Adding SSL security to a website - the basics

Oct 21, 2008 8:15PM PDT

Hi, I am developing a small-time e-commerce website. We sell a single product, and we are using PayPal and GoogleCheckout to process the orders. We will not be storing any financially sensitive info on our server. My problem is that we want to implement SSL protection for the logging-in stage, i.e. the customer has an account with us, and in order to log in and look at their details we want it to be under https. Unfortunately I have no experience with SSL.

I have asked a friend who has suggested that we purchase a Thawte SSL certificate from our server provider. He then said that the best practice is to register another domain name in addition to our current one e.g. secure.domain.com and then make everything that needs securing fall under that.

Now I have attempted to pre-empt this by developing the website such that all the files that need SSL protection (e.g. login.php) are in a subdirectory off the root called SECURE. Will it be possible to set up these domains so that I have this secure portion of my website simply working on the files in the subdirectory?

Any hints/tips greatly appreciated!

Yes
Oct 22, 2008 11:32AM PDT

Just remember that anything within those pages has to be referenced using https://

For an even better understanding on how it works, read this http://www.ironflare.com/docs/ssl.html

~Sovereign
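
The point above about referencing everything with https://, as an added example that is not part of the original post: a Python check that scans a page's HTML for resources or form targets still referenced over plain http://. The tag list and the sample page (built on the thread's domain.com placeholder) are constructed assumptions.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch or submit something as part of the page.
# <a href> is navigation, not a subresource, so it is deliberately not listed.
LOADING_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("object", "data"), ("form", "action"),
}
# <link href> loads a resource only for some rel values (rel="canonical" does not).
LOADING_LINK_RELS = {"stylesheet", "icon", "preload"}

class InsecureRefFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for every plain-http reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        candidates = [a for (t, a) in LOADING_ATTRS if t == tag]
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and rels & LOADING_LINK_RELS:
            candidates.append("href")
        for attr in candidates:
            url = attrs.get(attr, "")
            # Scheme-relative (//host/...) and relative URLs inherit https.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, attr, url))

def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample standing in for a login page that is served over HTTPS.
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.domain.com/style.css">
<link rel="canonical" href="http://www.domain.com/SECURE/login.php">
<script src="https://www.domain.com/js/login.js"></script>
</head><body>
<img src="//www.domain.com/logo.png">
<a href="http://www.domain.com/">Home</a>
<form action="http://www.domain.com/SECURE/login.php" method="post">
<input type="password" name="pw"></form>
</body></html>"""
```

On the sample, `find_insecure_refs(SAMPLE_LOGIN_PAGE)` reports the stylesheet and the form action; the form is the more serious of the two, since it would submit the password over plain HTTP.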

yes you can
Oct 23, 2008 3:24AM PDT

An SSL certificate can really be purchased from a number of providers. Thawte is one of the biggest ones that everyone goes to, but is a bit more expensive. I get my SSL cert from Domains at Retail ( http://www.domainsatretail.com/securessl.html ). For what you are doing, you really only need a Standard SSL Certificate. If you want, you can go up to the Deluxe certificate, but it's not necessary. For a video, check out http://www.domainsatretail.com/blog/2007/11/12/how-to-set-up-hosting-with-an-ssl-certificate/. Anyways, that's one of the easier things to get set up.

As for your question about folders, you most definitely can set it up to only make one folder use SSL. I'm not sure if you are using Linux Hosting? If you are, you can, through your .htaccess file, force people to view files within a certain directory to be https://. I did this for a client of mine who wanted his whole site to be https://, and if they typed http:// it would be redirected to the same page with https://.

Quick Google search found this site:
http://www.besthostratings.com/articles/force-ssl-htaccess.html

You would basically create a file .htaccess in the folder you want to force SSL on, and put this code into the file:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} somefolder
    RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]

The .htaccess file should be placed in the folder where you need to force HTTPS.

Of course, just change domain.com and somefolder. Simple enough though, and it's never too late to put SSL.