SSL by Page Type - new code not working


socks

Community Member, 191 Posts

26 October 2009 at 10:56am

Someone recently posted new code for the SSL by Page Type - http://doc.silverstripe.org/doku.php?id=ssl

That's great since the last stuff didn't work without a "please click here to redirect", but I can't get this new code to work at all and I'm getting desperate.

If I go to a page designated with forceSSL, it works, but visiting any page after that, it's still stuck in HTTPS.

FYI: I can't have SSL site wide because of a Google map.

Thanks

dalesaurus

Community Member, 283 Posts

26 October 2009 at 12:49pm

I have been poking code around for better SSL support for my current needs with SS. I think this will help you out some. Drop this function in your Page_Controller.php:

	/**
	 * Beginnings of a patch for proper SSL on actions support
	 *
	 * Using my own over Director::forceSSL() because those functions ignore SSL
	 * when a site is in Dev mode...which makes testing SSL unmanageable.
	 */
	protected function _checkSSL() {
		$needSSL = false;
		$destURL = false;
		// Are we currently being served over HTTPS?
		$inSSL = isset($_SERVER['SSL']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on');

		// Get static $ssl_actions and see if we need SSL
		//  How do we get the topmost $ssl_actions or do we want to inherit parents with combined_static?
		if($all_ssl_actions = Object::combined_static($this, 'ssl_actions') and is_array($all_ssl_actions) ) {
			$action = $this->getRequest()->latestParam('Action');	//  $this->getAction() always empty??
			if( in_array($action, $all_ssl_actions) or
				(in_array('index', $all_ssl_actions) and is_null($action)) ) {
				$needSSL = true;
			}
		}

		// Rewrite only the leading scheme. A plain str_replace() would also rewrite a URL
		// carried inside the URI, ie. ?backURL=http://mysssite.com/Security/login
		if( $needSSL and !$inSSL ) {
			$destURL = preg_replace('/^http:/i', 'https:', Director::absoluteURL($_SERVER['REQUEST_URI']));
		} elseif( !$needSSL and $inSSL ) {
			$destURL = preg_replace('/^https:/i', 'http:', Director::absoluteURL($_SERVER['REQUEST_URI']));
		}

		if( $destURL ) {
			header("Location: $destURL", true, 301);
			// Escape the URL before echoing it into the fallback HTML
			$safeURL = htmlspecialchars($destURL, ENT_QUOTES);
			die('<h1>Your browser is not accepting header redirects</h1><p>Please <a href="'.$safeURL.'">click here</a></p>');
		}
	}

Add this to your Page_Controller init() function:

	public function init() {
		parent::init();
		$this->_checkSSL();
	}

Now, to use this just add the following to any of your controllers to force SSL for the specific actions/forms you need to protect with SSL:

	public static $ssl_actions = array(
		'checkout',
		'CardCheckoutForm',
		'TermsAndConditions'
	);

It isn't as good as it can be, but it is certainly a good start.

socks

Community Member, 191 Posts

26 October 2009 at 5:49pm

Hey Saurus,

In your example, I'm not understanding what to put in the static $ssl_actions array.

I want to secure:
- all login pages (including admin)
- 2 sections that are password protected (Parent and Child pages... don't know if I apply to Parent if Child inherits or not)
- A form page outside of those sections.

I thought just the class name, but that didn't seem to work.

dalesaurus

Community Member, 283 Posts

30 October 2009 at 5:58am

Edited: 30/10/2009 5:59am

Sorry socks, been a bit absent lately.

The way this works is by allowing you to specify which actions in a controller to enforce SSL. It will take the site out of SSL if they are on one of the actions in $ssl_actions and click to another one that is not (saving as much overhead processing as possible).

You use it just like $allowed_actions.

	// in your _Controller classes

	static $ssl_actions = array(
		'child',
		'MyForm',
		'index'
	);

For the Security pages you'll probably just extend the Security class, adding the $ssl_actions static, then doing a Object::useCustomClass call.

socks

Community Member, 191 Posts

31 October 2009 at 1:19pm

Edited: 31/10/2009 4:06pm

No need to be sorry...

Update:
The code at http://doc.silverstripe.org/doku.php?id=ssl did have an omission and has been updated again.

I had that example working (but not for admin and login pages), tried another solution and must have messed something up. I'm getting partially encrypted pages on everything except when logged into the Admin and on the dev/build?flush=all page.

I deleted all references to the SSL solutions, but I can't even get Director::forceSSL(); in the _config.php to properly work. Not sure what I did or how to troubleshoot.

As soon as I figure out what went wrong, I'll try both your solution and the one on the wiki again.

I figured out my partially encrypted pages were caused by referencing the jQuery file via Google and using the link http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js instead of https://...

...finally getting back to trying the SSL options