setting up a site with an SSL certificate

         

surrealillusions

2:19 pm on Apr 28, 2011 (gmt 0)

10+ Year Member



Hi all,

Would like some general information.

The Apache server that a site is hosted on will have an SSL certificate installed.

So, is there anything I need to do to ensure that all visitors get to the https version rather than just the http version, if there are 2 such versions?

Would having that https be automagically set in place when the SSL is set up?

Would it be a case of just uploading the files via FTP and away you go, go to www.example.com and it redirects straight to the https?

Is there anything from a coding point of view I'd need to do?

Thanks.

rocknbil

5:59 pm on Apr 28, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There is/should be an option in your hosting setup for SSL, something to the effect of "house all SSL content in a single directory" - a checkbox. Don't do this - if you do, it will mean you'll now have two copies of common features, like graphics. Apply the cert to the entire domain.

Now, like you say, it's true - you **can** automagically switch between SSL and non SSL, but be **very certain** when setting up the cert which you want - www or non www. The cert is bound to an **exact** domain name. Generally, to have a cert for both www and non www, this requires two certs (although, in some conditions, I've seen it work, it's not generally the case.)

What's the impact? If your cert is bound to non-www, when users browse to [example.com...] they get the security warning.

There are ways to avoid that eventuality, just be aware of which you want for SSL and set up your rewrites to ensure any requests for the wrong one go to the right one.

The second thing is to use SSL only where it's needed. It is generally slower, so don't use it over the entire site, just where needed. Where you do that you will have to use **full** URLs to the secure areas:

<a href="http://www.example.com">Home</a>
<a href="https://www.example.com/login">Secure Login</a>

... and you will also need to use full URLs to get back to the non secure areas, just like above.

This one, I think, is the one that will save you the absolute most time in eliminating security warnings and figuring out the overall puzzle - it's also slightly contradictory to the previous. :-) Get in the habit of referencing all images and files with a leading slash:

src="/images/image.jpg"
href="/policies.html"

The leading slash means "start at domain root" - and that domain root may be https sometimes, non https others. You won't have to change it for the two.

Like I said, you will have to make exceptions to this to get to and from HTTPS with full URLs. The way I normally do this is I have a "secure template" with full URLs to and from https, and a "non secure template." For the two, it would look something like this:

Secure:

<a href="http://www.example.com">Home</a>
<a href="http://www.example.com/about.html">About</a>
<a href="/login">Secure Login</a>

Non-secure:

<a href="/">Home</a>
<a href="/about.html">About</a>
<a href="https://www.example.com/login">Secure Login</a>

For all "non-secure" pages, that's really all you need for your navigation.

For coding, anything that **needs** to be over https, you'd put (something like) this at the top of the scripts:

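// Redirect to HTTPS when the request did not arrive over SSL.
// $this_script must be set to this script's path before this check.
if (! isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on') {
    header("Location: https://example.com/$this_script");
    exit; // stop here so the page body is not also sent over plain HTTP
}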

phranque

3:53 am on Apr 29, 2011 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



your redirects need to work for both cases:
- non-secure pages requested with secure protocol and/or secure hostname.
- secure pages requested with non-secure protocol and/or non-secure hostname.

also the redirect response must include a 301 HTTP status code in this case.

if you aren't using PHP to generate your content (and maybe even if you are) you should consider using the mod_rewrite apache module and its RewriteRule directive.
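
The two redirect cases listed in the post above, written out with mod_rewrite as an added example that is not part of the original thread. It assumes www.example.com is the canonical hostname the certificate covers and that /login and /account are the only secure paths; both are placeholders to adapt.

```apache
# Added example. Assumptions: canonical host www.example.com,
# secure paths /login and /account (hypothetical). Works in a
# <VirtualHost> block or in .htaccess (hence the optional leading slash).
RewriteEngine On

# Case 1: secure pages requested with the non-secure protocol and/or the
# wrong hostname -> 301 to the canonical HTTPS URL.
# Note: for an HTTPS request to a hostname the certificate does not cover,
# the browser warning appears during the TLS handshake, before this
# redirect is ever sent. The redirect only helps clients that proceed.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^/?(login|account)(/.*)?$ https://www.example.com/$1$2 [R=301,L]

# Case 2a: non-secure pages requested with the secure protocol -> 301 to
# the canonical HTTP URL. Shared assets (images, CSS, JS) are excluded so
# that secure pages referencing them with a leading slash can still load
# them over HTTPS without mixed-content warnings.
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(login|account)(/|$)
RewriteCond %{REQUEST_URI} !\.(css|js|png|jpe?g|gif|ico)$ [NC]
RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]

# Case 2b: non-secure pages requested over HTTP on the wrong hostname
# -> 301 to the canonical HTTP hostname. Secure paths never reach this
# rule because Case 1 already redirected them.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]
```

Query strings are carried over to the target URL automatically because none of the substitutions contains a `?`.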

ciol

1:14 pm on Apr 29, 2011 (gmt 0)

10+ Year Member


You can convert HTTP into HTTPS, but the problem is search engines cannot crawl a secured page or site which keeps your website away from search advantage.

incrediBILL

1:59 pm on Apr 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> the problem is search engines cannot crawl a secured page or site which keeps your website away from search advantage.


All SE's can crawl SSL secured pages unless they are also password protected.

By default, HTTPS/SSL is wide open for crawling, but SSL is slow, brings machine resources down, so I always redirect crawlers from HTTPS to HTTP.

surrealillusions

9:04 pm on Apr 29, 2011 (gmt 0)

10+ Year Member



Thanks for the information. I think I have it all worked out now.

:)