If I could elaborate on Colin's explanation.... Mainly so that there is a fairly recent one of these in the archives (not that anybody searches them :-)
Like Miguel said, encryption in an HTTP request/response pair is determined by your browser. If the browser is making a request, and it sees an https:// at the beginning of the request URL, it will:

1. get the domain's public key from a public key server
2. encrypt the whole request with the domain's public key
3. submit it to the web server.

If the web server sees that this is an encrypted request, it will:

1. decrypt the request with its private key
2. process it and generate a response (usually in the form of html)
3. encrypt the response with its private key
4. send it back to the browser

When the browser gets the response, it:

1. decrypts it with the public key
2. displays the html to the client user
3. ***shows a lock icon at the bottom of the browser

Now, one of the things that many people are confused about is that they think there must be a lock icon at the bottom of the browser when they are entering sensitive info (like credit card numbers). Nope. The only important thing is that the form which takes the sensitive data SUBMITS to an https:// URL. Because (as above) it will encrypt the request (which includes the sensitive data) BEFORE it submits it over the internet.

But most people don't know how to check that a form submits to an https:// URL. So, the standard practice is to have the page containing the form which takes the sensitive data ALSO be an https:// URL, so that the lock icon is already there when the client user is entering that oh-so-prized sensitive data, even though there's nothing really to protect in that HTTP request/response pair.

PHP is, in a way, completely separate from the HTTP/HTTPS layer. When PHP is started up by the web server, regardless of the encryption (or lack thereof) of the original request, PHP gets the non-encrypted (or already decrypted) request. When it sends its response output to the webserver to be sent to the client, it sends that output unencrypted. It's completely up to the web server to either encrypt the response, then send it out, or to just send it with no modification.

I hope that helps your understanding of what's going on with all this HTTP/HTTPS stuff. I also hope that I've been clear about it. It's kind of easy to get lost in terms.

Jerome