Is my form secure?

Question

I have a 4 step form process.

1. form.php
2. validation.php
3. review.php
4. complete.php

Form.php posts to validate.php which depending on the validation redirects either back to form.php or to review.php. The final step is complete.php

Each page is called with HTTPS except validate.php which is where the SESSION variables are created and then redirects back to form.php or review.php calling https.

The lock on the browser never disappears but I was told if you post to a relative path (not calling https explicitly) the form is not secure.

Is this true? Am I secure? Is there a way to check and or prove that the form process is secured or not?

Someone is telling me it is secure but I just want to be sure so I am not liable.

I am using a relative path on the form post because the SESSION variables aren't created when the page is called explicitly with HTTPS. If anyone has a potential solution for that that would be great as well.

Answer 1

It is OK to use relative paths. To be sure you can use network packet viewer application to see if the contents are encrypted. However one thing concerns me about your code, do you store validated data in session variables? If so, are you sure no one can access session values other than root user and php. I would recommend storing validated values within database just in case, you can always remove outdated records using a crontab.

Answer 2

If you have data posting to or are sending back information to the browser that is being used to complete the transaction from validate.php and are not using HTTPS for the data, then you have a potential hole in your application. If validate.php is called with a relative path, from a page loaded via HTTPS, then it will be using HTTPS by default -- relative paths inherit the protocol, hostname, and port if they aren't explicitly specified.

None of this means that your page, however, is secure. It means that the data that is being sent is being encrypted. You could still have several issues (weak passwords, SQL injection, cross-site scripting, etc.) that you need to deal with even when using HTTPS to transfer data. If you are using HTTPS, at least, your data transfers will be much more difficult to intercept or spoof.

Answer 3

The lock on the browser never disappears but I was told if you post to a relative path (not calling https explicitly) the form is not secure.

That is rubbish. A relative URI is a relative URI and doesn't cause a change in protocol.

If the page was requested via HTTPS and the URI is relative, then the next request will also use HTTPS.

I am using a relative path on the form post because the SESSION variables arent created when the page is called explicitly with HTTPS

You must be misdiagnosing the problem. Browsers resolve relative URIs into absolute URIs internally. There is no difference in the data sent.

Answer 4

Even though are not explicitly posting to, for example, https://your-server.com/validate.php, the fact you are using a relative link (e.g. action="validate.php") means it is still using HTTPS every step of the way.

Short answer - the protocol doesn't change on relative links. So if form.php is not HTTPS, the form variables will not be submitted securely with a relative link.