jbenamy wrote:
login.php admin.php reset.php (and any queries on those) to redirect to HTTPS version.
If you're getting a redirect loop, RewriteCond is your friend.
Code:
RewriteEngine On
RewriteBase /
# The following rules only take effect if HTTPS is off.
# (Apache does not allow a comment after a directive on the same line,
# so the comment has to sit on its own line.)
RewriteCond %{HTTPS} off
# $1 is the capture from the RewriteRule pattern below; mod_rewrite tests
# the pattern first and then evaluates the conditions.
RewriteCond $1 ^(login|admin|reset)\.php
# R makes the external redirect explicit (302 by default); the query string is carried over.
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
I'm not sure if these exact rules will work in your case, because there are lots of other things that might affect Apache's behavior. But your rules should look something like that.
jbenamy wrote:
All other pages should redirect to HTTP if they are accessed on HTTPS.
Nope, I'm not going to tell you how to do that, because that would be irresponsible.
If you access your site over an insecure wifi connection, log in over HTTPS, and then access even a single page on the same domain over plain HTTP (like testing something while doing admin tasks in another tab), you've just eliminated the benefit of logging in over HTTPS. The only way your server can tell whether or not you've logged in is with a cookie. That cookie can be stolen if you access the same domain over plain HTTP after logging in. If an attacker has the cookie, they don't even need to know your password.
So, unless you want to use a secure cookie that keeps logging you out whenever you hit an HTTP page, the only solution is to keep using HTTPS until you log out. In other words, it's perfectly OK to redirect from HTTP to HTTPS, but very dangerous to redirect from HTTPS to HTTP. The only place where it's OK to redirect from HTTPS to HTTP is the logout page.
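A configuration that follows the advice above, redirecting only toward HTTPS and keeping the login cookie off plain HTTP. This is an added example, not the poster's code or anything from the original thread; it assumes an Apache .htaccess with mod_rewrite available, mod_php for the php_flag lines (with PHP-FPM the same two settings go in php.ini or .user.ini instead), mod_headers for the Strict-Transport-Security header, and that PHP's session cookie is the login cookie being discussed.

```apache
RewriteEngine On
RewriteBase /

# Send every plain-HTTP request to the HTTPS version of the same URL.
# The query string is carried over automatically. There is deliberately
# no rule in the other direction: once logged in, the client stays on HTTPS.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Mark the PHP session cookie Secure (the browser never sends it over http://)
# and HttpOnly (page scripts cannot read it). Assumes mod_php is loaded.
php_flag session.cookie_secure On
php_flag session.cookie_httponly On

# Tell browsers to turn http:// links for this host into https:// themselves
# for a year, so a stray plain-HTTP link opened in another tab never produces
# an unencrypted request in the first place. Assumes mod_headers.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
```

Because every plain-HTTP request is redirected before the application sees it, the Secure cookie no longer has the "keeps logging you out" problem the post mentions: the browser is never on an http:// page of this host long enough to need the cookie there. The logout page needs no special handling; it is simply served over HTTPS like everything else.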