CodeIgniter Forums

Full Version: Best method for constructing HTTPS urls and requiring HTTPS requests?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Some pages on my CI3 site (login, register, user cp, etc.) obviously need to be accessed via HTTPS. I did some searching and, if I'm not mistaken, a decision was made not to support https in base_url.

Can anyone tell me best practices for:
1) constructing site urls for links, form posting, redirects, etc. that require HTTPS
2) Configuring controllers and/or controller methods such that all requests must be via HTTPS?

Any help would be much appreciated.
It looks like the issue there is simply that if you hard-code your base_url in your config file, you won't be able to generate links to your own site with a different protocol. The best practice would be that, if you need HTTPS and you need to hard-code the base_url, use https in your base_url. Beyond that, you should configure your server to use HTTPS as needed, rather than trying to do something in CodeIgniter to handle HTTPS.

I haven't run into any issues which have not been fixed with using HTTPS when the base_url configuration is empty, though I have some minor issues with edge-cases switching between HTTP and HTTPS which are unrelated to CodeIgniter itself (and recently I've been considering just forcing HTTPS for the whole site).
Assuming one leaves base_url blank in the config file, what is best practice for constructing an HTTPS url from an HTTP one and vice-versa? I'm guessing it has something to do with sire_url.

Also, correct me if I'm wrong, but it's my understanding that if base_url is left blank that there is no specification of the domain in the configuration.

mwhitney Wrote:Beyond that, you should configure your server to use HTTPS as needed, rather than trying to do something in CodeIgniter to handle HTTPS.
This suggestion seems a bit odd as CodeIgniter is the single app most likely to know which pages should be securely hosted and which should not. Seems odd to try and mess around with mod_rewrite or apache config or something...

mwhitney Wrote:I haven't run into any issues which have not been fixed with using HTTPS when the base_url configuration is empty, though I have some minor issues with edge-cases switching between HTTP and HTTPS which are unrelated to CodeIgniter itself (and recently I've been considering just forcing HTTPS for the whole site).
Could you elaborate? Just curious about what kind of tradeoffs I'm getting into.
(01-15-2015, 02:13 PM)sneakyimp Wrote: [ -> ]Assuming one leaves base_url blank in the config file, what is best practice for constructing an HTTPS url from an HTTP one and vice-versa? I'm guessing it has something to do with sire_url.

Also, correct me if I'm wrong, but it's my understanding that if base_url is left blank that there is no specification of the domain in the configuration.

I use site_url() for the majority of the links within my site, including generating the URLs for assets (CSS/JS/images/etc.), and the URLs in all links using site_url() will match the current protocol if base_url is blank. This does cause problems if you are linking to pages which require HTTPS from an HTTP page (generally, unless your site can't support HTTPS on all pages, it won't cause many issues on HTTPS pages). However, if your server is configured to force HTTPS for those pages, the issues turn out to be the edge cases I mentioned, which I'll elaborate below; otherwise, I have no problems with this setup.

I believe you're correct in stating that no domain would be included in the configuration, and I haven't really experimented a great deal with other settings for base_url to really know what would and would not work as valid settings. Ideally, if you need to set the value for some reason, you should be able to use a protocol-relative value, but I don't know how well that's supported.

(01-15-2015, 02:13 PM)sneakyimp Wrote: [ -> ]
mwhitney Wrote:Beyond that, you should configure your server to use HTTPS as needed, rather than trying to do something in CodeIgniter to handle HTTPS.
This suggestion seems a bit odd as CodeIgniter is the single app most likely to know which pages should be securely hosted and which should not. Seems odd to try and mess around with mod_rewrite or apache config or something...
Generally, if the user has requested a page via HTTP which should only be served over HTTPS, CI's only real recourse is to redirect the user, which is fine in some situations, but is a waste of resources if you could have configured your server to handle it. Of course, if you do need CI to handle it, it might be best to setup something in your routing to handle it as early as possible (I have no specific solutions here, just putting down some thoughts).

In my case, the rules for requiring HTTPS are fairly simple, as it can be determined by the first segment of the URL matching one of about a half dozen values. This covers login, registration, profile management, site administration, and some front-facing pages with special requirements (and these becoming more common is another part of what drives me towards potentially making the whole site HTTPS-only).

(01-15-2015, 02:13 PM)sneakyimp Wrote: [ -> ]
mwhitney Wrote:I haven't run into any issues which have not been fixed with using HTTPS when the base_url configuration is empty, though I have some minor issues with edge-cases switching between HTTP and HTTPS which are unrelated to CodeIgniter itself (and recently I've been considering just forcing HTTPS for the whole site).
Could you elaborate? Just curious about what kind of tradeoffs I'm getting into.

Essentially, once a user is logged in and browsing your site using HTTPS, you usually want them to keep using HTTPS until they log out, even if the page they're viewing doesn't require HTTPS. However, if you do something like save a URL in the session with an HTTP protocol (especially a URL which the server is not configured to force to HTTPS) and send the user to that saved URL at some point in the future, they won't be viewing the site using HTTPS any more. This seems simple enough, but it's not always easy to track down or to fix.

Additionally, if you use CI 2.2 instead of 3, you may want to port over the is_https() function from CI3's system/core/Common.php. The Config class and Security class in CI3 both use this function in place of checks against $_SERVER['HTTPS']. The Config class' constructor's checks are specifically related to this issue and gave me some real headaches (which is why I said "I haven't run into any issues which have not been fixed..."), but the basic issues have been fixed in 2.2 (though perhaps not to the extent they have in 3).