Secure Pages feature

To offer secure pages on a site, we need to let customers (1) create a key for their new SSL certificate, (2) get an IP address, and (3) install their signed certificate.

A page can then be marked as secure: whenever someone accesses that page via HTTP instead of HTTPS, the Redirect feature forces a redirect to the secure version of the page. The Redirect feature works in concert with the Secure Pages feature.

See: Redirection feature

To Think About

At this time I'm thinking that the implementation of Redirect will be to (1) check whether there is a redirection in the page, if not, (2) give other modules a way to dynamically define a redirection; at that point the Secure Pages module checks whether HTTPS is 'on', if not, it returns the current URI with the new protocol as the place to go to. This leaves the door open to problems such as: what if 2 modules answer the call... should we go here or there?
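The two-step lookup described above, written out as an added example (it is not Snap! Websites code; every type and function name is hypothetical). It assumes the host comes from site configuration rather than the client's Host header, and it reports a conflict between two modules instead of choosing a winner:

```cpp
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>

// All names below are hypothetical; this is not the Snap! Websites API.
struct request_t
{
    bool        https;          // connection is already HTTPS
    std::string canonical_host; // from site configuration, never the client's Host header
    std::string uri;            // path and query of the current request
    bool        marked_secure;  // page was marked as secure
    std::string page_redirect;  // redirection stored in the page, empty if none
};

// A module returns the URL to go to, or an empty string for "no opinion".
typedef std::function<std::string(request_t const &)> redirect_handler_t;

// Secure Pages answer: same URI, new protocol, only when HTTPS is not 'on'.
std::string secure_pages_redirect(request_t const & r)
{
    if(!r.marked_secure || r.https) return std::string();
    // refuse URIs that are not a local path or that could split the Location header
    if(r.uri.empty() || r.uri[0] != '/'
    || r.uri.find_first_of("\r\n") != std::string::npos)
        throw std::invalid_argument("unsafe URI for redirect");
    return "https://" + r.canonical_host + r.uri;
}

// Step (1): redirection in the page; step (2): ask the modules.
std::string resolve_redirect(request_t const & r, std::vector<redirect_handler_t> const & modules)
{
    if(!r.page_redirect.empty()) return r.page_redirect;
    std::string target;
    for(auto const & module : modules)
    {
        std::string const answer(module(r));
        if(answer.empty()) continue;
        // two modules disagree: report it instead of silently picking one
        if(!target.empty() && target != answer)
            throw std::runtime_error("conflicting redirects: " + target + " vs " + answer);
        target = answer;
    }
    return target;
}
```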

IMPORTANT NOTE ABOUT SECURITY

There is a script called sslstrip which can be used by a hacker to hijack a session and retrieve passwords, credit card numbers, and more when a website generates a redirect from HTTP to HTTPS. When that happens, the user loses his cookie, but the worst part is that, in many cases, he loses any and all tokens that go over his connection without actually knowing it.

Snap! Websites
An Open Source CMS System in C++
