Redirect to ssl in codeigniter
#1

Hope CI 4 will have better support for redirecting to an SSL URL
Reply
#2

Here is a CodeIgniter library that has force_ssl() and remove_ssl() and is_https()

https://github.com/ProjectOrangeBox/ssl/...es/Ssl.php

Maybe that will help?
Reply
#3

(03-13-2016, 10:14 PM)Toh Le Wrote: Hope CI 4 will have better support for redirecting to an SSL URL

Yes, it does have that capability built in. :)

(03-14-2016, 04:02 PM)dmyers Wrote: Here is a CodeIgniter library that has force_ssl() and remove_ssl() and is_https()

https://github.com/ProjectOrangeBox/ssl/...es/Ssl.php

Maybe that will help?

That library looks pretty good, though I'm not convinced the is_https is thorough enough. From past projects I've been involved with that solution isn't thorough enough. The rest looks pretty decent, though. I'd replace the is_https method with something more like this one.
Reply
#4

I'll make the change to update it to yours with credit.

DMyers
Reply
#5

(03-15-2016, 09:55 AM)dmyers Wrote: I'll make the change to update it to yours with credit.

DMyers

I can't take all of the credit for that. Back when I worked with Electric Function on their OpenGateway and Hero Framework projects, we encountered numerous times where we had to debug the SSL for various situations, tweak the order the checks appeared in, etc. That method was what we ended up with. Hopefully, it will still prove to be as robust as it was a few years ago, since I haven't looked it over too closely lately. :)
Reply
#6

(03-14-2016, 07:22 PM)kilishan Wrote: ... I'd replace the is_https method with something more like this one.

Here too a user could trick your code into "thinking" that it is in a different state than it actually is in.

In general, don't ever rely on any $_SERVER variable prefixed with 'HTTP_'.
Reply
#7

(03-15-2016, 10:23 AM)Narf Wrote: Here too a user could trick your code into "thinking" that it is in a different state than it actually is in.

In general, don't ever rely on any $_SERVER variable prefixed with 'HTTP_'.

Fair enough. How would you do this test, then?
Reply
#8

Just the $_SERVER['HTTPS'] value.

If an application is behind a reverse proxy or for some other reason it is known that e.g. HTTP_X_FORWARDED_PROTO is safe to use, a developer could always do something like this in index.php:

Code:
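// Only when the proxy is known to make this header safe to use; isset() avoids a notice when it is absent.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
{
    $_SERVER['HTTPS'] = 'on';
}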
Reply
#9

Taking a closer look at the CI4 code, we should definitely remove the port from the check. I must not have been paying attention when I ported that function over.

Looking at the CI3 version, it makes me wonder if it's possible to have a secure connection behind a proxy, but the proxy has a bad certificate? I'm just trying to figure out why we ended up with things in the order we did for the CI4 version, but it's been about 4 years, and my working with proxies is pretty limited.
Reply
#10

Well, not that I have much experience working behind reverse proxies, but typically the proxy's own connection to you would be over a bare http connection as it is usually either on the same machine or on your trusted local network.
With these headers, it is telling you that the client-to-proxy connection was over https and nothing else.
Reply
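
The check discussed in posts #8 and #10, written out as a stand-alone function. This is an added example, not code from CodeIgniter or from any poster in the thread: it uses `$_SERVER['HTTPS']` first and considers `HTTP_X_FORWARDED_PROTO` only when the direct peer is a known reverse proxy. The function name `request_is_https()`, the `TRUSTED_PROXIES` setting and all addresses are assumptions made for illustration.

```php
<?php
// Hypothetical setting: addresses of reverse proxies that are known to
// overwrite X-Forwarded-Proto on every request (constructed values).
const TRUSTED_PROXIES = ['127.0.0.1', '::1', '10.0.0.5'];

/**
 * Decide whether the client's connection was HTTPS.
 * $server is normally $_SERVER; it is a parameter so sample data can be used.
 */
function request_is_https(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    // 1. HTTPS is set by the web server itself, not copied from a request header.
    //    ISAPI on IIS reports 'off' for plain HTTP, so a non-empty check is not enough.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // 2. Every HTTP_* entry comes from a client-supplied header. Look at one
    //    only when the direct peer (REMOTE_ADDR, from the TCP connection) is
    //    one of our own proxies.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // 3. The header then describes the client-to-proxy hop and nothing else.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

// Constructed sample requests.
$samples = [
    'direct TLS'               => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7'],
    'IIS plain HTTP'           => ['HTTPS' => 'off', 'REMOTE_ADDR' => '203.0.113.7'],
    'spoofed header, no proxy' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via trusted proxy, TLS'   => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via trusted proxy, plain' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http'],
];

foreach ($samples as $label => $server) {
    printf("%-26s => %s\n", $label, request_is_https($server) ? 'https' : 'http');
}
```

The check is only as good as the proxy configuration: the proxy has to set or replace the header on every request, and the application must not be reachable by a path that bypasses the proxy.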



