If I could elaborate on colin's explanation....
Mainly so that there is a fairly recent one of these in the archives
(not that anybody searches them :-)

Like miguel said encryption in an HTTP request/response pair is determined 
by your browser.

if the browser is making a request, and it sees an https:// at the beginning 
of the request URL, it will :
1.  get the domain's public key from a public key server
2.  encrypt the whole request with the domain's public key
3.  submit it to the web server.

If the web server sees that this is an encrypted request, it will :
1.  decrypt the request with it's private key
2.  process it and generate a response (usually in the form of html)
3.  encrypt the response with it's private key
4.  send it back to the browser

When the browser gets the response, it:
1.  decrypts it with the public key
2.  displays the html to the client user
3.  ***shows a lock icon at the bottom of the browser

Now, one of the things that many people are confused about is that they 
think there must be a lock icon at the bottom of the browser when they are 
entering sensitive info (like credit card numbers).  Nope.  The only 
important thing is that the form which takes the sensitive data SUBMITS to 
an https:// URL.  Because (as above) it will encrypt the request (which 
includes the sensitive data) BEFORE it submits it over the internet.  But 
most people don't know how to check that a form submits to an to an https:// 
URL.  So, the standard practice is to have the page containing the form 
which takes the sensitive data ALSO be an https:// URL, so that the lock 
icon is already there when the client user is entering that oh-so-prized 
sensitive data, even though there's nothing really to protect in that HTTP 
request/response pair.

PHP is, in a way, completely separate from the HTTP/HTTPS layer.  When PHP 
is started up by the web server, regardless of the encryption (or lack 
thereof) of the original request, PHP gets the non-encrypted (or already 
decrypted) request.  When it sends its response output to the webserver to 
be sent to the client, it sends that output unencrypted.  It's completely up 
to the web server to either encrypt the response, then send it out, or to 
just send it with no modification.

I hope that helps your understanding of what's going on with all this 
HTTP/HTTPS stuff.  I also hope that i've been clear about it.  It's kind of 
easy to get lost in terms.


MSN Photos is the easiest way to share and print your photos: 

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to