CodeIgniter Forums

Full Version: Possible bug in form_open and https
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]Nairobi[/eluser]
Hi all,

Posting here after searching around for a solution - none found, so figured it's easier to put the question to the masses. Using CodeIgniter 2.0 (tip, not reactor 2.0.0)

I have two subdomains (www. and test.), and both are in discreet and separated html folders on the server, and are virtually the same codebase - test is used to fix and test things before migrating the fixes to www. Also, www. is the SSL host in Apache.

I'm having a problem shifting between Http: and Https: on some URLs, and I'm not sure where things are messing up.

The problem is that I'm testing various methods to shift some controllers to https (login, member account info, etc) and some to http. There seems to be a conflict in the system where I'm observing and replicating the following behavior.

- www. subdomain config uses http://www.domain.com as the base url
- test. subdomain config uses test.domain.com as the base url

If I keep everything http:// then there are no problems, but when I use https, there are problems as follows:
- form_open(), regardless of which domain, echoes http://www.domain.com/ (ie, https in test.domain.com has forms that point to http://www.domain.com). This presents 2 issues
-- is there no way to toggle forms to use https:// (???)
-- test.domain.com should not be replaced by http://www.domain.com, but that is happening
- redirection attempts using .htaccess or force_ssl helpers let me go from http->https, but I can't seem to get the redirection going the other way (minor, actually, as I can keep the whole site https)

I have tried a variety of approaches, including setting https://test.domain.com as the base_url in config.php, however, there is no change in behavior or form_open output.

The combination prevents me from logging in (https->http, CSRF mismatch, etc) and from using the form_open()... Although I could probably manually set each form handler on the site (violates DRY and messes up future change simplicty for migration), is this a normal CI 2.0 experience, or is this fixed in a newer version?

Am I missing something here???

El Forum

[eluser]InsiteFX[/eluser]
Read this Article!

InsiteFX

El Forum

[eluser]Nairobi[/eluser]
Hi InsiteFX,

Actually, I did. I tried the .htaccess rewrites, and it works for some reason going to https but not the other way around. I tried alternative syntax on the .htaccess portions, again, with no success. The force_ssl helper function didn't work it either. Will give it another go, just because I want to get this resolved. Are those solutions for 1.7.x and does that work seamlessly for 2.0+

The block to logging in, I think, is that form_open pushes out http://www.domain.com/auth/login and not https://www.domain.com. This isn't addressed at all by the link, however.

That said, it also doesn't address why, when I am in test.domain.com, is it pointing to the http://www.domain.com config file, and not the values in the test.domain.com config file, which is a completely separate application in a discreet webspace? I'm guessing that may be in part PHP & SSL with global values, but the link you posted doesn't address that issue either.

Will give it a try just now...

El Forum

[eluser]InsiteFX[/eluser]
Did you try this?
Code:
$this->config->set_item('base_url', 'https//your_path');

You would need to toggle it back.

InsiteFX

El Forum

[eluser]Nairobi[/eluser]
Thanks InsiteFX,

I did indeed try that, and have reverted it. My config has both of these set.
Code:
$config['base_url'] = 'http://test.domain.com/';
$config['secure_base_url'] = 'https://test.domain.com/';

Even if I try using something like the line below, the form is echoed using http://www.domain.com
Code:
echo form_open($this->config->item('secure_base_url') . 'auth/login', $data);

I'm half torn - part of my intuition says it's an Apache issue (and there may be a contribution there), but part of me says that CI should be able to stay with the config parameters and not be over-ridden by any system variables when a well-formed config file exists.

I've grepped the test.domain.com folder for instances of 'www.domain.com' and it's only in php doc notations or other places where it's hard coded (not the links I'm testing on), so for some reason, it appears that the test subdomain CI instance is getting "polluted" when using https.

Any ideas on places to look???

El Forum

[eluser]InsiteFX[/eluser]
If you look in system/core/config.php library, all of this is being set in the constructor.

InsiteFX