Welcome Guest, Not a member yet? Register   Sign In
forceHTTPS and session()
#1

(This post was last modified: 03-26-2020, 10:47 AM by jreklund.)

I'm not sure where to talk about this.



but '$this->forceHTTPS' must be called before '$session = session();' or else your session variable might be loss. This warning should be made into user guide.



I'm spent lot of times finding why my flash message is missing.



I have login page and user administration. It calls secure page, while other page is not encrypted to lighten processor load.



So in config\App, the base url is using 'http', not 'https'. Also 'forceGlobalSecureRequest' is not enabled. That makes website using not secure page (http). When I want to send important data, I call 'forceHTTPS' and in form action, I use 'site_url('target_path','https').

On my login and user administration pages, which is using same controller, the user messages is passing through as flash message and passed succesfully.


However, the other secure pages, also calls forceHTTPS, the user flash messages is gone.



It turns out that the login class is extended from system Controller and called $this->forceHTTPS before calling $session = session(). The flash message is passed as intended.



On the other pages, it using controller class which extended from BaseController and called '$this->session = \Config\Services::session();' on  parent 'initController' function. However, some controller function calling $this->forceHTTPS and the flash messages is gone. This means the 'forceHTTPS' is called after $this->session = \Config\Services::session() because the session is called from parent controller function.



After I change the order, forceHTTPS before $this->session = \Config\Services::session();, the flash message passed successfully.
Reply
#2

I'm sorry guys, looks like I'm wrong about this.

The other time I starting session early doesn't remove session variable.
Also when see forceHTTPS source, it also consider when session is started. So, it should okay.

But it still mystery for me why particular controller function is redirected 3 or 2 times and session variable gets reset in the end.
Reply
#3

Simple answer use an SSL Certificate and everything will be HTTPS//
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#4

I have it. I just want to use some pages to be https.

But 2 or 3 redirection and missing session var is still mystery for me
Reply
#5

(This post was last modified: 03-29-2020, 11:45 AM by jreklund.)

(03-26-2020, 12:13 AM)anthos1984 Wrote: I have login page and user administration. It calls secure page, while other page is not encrypted to lighten processor load.

I don't have any answer to your specific problem, but there are no performance impact with HTTPS vs HTTP that can't be solved with some itsy bitsy upgrade (or non at all). We are talking about max 5% CPU increase. If you configure your server correctly.

So go full HTTPS and come back if it still loose the session. Don't know what kind of site you have your users submit any kind of data with HTTP those will be unsecured.

EDIT: With encrypted connection you can also enable HTTP 2, making your website appear faster to your users. As it allow parallel downloads.
Reply
#6

Thanks for suggestion.
I'm using shared hosting. Many times it go down. They say server has high load, and my website data has to be moved on other server in their company.
Reply
#7

Either get a new provider, with a faster server. Or better yet optimize your application utilizing cache to lighten the load.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB