| Handling HTTPS when base_url is left blank in config/config |
[eluser]skunkbad[/eluser]
I had been working on Community Auth this evening, when I realized that if the base_url is left blank in config/config, when a site visitor goes to a secure page, the base_url actually changes schemes from http to https. Up until this point, I had been extending the html and url helpers to allow for special secure_* functions: 1) secure_site_url() 2) secure_base_url() 3) secure_anchor() An example of the problem would be as follows: When base_url is left blank in config/config and site_url() is used, the URL returned by the site_url() function always has an https scheme. The problem is also that since the scheme is already https, my custom secure_* functions were adding an additional 's', and effectively making the URL malformed like this: httpss:// What I did was use php's parse_url() function to analyze the base_url or site_url before returning it. For instance, with the standard site_url() function: Code: function site_url( $uri = '' )And the revised secure_site_url() function: Code: function secure_site_url( $uri = '' )These modifications ensure that the link created is pointing where it should, and that it is not malformed. Is this what everyone else is doing? Should this be standard in CI? Please keep in mind, I'm not looking for a solution that forces HTTPS through a redirect. Forcing HTTPS through a redirect is a bad security policy according to the latest PCI compliance scan that I had the pleasure of dealing with. I'm also not interested in a solution that doesn't allow the site visitor to escape the HTTPS environment, or one that makes the whole site HTTPS. Maybe I'm actually not looking for a solution at all, but just confirmation that this is the best way to allow for secure and non-secure parts of a website, or an explanation as to why another way is better. |
| Welcome Guest, Not a member yet? Register Sign In |
