SSL certificates usually match (exactly) one domain name. For example that may be www.domain.com (which would secure https://www.domain.com). This would give certificate mismatch browser warnings/errors for https://domain.com, https://subdomain.domain.com etc.
Anything which comes after the domain name in a URL (e.g. in https://www.domain.com/some/folders/index.php I'm referring to the /some/folders/index.php part) is irrelevant regarding the (in)validity of the SSL certificate - it only concerns the actual domain/subdomain in question.
Note also that there are some certificate authorities which will issue a certificate valid for www.domain.com and domain.com (in a single certificate) which will help avoid accidental mismatch warnings. Likewise you can also pay a bit extra and buy wildcard SSL certificates which would be valid for *.domain.com (e.g. you can use this certificate to secure multiple subdomains of domain.com). However, you will usually have to pay extra if you want to use a certificate across multiple servers at once.
With that background out of the way, let me answer your specific questions:
Quote:
Originally Posted by orionoreo
cool so if i have the ssl for www.mydomain.com it doesn't matter if I set the ssl and non-ssl to be housed in separate folders or not correct?
This is correct as far as the SSL certificate issue is concerned. However, you may want to have some control over whether your visitors access a certain page via SSL or not. For example if you want to use SSL on your login page you probably wouldn't want your visitors to accidentally use http://www.mydomain.com/login.php instead of https://www.mydomain.com/login.php - this would be possible (by default) if you house all of your content (SSL and non-SSL) together.
On the other hand, if you have SSL and non-SSL directories in use, you will probably need to duplicate some content. For example, your site logo and CSS files etc.
This is because every item loaded into an SSL secured page needs to be over https, so if you load up your images using
Code:
<img src="http://www.mydomain.com/images/logo.jpg">
you would find that browsers still give out a warning/error message (exactly what/how this is displayed varies quite a lot between different browsers). This might not be too much of a headache for images, but for your CSS file you might make more frequent changes to this, and therefore it can be a pain to (try to remember to) upload it into two places.
Therefore another option might be to house all content in a single directory, but add a .htaccess file (assuming you're using an Apache server) with a rule to force accesses for http://www.mydomain.com/login.php onto https://www.mydomain.com/login.php
This can of course get quite tedious, so if you have several pages to secure it might actually be beneficial to have them as something like https://www.mydomain.com/secure/login.php which would make the rewrite rule easier (i.e. you could have a rewrite rule which says anything with 'secure' in the URL should be accessed only via https).
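The .htaccess approach described in the post above, written out as an added example (not part of the original post). It assumes Apache with mod_rewrite enabled, an `AllowOverride` setting that permits rewrite rules in .htaccess, and the file placed in the document root of www.mydomain.com; the second rule matches the /secure/ directory prefix rather than the word 'secure' anywhere in the URL.

```apache
# .htaccess in the document root of www.mydomain.com
# Assumption: TLS is terminated by this Apache instance, so %{HTTPS} is
# reliable. Behind a TLS-terminating proxy or load balancer %{HTTPS} stays
# "off" and these rules would loop; test the header your proxy sets instead.
RewriteEngine On

# Option 1: one rule per page.
# A plain-HTTP request for /login.php is redirected to the HTTPS URL.
# The original query string is carried over automatically.
RewriteCond %{HTTPS} !=on
RewriteRule ^login\.php$ https://www.mydomain.com/login.php [R=301,L]

# Option 2: one rule for a whole directory.
# Everything under /secure/ is redirected to the same path over HTTPS,
# so new pages placed there are covered without further rules.
RewriteCond %{HTTPS} !=on
RewriteRule ^secure/(.*)$ https://www.mydomain.com/secure/$1 [R=301,L]

# The redirect only happens after the browser has already sent its request
# over HTTP. A login form must therefore submit to the https:// URL itself;
# credentials POSTed to http://.../login.php are on the wire in clear text
# before the redirect is returned.
```

Images, CSS and scripts referenced from these pages still need to be loaded over https, otherwise the browser warning described in the post appears even though the page itself was redirected.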