CodeIgniter Forums
Redirect to ssl in codeigniter - Printable Version



Redirect to ssl in codeigniter - Toh Le - 03-13-2016

Hope CI 4 will have better support for redirecting to an SSL URL


RE: Redirect to ssl in codeigniter - dmyers - 03-14-2016

Here is a CodeIgniter library that has force_ssl() and remove_ssl() and is_https()

https://github.com/ProjectOrangeBox/ssl/blob/master/libraries/Ssl.php

Maybe that will help?


RE: Redirect to ssl in codeigniter - kilishan - 03-14-2016

(03-13-2016, 10:14 PM)Toh Le Wrote: Hope CI 4 will have better support for redirecting to an SSL URL

Yes, it does have that capability built in.

(03-14-2016, 04:02 PM)dmyers Wrote: Here is a CodeIgniter library that has force_ssl() and remove_ssl() and is_https()

https://github.com/ProjectOrangeBox/ssl/blob/master/libraries/Ssl.php

Maybe that will help?

That library looks pretty good, though I'm not convinced the is_https is thorough enough. From past projects I've been involved with that solution isn't thorough enough. The rest looks pretty decent, though. I'd replace the is_https method with something more like this one.


RE: Redirect to ssl in codeigniter - dmyers - 03-15-2016

I'll make the change to update it to yours with credit.

DMyers


RE: Redirect to ssl in codeigniter - kilishan - 03-15-2016

(03-15-2016, 09:55 AM)dmyers Wrote: I'll make the change to update it to yours with credit.

DMyers

I can't take all of the credit for that. Back when I worked with Electric Function on their OpenGateway and Hero Framework projects, we encountered numerous times where we had to debug the SSL for various situations, tweak the order the checks appeared in, etc. That method was what we ended up with. Hopefully, it will still prove to be as robust as it was a few years ago, since I haven't looked it over too closely lately.


RE: Redirect to ssl in codeigniter - Narf - 03-15-2016

(03-14-2016, 07:22 PM)kilishan Wrote: ... I'd replace the is_https method with something more like this one.

Here too a user could trick your code into "thinking" that it is in a different state than it actually is in.

In general, don't ever rely on any $_SERVER variable prefixed with 'HTTP_'.


RE: Redirect to ssl in codeigniter - kilishan - 03-15-2016

(03-15-2016, 10:23 AM)Narf Wrote: Here too a user could trick your code into "thinking" that it is in a different state than it actually is in.

In general, don't ever rely on any $_SERVER variable prefixed with 'HTTP_'.

Fair enough. How would you do this test, then?


RE: Redirect to ssl in codeigniter - Narf - 03-15-2016

Just the $_SERVER['HTTPS'] value.

If an application is behind a reverse proxy or for some other reason it is known that e.g. HTTP_X_FORWARDED_PROTO is safe to use, a developer could always do something like this in index.php:

Code:
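// Only for deployments where HTTP_X_FORWARDED_PROTO is known to be safe to use
// (e.g. the application sits behind a reverse proxy).
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
{
    $_SERVER['HTTPS'] = 'on';
}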



RE: Redirect to ssl in codeigniter - kilishan - 03-15-2016

Taking a closer look at the CI4 code, we should definitely remove the port from the check. I must not have been paying attention when I ported that function over.

Looking at the CI3 version, it makes me wonder if it's possible to have a secure connection behind a proxy, but the proxy has a bad certificate? I'm just trying to figure out why we ended up with things in the order we did for the CI4 version, but it's been way about 4 years, and my experience working with proxies is pretty limited.


RE: Redirect to ssl in codeigniter - Narf - 03-15-2016

Well, not that I have much experience working behind reverse proxies, but typically the proxy's own connection to you would be over a bare http connection as it is usually either on the same machine or on your trusted local network.
With these headers, it is telling you that the client-to-proxy connection was over https and nothing else.
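
Added example (not part of the thread, and not code from CodeIgniter or the linked Ssl library): an HTTPS check along the lines discussed above, where `$_SERVER['HTTPS']` is authoritative and `HTTP_X_FORWARDED_PROTO` is honoured only when the connecting peer is a known reverse proxy. The function signature, the `TRUSTED_PROXIES` list and the sample `$_SERVER` arrays are constructed for illustration.

```php
<?php
// Hypothetical allow-list of reverse proxy addresses (constructed values).
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

/**
 * Decide whether the client reached the site over HTTPS.
 * $server is passed in (instead of reading $_SERVER) so it can be exercised
 * with sample data.
 */
function is_https(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    // Set by the web server itself for a direct TLS connection.
    // Some servers report 'off' for plain HTTP, so treat that as not secure.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Every HTTP_* entry is a request header and can be sent by any client.
    // Only consider it when the TCP peer is one of our own proxies.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // The proxy reports the scheme of the client-to-proxy connection.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    return strtolower(trim($proto)) === 'https';
}

// Constructed sample environments, not captured from a real server.
$cases = [
    'direct TLS connection' =>
        ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7'],
    'direct HTTP, header sent by client' =>
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'trusted proxy, client used https' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'trusted proxy, client used http' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'server reports HTTPS=off' =>
        ['HTTPS' => 'off', 'REMOTE_ADDR' => '203.0.113.7'],
];

foreach ($cases as $label => $server) {
    printf("%-36s %s\n", $label, is_https($server) ? 'https' : 'http');
}
```

The proxy check only holds if the reverse proxy overwrites any X-Forwarded-Proto header supplied by the client instead of passing it through.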