https without certificate still secure?

**orionoreo** · 07-22-2009, 04:27 AM

So I have these files which I forced into SSL using rewrite, but because the rewrite also has to turn off https for other files the certificate is not correctly loaded for the pages.

since the user is still on https://www.blah blah blah... is the encryption still working?

**interzine** · 07-22-2009, 05:42 AM

Of corse not, the S in httpS identidy the Certificate, if it don't exist or disabled, an error message will appear .. certainly on Forefox and Chrome don't know on IE ..

**damien_ls** · 07-22-2009, 06:37 AM

Assuming that the error is as you describe (i.e. mixture of secure and non-secure items) then yes, the 'secure' items should still have encryption applied - as interzine mentioned, those loaded via http (rather than https) are not encrypted.

However, I don't understand why you'd go to the expense of purchasing an SSL certificate and then not adjust the pages accordingly to ensure the ones you intend to secure are actually presented as such.

I assume that you have some sort of user facing project with this (e.g. ecommerce, login forms or whatever) and therefore the CA issued certificate is primarily for their confidence; you could use a self-signed certificate perfectly well if it's only for your own benefit...

**orionoreo** · 07-22-2009, 01:54 PM

damien, the cert loads fine for all the subfolders but for those two particular files the cert doesn't show up...

I used a htaccess code i found similar on a few forums and tweaked it for my site... loads https fine but the cert doesn't just want to ensure things are still encrypted tho

**damien_ls** · 07-23-2009, 06:50 AM

This might make more sense if you could post the domain name in question (e.g. the URLs which aren't working and an example of one that does), and also the contents of your .htaccess.

I'm sure then someone on this wonderful forum will be able to spot the problem and help you correct it

**orionoreo** · 07-23-2009, 03:22 PM

damien... thanks for the help, I was trying to do some sample pages to replicate my situation but it didn't happen... because it worked... so i knew something must be wrong with my coding..

turns out the _login.php was being kicked into https but the src= files in the header were not... so the scripts and the css was reverting back to non ssl... to resolve... force the other directories into ssl aswell when loading:

Code:

# Turn On HTTPS for SSL Pages
RewriteCond %{SERVER_PORT} !^443$ 
RewriteCond %{REQUEST_URI} ^/(admin/?|secure/?|Scripts/?|css/?|_login\.php$|_login\.htm$|forgot_password\.php$|forgot_password\.htm$) 
RewriteRule ^(.+)$ https://%{HTTP_HOST}/$1 [R=301,QSA,L] 

# Turn off HTTPS for Non-SSL Pages
RewriteCond %{SERVER_PORT} !^80$ 
RewriteCond %{REQUEST_URI} !^/(admin/?|secure/?|Scripts/?|css/?|_login\.php$|_login\.htm$|forgot_password\.php$|forgot_password\.htm$) 
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,QSA,L]