[Pmwiki-users] Easily Hackable?

Patrick R. Michaud pmichaud
Mon Apr 12 10:45:26 CDT 2004


On Mon, Apr 12, 2004 at 12:20:06AM -0700, H. Fox wrote:
> 
> H. Fox wrote:
> >Not necessarily.  If PmWiki doesn't have a "force into SSL mode" feature 
> >now, I'm sure it could be added in the future.  ;)
> 
> I'm having success forcing PmWiki into SSL mode using the following:
> 
> ##  Force into SSL mode.
> $ScriptUrl = ereg_replace('http:','https:', $ScriptUrl);
> $PubDirUrl = ereg_replace('http:','https:', $PubDirUrl);
> if ($_SERVER['SERVER_PORT'] != 443) header('location:'.$ScriptUrl);

Slightly better might be:

    # Force to SSL mode
    $ScriptUrl = str_replace('http:','https:',$ScriptUrl);
    $PubDirUrl = str_replace('http:','https:',$PubDirUrl);
    if (!@$_SERVER['HTTPS']) { header("Location: $ScriptUrl"); exit(); }

Note that this is highly server dependent--for example, on my webhosting
provider, the SSL version of http://www.pmichaud.com/wiki/PmWiki/PmWiki
is https://secure27.vosn.net/~pmichaud/wiki/PmWiki/PmWiki  -- i.e., just
changing 'http:' to 'https:' in URLs on my web hosting service isn't
sufficient.  For this reason I usually just set $ScriptUrl and
$PubDirUrl explicitly rather than using str_replace or ereg_replace:

   $ScriptUrl = 'https://secure27.vosn.net/~pmichaud/wiki';

Note also that serving content through SSL can significantly increase
server loads.  It's often a good idea to use SSL judiciously--to only
use SSL on those pages that really need to be protected in transit.
This is also why commercial sites such as Amazon don't use SSL for
the entire session, but only for those portions where sensitive
personal information such as credit card numbers or addresses is
being transmitted over the wires.

Pm
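
The approach described in the message above (explicit SSL URLs plus a redirect), as an added example that is not part of the original post or of PmWiki itself. The function names `RequestIsSSL` and `SecureRedirectUrl` are hypothetical, the `secure.example.com` URLs are placeholders for the host's real SSL address, and it assumes pages are addressed through PATH_INFO or the query string as in the URLs quoted above. It goes slightly beyond the snippets in the thread by treating `HTTPS=off` as non-SSL and by redirecting to the page that was requested rather than to the wiki root.

```php
<?php
# Added example for local/config.php; not PmWiki's own code.

# True when the current request arrived over SSL. Some servers set
# HTTPS to "off" for plain HTTP, so a bare truthiness test would
# treat those requests as already secure and skip the redirect.
function RequestIsSSL($server) {
  $https = isset($server['HTTPS']) ? strtolower($server['HTTPS']) : '';
  return $https !== '' && $https !== 'off';
}

# Build the SSL URL for the page being requested, keeping PATH_INFO and
# the query string so the visitor lands on the same page afterwards.
function SecureRedirectUrl($secureBase, $server) {
  $path  = isset($server['PATH_INFO']) ? $server['PATH_INFO'] : '';
  $query = isset($server['QUERY_STRING']) ? $server['QUERY_STRING'] : '';

  # PATH_INFO is already URL-decoded: re-encode each segment so spaces,
  # CR/LF and other special bytes cannot corrupt the Location header.
  $segments = array_map('rawurlencode', explode('/', $path));
  $url = rtrim($secureBase, '/') . implode('/', $segments);

  # QUERY_STRING is still encoded; strip stray CR/LF defensively.
  $query = str_replace(array("\r", "\n"), '', $query);
  if ($query !== '') $url .= '?' . $query;
  return $url;
}

# Set the SSL URLs explicitly (placeholder host and paths).
$ScriptUrl = 'https://secure.example.com/~user/wiki';
$PubDirUrl = 'https://secure.example.com/~user/wiki/pub';

# Redirect plain-HTTP requests; skipped when run from the command line.
if (PHP_SAPI !== 'cli' && !RequestIsSSL($_SERVER)) {
  header('Location: ' . SecureRedirectUrl($ScriptUrl, $_SERVER));
  exit();
}
```

The redirect only protects requests made after it; anything the browser sent in the first plain-HTTP request, such as a cookie or a submitted form, has already crossed the network unencrypted.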


