Login

eloyucu · 02-18-2016, 02:10 AM

I had been reading this:

PHP Code:
/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
| URL to your CodeIgniter root. Typically this will be your base URL,
| WITH a trailing slash:
|
|    http://example.com/
|
| WARNING: You MUST set this value!
|
| If it is not set, then CodeIgniter will try guess the protocol and path
| your installation, but due to security concerns the hostname will be set
| to $_SERVER['SERVER_ADDR'] if available, or localhost otherwise.
| The auto-detection mechanism exists only for convenience during
| development and MUST NOT be used in production!
|
| If you need to allow multiple domains, remember that this file is still
| a PHP script and you can easily do that on your own.
|
*/
$config['base_url'] = ''; 

And I want to have no problem with security , so on my production application I want to setup correctly the base_url config. With other projects I had done there was no problem because I only need to use one domain... But now the things changes. I am doing something like a multidomain system... and a thing I am thinking is:

PHP Code:
$config['base_url']    = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,strpos( $_SERVER["SERVER_PROTOCOL"],'/'))).'://'.$_SERVER['HTTP_HOST']; 

Could be that correct??
Thank you.

***Narf*** · 02-18-2016, 02:42 AM

No, DO NOT use unvalidated $_SERVER['HTTP_HOST']!

Krycek · 02-18-2016, 07:03 AM

I use the following snippet code

PHP Code:
$allowed_domains = array('site1.com', 'site2.com');
$default_domain  = 'site1.com';

if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE))
{
    $domain = $_SERVER['HTTP_HOST'];
}
else
{
    $domain = $default_domain;
}

if ( ! empty($_SERVER['HTTPS']))
{
    $config['base_url'] = 'https://'.$domain;
}
else
{
    $config['base_url'] = 'http://'.$domain;
} 

rsilva6 · 02-18-2016, 11:36 AM

Any of URL examples doesn't work on CI with you want run controller method by CLI.

freddy · 02-18-2016, 06:26 PM

(02-18-2016, 02:42 AM)Narf Wrote: No, DO NOT use unvalidated $_SERVER['HTTP_HOST']!

then why , any link to describe it, thanks

Diederik · 02-19-2016, 01:30 AM

The $_SERVER['HTTP_HOST'] value is created based on the request headers from the browser, it's easy to manipulate them. The value of $config['base_url'] is used for example in the url helper, form_open function etc. You should not have a situation where some header of the client can change all the url's on you page, or even change the action url of a login form to some external location...

There for you should never ever trust user input blindly and not only validate if it's a valid domainname but in this case you should check if $_SERVER['HTTP_HOST'] is indeed set to a domain you own. I use some similar whitelist approach as Krycek.

http://www.skeletonscribe.net/2013/05/pr...tacks.html

cartalot · 02-19-2016, 12:48 PM

not sure if this will help -- but instead of setting the base url in the application/config file - you can set it on the main index.php page. scroll down and you will see 'custom config values'. you can then set it like:

PHP Code:
$assign_to_config['base_url'] = 'https://yourwebsite.com/'; 