
SSL / https login from a non-secure (http) page

@Eichhorn148

Posted in: #Https #Php

I am setting up a login page, and I have some security questions / concerns.

I have a login form (username, password) on a NON-secure page, let's say:
www.example.com/login.php


When the user fills in the form and clicks the "Submit" button,
the form POSTs a "clear-text" query-string to a secure page: somethingelse.example.com/post.php or entirelydifferent.otherdomain.com/post.php
The login form is a standard html form like:

<form method="post" action="https://somethingelse.example.com/post.php">
...
</form>


So, the "query-string" is clear-text (not obfuscated or encrypted in any
way), but I'm sure (I hope) the process of doing a "post" to an "https:"
url will encrypt the query-string.

The code in "post.php" validates the username and password in the form data, and redirects to a NON-secure page based on success or fail: www.example.com/success.php or www.example.com/fail.php (or perhaps back to www.example.com/login.php)

Is this a proper (secure) setup for the "https:" login process, or does this cause security or other issues?

Should one or more of the "http:" pages (login.php, success.php, fail.php) be changed to "https:" (secure) pages?

Is it an issue (security or otherwise) if the sub-domain or domain changes between the various steps in the example?

Is it required by the process for certain of these pages to be on the same domain and the same sub-domain?

Also, it should be noted that I am not handling any critical data like credit card numbers on any pages.


@RJPawlick198

It is not recommended to collect information from users on a non-secure page, as it will communicate with the server over a non-secure connection.

In your case, the whole process should be done on a secure connection: login page, verification page and return page!!

Hope it will help.

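One way to apply the answer's advice in PHP, as an added example that is not the poster's or the site's code: a shared include (hypothetical name secure_page.php) that every page in the flow loads first. It assumes PHP 7.3 or later, TLS terminated on the web server itself, and that login.php, post.php, success.php and fail.php are all served from www.example.com.

```php
<?php
// secure_page.php -- added example; include first in login.php, post.php,
// success.php and fail.php. File and function names are hypothetical.
declare(strict_types=1);

function request_is_https(array $server): bool
{
    // Direct TLS on this server. Behind a TLS-terminating proxy you would
    // check the header your own proxy sets instead (deployment-specific).
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function require_https(): void
{
    if (request_is_https($_SERVER)) {
        // Tell browsers to use HTTPS for this host for the next year.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    if (!in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD'], true)) {
        // Credentials posted over http have already crossed the wire in clear.
        // Refuse rather than redirect, so the broken form gets noticed.
        http_response_code(400);
        exit('This form must be submitted over HTTPS.');
    }
    // Fixed host name: never build the redirect from the client-supplied Host header.
    header('Location: https://www.example.com' . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'secure'   => true,   // cookie is never sent over plain http
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
    session_start();
}

require_https();
start_secure_session();

// In post.php, after the username and password have been verified:
//   session_regenerate_id(true);   // fresh session ID for the logged-in user
//   $_SESSION['user'] = $username;
//   header('Location: https://www.example.com/success.php');
//   exit;
```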