-
SSL by Page Type - new code not working

26 October 2009 at 10:56am
Someone recently posted new code for the SSL by Page Type - http://doc.silverstripe.org/doku.php?id=ssl
That's great since the last stuff didn't work without a "please click here to redirect", but I can't get this new code to work at all and I'm getting desperate.
If I go to a page designated with forceSSL, it works, but visiting any page after that, it's still stuck in HTTPS.
FYI: I can't have SSL site wide because of a Google map.
Thanks
-
Re: SSL by Page Type - new code not working

26 October 2009 at 12:49pm
I have been poking code around for better SSL support for my current needs with SS. I think this will help you out some. Drop this function in your Page_Controller.php:
/**
 * Beginnings of a patch for proper SSL on actions support
 *
 * Using my own over Director::forceSSL() because those functions ignore SSL
 * when a site is in Dev mode...which makes testing SSL unmanageable.
 */
protected function _checkSSL() {
    $needSSL = $inSSL = $destURL = false;
    $inSSL = ( isset($_SERVER['SSL']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ) ? true : false;

    // Get static $ssl_actions and see if we need SSL
    // How do we get the topmost $ssl_actions or do we want to inherit parents with combined_static?
    if($all_ssl_actions = Object::combined_static($this, 'ssl_actions') and is_array($all_ssl_actions) ) {
        $action = $this->getRequest()->latestParam('Action'); // $this->getAction() always empty??
        if( in_array($action,$all_ssl_actions) or
            (in_array('index',$all_ssl_actions) and is_null($action) ) ) {
            $needSSL = true;
        }
    }

    if( $needSSL and !$inSSL ){
        $destURL = str_replace('http:','https:', Director::absoluteURL($_SERVER['REQUEST_URI']));
    } elseif( !$needSSL and $inSSL ) {
        $destURL = str_replace('https:','http:', Director::absoluteURL($_SERVER['REQUEST_URI']));
    }

    // str_replace does all instances in a string, what if a URI has another url inside of it? ie. ?backURL=http://mysssite.com/Security/login
    if( $destURL ) {
        header("Location: $destURL", true, 301);
        // Escape the URL before echoing it into the fallback HTML
        $safeURL = htmlspecialchars($destURL, ENT_QUOTES);
        die('<h1>Your browser is not accepting header redirects</h1><p>Please <a href="'.$safeURL.'">click here</a></p>');
    }
}

Add this to your Page_Controller init() function:

public function init() {
    parent::init();
    $this->_checkSSL();
}

Now, to use this just add the following to any of your controllers to force SSL for the specific actions/forms you need to protect with SSL

public static $ssl_actions = array(
    'checkout',
    'CardCheckoutForm',
    'TermsAndConditions'
);

It isn't as good as it can be, but it is certainly a good start.
-
Re: SSL by Page Type - new code not working

26 October 2009 at 5:49pm
Hey Saurus,
In your example, I'm not understanding what to put in the static $ssl_actions array.
I want to secure:
- all login pages (including admin)
- 2 sections that are password protected (Parent and Child pages... don't know if I apply to Parent if Child inherits or not)
- A form page outside of those sections.

I thought just the class name, but that didn't seem to work.
-
Re: SSL by Page Type - new code not working

30 October 2009 at 5:58am Last edited: 30 October 2009 5:59am
Sorry socks, been a bit absent lately.
The way this works is by allowing you to specify which actions in a controller to enforce SSL. It will take the site out of SSL if they are on one of the actions in $ssl_actions and click to another one that is not (saving as much overhead processing as possible).
You use it just like $allowed_actions.
// in your _Controller classes
static $ssl_actions = array(
    'child',
    'MyForm',
    'index'
);

For the Security pages you'll probably just extend the Security class, adding the $ssl_actions static, then doing a Object::useCustomClass call.
-
Re: SSL by Page Type - new code not working

31 October 2009 at 1:19pm Last edited: 31 October 2009 4:06pm
No need to be sorry...
Update:
The code at http://doc.silverstripe.org/doku.php?id=ssl did have an omission and has been updated again.

I had that example working (but not for admin and login pages), tried another solution and must have messed something up. I'm getting partially encrypted pages on everything except when logged into the Admin and on the dev/build?flush=all page.

I deleted all references to the SSL solutions, but I can't even get Director::forceSSL(); in the _config.php to properly work. Not sure what I did or how to troubleshoot.

As soon as I figure out what went wrong, I'll try both your solution and the one on the wiki again.

I figured out my partially encrypted pages were caused by referencing the jQuery file via Google and using link http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js instead of https://...
...finally getting back to trying the SSL options
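
The comment in the _checkSSL() function posted earlier in this thread asks what happens when the request URI contains another URL, such as a backURL parameter. As an added example (not part of any post in this thread; the function names are hypothetical and the URLs are constructed), this compares that str_replace call with a rewrite that touches only the leading scheme:

```php
<?php
// Added example: not code from the thread. Function names are hypothetical.

/** The str_replace approach from the thread, isolated for comparison. */
function switchSchemeNaive($url, $toHttps) {
    return $toHttps
        ? str_replace('http:', 'https:', $url)
        : str_replace('https:', 'http:', $url);
}

/**
 * Rewrite only the leading scheme of an absolute http(s) URL.
 * Returns null for anything else so the caller can skip the redirect.
 */
function switchScheme($url, $toHttps) {
    // Anchored match: only a scheme at position 0 is considered.
    if (!preg_match('#^https?://#i', $url, $m)) {
        return null;
    }
    $rest = substr($url, strlen($m[0]));
    return ($toHttps ? 'https://' : 'http://') . $rest;
}

// Constructed sample URLs (example.com is a placeholder host).
$samples = array(
    // Leaving SSL: the embedded return URL should stay https.
    array('https://example.com/about?BackURL=https://example.com/checkout', false),
    // Entering SSL: the embedded URL points at a plain-http page.
    array('http://example.com/Security/login?BackURL=http://example.com/map', true),
    // Not an absolute http(s) URL: no redirect target is produced.
    array('/relative/path', true),
);

foreach ($samples as $sample) {
    list($url, $toHttps) = $sample;
    $safe = switchScheme($url, $toHttps);
    echo "input: $url\n";
    echo "naive: " . switchSchemeNaive($url, $toHttps) . "\n";
    echo "fixed: " . ($safe === null ? '(no redirect)' : $safe) . "\n\n";
}
```

In the first sample the naive version also downgrades the BackURL target to http, so the page the visitor is sent back to is first requested without SSL.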


