcaser;39404]I basically force all http traffic to https on the server hosting the app and I think that’s safest. Problem is my /_lib URL which returns a blank page with https.
How do you handle this?
Also it’s obviously safer to use htaccess to prevent casual access to /_lib by unknown IP addresses but is it possible to rename _lib entirely in production SC so its far more difficult for a hacker familiar with SC architecture?[/QUOTE]
Didn’t tried with https, but if you problem is, when you access /_lib you finish on a blank page here /_lib/prod/lib/php/?login just try adding index.php before ‘?’ … like this /_lib/prod/lib/php/index.php?login
This fails too out of SSL
You are both right: the direct URL works and it’s not protected by SSL. But is this a good practice? How are you securing your _lib in production environment over the 'net?
No, you can also use https for this screen. In fact, if you are running under apache you have a https directory for your site and you can only run this under https.
This is what I used:
function use_https()
{
if ( ! isset($_SERVER[‘HTTPS’])) {
header(‘Location: https://’ . $_SERVER[“SERVER_NAME”] . $_SERVER[‘REQUEST_URI’]);
}
}
function use_http()
{
if ( isset($_SERVER[‘HTTPS’])) {
header(‘Location: http://’ . $_SERVER[“SERVER_NAME”] . $_SERVER[‘REQUEST_URI’]);
}
}
Thanks for your feedback.