CodeIgniter Forums
forceHTTPS and session() - Printable Version




forceHTTPS and session() - anthos1984 - 03-26-2020

I'm not sure where to talk about this.



But '$this->forceHTTPS' must be called before '$session = session();' or else your session variable might be lost. This warning should be put into the user guide.



I spent a lot of time finding out why my flash message was missing.



I have a login page and user administration. It calls a secure page, while the other pages are not encrypted, to lighten the processor load.



So in config\App, the base URL is using 'http', not 'https'. Also, 'forceGlobalSecureRequest' is not enabled. That makes the website use non-secure pages (http). When I want to send important data, I call 'forceHTTPS', and in the form action I use 'site_url('target_path','https')'.

On my login and user administration pages, which use the same controller, the user messages are passed as flash messages, and they are passed successfully.


However, on the other secure pages, which also call forceHTTPS, the user flash messages are gone.



It turns out that the login class is extended from the system Controller and calls $this->forceHTTPS before calling $session = session(). The flash message is passed as intended.



On the other pages, it is using a controller class which is extended from BaseController and calls '$this->session = \Config\Services::session();' in the parent 'initController' function. However, some controller functions call $this->forceHTTPS and the flash messages are gone. This means 'forceHTTPS' is called after $this->session = \Config\Services::session(), because the session is called from the parent controller function.



After I changed the order, with forceHTTPS before $this->session = \Config\Services::session();, the flash message was passed successfully.


RE: forceHTTPS and session() - anthos1984 - 03-28-2020

I'm sorry guys, looks like I'm wrong about this.

The other time, starting the session early didn't remove the session variable.
Also, when I look at the forceHTTPS source, it also considers when the session is started. So it should be okay.

But it is still a mystery to me why a particular controller function is redirected 3 or 2 times and the session variable gets reset in the end.


RE: forceHTTPS and session() - InsiteFX - 03-29-2020

Simple answer: use an SSL Certificate and everything will be HTTPS://


RE: forceHTTPS and session() - anthos1984 - 03-29-2020

I have it. I just want some pages to be https.

But the 2 or 3 redirections and the missing session var are still a mystery to me.


RE: forceHTTPS and session() - jreklund - 03-29-2020

(03-26-2020, 12:13 AM)anthos1984 Wrote: I have a login page and user administration. It calls a secure page, while the other pages are not encrypted, to lighten the processor load.

I don't have any answer to your specific problem, but there is no performance impact with HTTPS vs HTTP that can't be solved with some itsy bitsy upgrade (or none at all). We are talking about a max 5% CPU increase, if you configure your server correctly.

So go full HTTPS and come back if it still loses the session. I don't know what kind of site you have, but if your users submit any kind of data over HTTP, that data will be unsecured.

EDIT: With an encrypted connection you can also enable HTTP/2, making your website appear faster to your users, as it allows parallel downloads.