Force HTTPS for certain controllers
#1

[eluser]Michael Roper[/eluser]
I am trying to be able to force certain functions in my controller to only be accessed over SSL... so if they are accessed by an HTTP URL, they will be redirected to the HTTPS URL (with any POST data still intact)... but I only want those to be redirected, and everything else can stay on non-SSL.

Here are my current .htaccess rules...
Code:
RewriteEngine On
RewriteBase /

## these were my original rules
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^(.*)$ index.php/$1 [L]

#### SECURE CERTAIN PAGES

## if they are already on the http site
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} secure/(register|activation|login|profile)
RewriteRule ^(.*)$ https://%{HTTP_HOST}/index.php/$1 [L]

## if they are already on the https site
RewriteCond %{SERVER_PORT} !80
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} secure/(register|activation|login|profile)
RewriteRule ^(.*)$ https://%{HTTP_HOST}/index.php/$1 [L]


#### UNSECURE THE REST

## if they are already on the http site
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !secure/(register|activation|login|profile)
RewriteRule ^(.*)$ http://%{HTTP_HOST}/index.php/$1 [L]

## if they are on the https site
RewriteCond %{SERVER_PORT} !80
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !secure/(register|activation|login|profile)
RewriteRule ^(.*)$ http://%{HTTP_HOST}/index.php/$1 [L]

It looks convoluted, but it seems to work... with the exception of the fact that the 'index.php' shows up in the URL when switching between the SSL and non-SSL site... which I don't really like...

Can anyone suggest a better way to do this, or at least a way to tidy up the rules above? I'm not familiar enough with the rewrite rules to figure it out without breaking other things... Also, is this something I could be doing with routes?
#2

[eluser]esra[/eluser]
Not an area of interest for me, but you might consider posting a message in one of the e-commerce threads with a link back to this thread.
#3

[eluser]glemigh[/eluser]
I'm lazy, so I did this for a friend's site that had pages that would not behave, although it was not a CodeIgniter site, but you'll get the idea.
Code:
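<?php
// Not on HTTPS (unset, empty, or "off" on some servers): send the browser to the https:// URL.
if ( empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] === "off" ) {
    // Host and URI come from the request, so escape them before writing them into the HTML attribute.
    $url = 'https://' . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
    echo '<meta http-equiv="refresh" content="0;url=' . htmlspecialchars($url, ENT_QUOTES) . '">';
    echo "\n";
}
?>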

George
#4

[eluser]stevepaperjam[/eluser]
I did something similar to George on my design. I didn't need to retain the POST var, although I reckon you could probably pass it through...
#5

[eluser]Michael Roper[/eluser]
Yeah, I guess that will work, but it's not as secure, as the redirecting is being done AFTER the request for the non-secure page has already been made... with the .htaccess method, it is being done by Apache before it hits the code (or the client)...
#6

[eluser]stevepaperjam[/eluser]
I'm not entirely sure what you are trying to do - but I think that if you're going to send anything through POST you'll want to specify https in the form action rather than forcing it afterwards, otherwise it won't be sent encrypted from their pc to your server first time round.

Not that I am Mr Expert on SSL, it's all a bit of a nightmare.
#7

[eluser]glemigh[/eluser]
I'm not so sure security is a big issue since it can be early in the header, and if not SSL, deny any of the good stuff.

If need be, you can perform other checks to ensure SSL before any good stuff is output.

Personally I trust my PHP over the strange ways the Apache Rewrite stuff sometimes whips up a surprise exception to the rules.

George
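
One way to tidy the rules from post #1 so that 'index.php' stays out of the address bar, as an added example that is not part of the original thread. It assumes the site lives in the document root, that the secure controller is reached under /secure/ as in post #1, and that mod_rewrite's %{HTTPS} variable is available.

```apache
RewriteEngine On
RewriteBase /

# 1. Secure path requested over plain HTTP: external redirect to HTTPS.
#    %{REQUEST_URI} is the path the client asked for, so index.php never
#    shows up in the address bar. 307 keeps the method and body of a POST,
#    but that first POST has already crossed the network unencrypted, so
#    forms should also point their action at https:// (see post #6).
#    %{HTTP_HOST} is kept from post #1; it echoes the client's Host header,
#    so a fixed hostname is the stricter choice.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/secure/(register|activation|login|profile)(/|$)
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=307,L]

# 2. Any other page requested over HTTPS: external redirect back to HTTP.
#    Real files and directories are skipped so assets used by the secure
#    pages can still load over HTTPS. The REDIRECT_STATUS test limits the
#    rule to the client's original request, not the internal rewrite in 3.
RewriteCond %{HTTPS} =on
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/secure/(register|activation|login|profile)(/|$)
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

# 3. Front controller: internal rewrite only, with no scheme or host in the
#    target, so the browser URL is unchanged (the commented-out rule from
#    post #1).
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
```

The two redirect rules send the client the same path it requested on the other scheme; only rule 3 mentions index.php, and it never leaves the server.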



