Concerns about logging in on an HTTP page

Okay, let’s see if I can make my question clear!

The home page on my website is HTTP://

And pages like “Registration” are HTTPS://

But here is the problem…

If you go to “www.MySite.com” you will be landing on an HTTP page, however, my home page also has a “Log In” form off to the side.

Two things…

1.) I suppose that is okay from a security standpoint, because my form reads like this…


<!-- LOGIN FORM -->
<form action="HTTPS://www.MySite.com/index.php" method="post" accept-charset="utf-8">
</form>

Is this correct? Is this secure?

2.) Even if it is secure, such a set up probably freaks out most users - myself included!

(After all… Who wants to enter their Username and Password into a form that reads HTTP?! Not me…) :shifty:

So is there some way to “have my cake and eat it too”?

That is, is there some way to have things set up so when you land on my home page it is just a regular HTTP page, but when you want to Log-In, that I can some how change the page to HTTPS before people enter their log-in credentials so that they know I am handling their info securely?! :-/

Hope that makes some sense?!

Sincerely,

Debbie

Hi, Debbie. If your website works without a problem on HTTPS, just make a simple redirect in your top-level PHP include file:

<?php
// Redirect any plain-HTTP request to the same URL over HTTPS.
// Apache sets $_SERVER['HTTPS'] to "on" for TLS requests and leaves it unset otherwise.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
	header("HTTP/1.1 301 Moved Permanently");
	header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
	exit();
}

If you have mod_rewrite enabled in Apache you can also use the following code in a file named .htaccess that you must put in the root directory of your website:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
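As an added example (not code from this thread or from Debbie's site), here is a PHP include that does the same redirect as the snippet above but validates the client-supplied Host header before echoing it into the Location, together with the server-side counterpart of pointing the form action at HTTPS: the script that receives the login POST refuses to read credentials unless the request itself arrived over TLS. The function names are invented; the canonical host `www.MySite.com` is taken from the original post, and the sample requests at the bottom are constructed so the file runs from the command line.

```php
<?php
// Added example, not code from the thread. Function names are invented;
// the canonical host www.MySite.com comes from the original post.

// True when PHP believes the current request arrived over TLS.
// Apache sets HTTPS to "on"; IIS sets it to "off" for plain requests;
// other servers may leave it unset entirely.
function is_https(array $server): bool
{
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $value = strtolower((string) $server['HTTPS']);
    return $value !== '' && $value !== 'off';
}

// Build the https:// URL to redirect to, or null if no redirect is needed.
// The Host header is client-controlled, so only a plain hostname[:port] is
// echoed back; anything else is replaced with the canonical host so the
// redirect can never point at a host the site does not own.
function https_redirect_url(array $server, string $canonicalHost = 'www.MySite.com'): ?string
{
    if (is_https($server)) {
        return null;
    }
    $host = $server['HTTP_HOST'] ?? $canonicalHost;
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $host)) {
        $host = $canonicalHost;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

// Drop-in replacement for the redirect snippet: call this at the top of the
// shared include file.
function redirect_to_https_if_needed(): void
{
    $url = https_redirect_url($_SERVER);
    if ($url !== null) {
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: ' . $url);
        exit();
    }
}

// The script named in the form's action should refuse to look at credentials
// unless the request itself came over TLS, so a form that was posted to the
// http:// URL by mistake is never processed.
function accept_login_post(array $server, array $post): string
{
    if (!is_https($server)) {
        return 'refused: login must be submitted over HTTPS';
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'refused: login must be a POST';
    }
    if (empty($post['username']) || empty($post['password'])) {
        return 'refused: username and password are required';
    }
    // Checking the password against the user store is out of scope here; at
    // this point the request is known to have arrived over TLS.
    return 'accepted';
}

// Constructed sample requests so the file can be run from the command line.
if (PHP_SAPI === 'cli') {
    $plain = ['HTTP_HOST' => 'www.MySite.com', 'REQUEST_URI' => '/index.php'];
    $tls   = $plain + ['HTTPS' => 'on', 'REQUEST_METHOD' => 'POST'];
    $bad   = ['HTTP_HOST' => 'not a hostname', 'REQUEST_URI' => '/'];
    $creds = ['username' => 'debbie', 'password' => 'example-only'];

    var_dump(https_redirect_url($plain));           // redirect to the https URL
    var_dump(https_redirect_url($tls));             // already on HTTPS, no redirect
    var_dump(https_redirect_url($bad));             // falls back to the canonical host
    var_dump(accept_login_post($plain, $creds));    // refused: plain HTTP
    var_dump(accept_login_post($tls, $creds));      // accepted
}
```

The redirect and the POST check are deliberately separate functions: the first keeps browsers off the http:// pages, the second guarantees that even a request that bypasses the redirect (a cached page, a hand-built request) cannot hand credentials to the login script over plain HTTP.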

You mean you want to have a login form on your http home page for convenience? I don’t think there’s any workaround other than replacing the form with a login link pointing to the https login page. Yes, posting from http to https should be secure but it does not look secure for people who don’t see the desired ‘padlock’ in their browser. Most sites I know use a separate https page for logging in because that makes the security obvious.

You could use some javascript tricks, for example redirect the page to the https version when a user focuses on the login form, but that’s a sort of hack and wouldn’t necessarily build your users’ trust.

As a last resort you could do both: provide both the login form and a https ‘secure login page’ link, which could be used by those who were uncertain of the security.

Not sure if I follow you, but I do NOT want the entire website running as HTTPS.

Debbie

Right.

But, you know, after looking at a few big websites (e.g. Amazon, NewEgg), I notice they just have a Sign In link and not a sub-form like I was talking about where you enter Username and Password.

So maybe I don’t need (or want) that after all?! :-/

What does everyone else think?

I don’t think there’s any workaround other than replacing the form with a login link pointing to the https login page. Yes, posting from http to https should be secure but it does not look secure for people who don’t see the desired ‘padlock’ in their browser. Most sites I know use a separate https page for logging in because that makes the security obvious.

You could use some javascript tricks, for example redirect the page to the https version when a user focuses on the login form, but that’s a sort of hack and wouldn’t necessarily build your users’ trust.

Yeah, that isn’t a good solution.

As a last resort you could do both: provide both the login form and a https ‘secure login page’ link, which could be used by those who were uncertain of the security.

Interesting idea.

Debbie