Jump to:

23453 Posts in 18904 Topics by 2877 members

General Questions

SilverStripe Forums » General Questions » SSL by Page Type - new code not working

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Page: 1
Go to End
Author Topic: 1863 Views
  • socks
    Avatar
    Community Member
    190 Posts

    SSL by Page Type - new code not working Link to this post

    Someone recently posted new code for the SSL by Page Type - http://doc.silverstripe.org/doku.php?id=ssl

    That's great since the last stuff didn't work without a "please click here to redirect", but I can't get this new code to work at all and I'm getting desperate.

    If I go to a page designated with forceSSL, it works, but visiting any page after that, it's still stuck in HTTPS.

    FYI: I can't have SSL site wide because of a Google map.

    Thanks

  • dalesaurus
    Avatar
    Community Member
    283 Posts

    Re: SSL by Page Type - new code not working Link to this post

    I have been poking code around for better SSL support for my current needs with SS. I think this will help you out some. Drop this function in your Page_Controller.php:

       /**
        * Beginnings of a patch for proper SSL on actions support
        *
        * Using my own over Director::forceSSL() because those functions ignore SSL
        * when a site is in Dev mode...which makes testing SSL unmanageable.
        */
       protected function _checkSSL() {
          $needSSL = $inSSL = $destURL = false;
          $inSSL = ( isset($_SERVER['SSL']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ) ? true : false;

          // Get static $ssl_actions and see if we need SSL
          // How do we get the topmost $ssl_actions or do we want to inherit parents with combined_static?
          if($all_ssl_actions = Object::combined_static($this, 'ssl_actions') and is_array($all_ssl_actions) ) {
             $action = $this->getRequest()->latestParam('Action');   // $this->getAction() always empty??
             if( in_array($action,$all_ssl_actions) or
                (in_array('index',$all_ssl_actions) and is_null($action) )   ) {
                $needSSL = true;
             }
          }

          if( $needSSL and !$inSSL ){
             $destURL = str_replace('http:','https:', Director::absoluteURL($_SERVER['REQUEST_URI']));
          } elseif( !$needSSL and $inSSL ) {
             $destURL = str_replace('https:','http:', Director::absoluteURL($_SERVER['REQUEST_URI']));
          }
          // str_replace does all instances in a string, what if a URI has another url inside of it? ie. ?backURL=http://mysssite.com/Security/login

          if( $destURL ) {
             header("Location: $destURL", true, 301);
             die('<h1>Your browser is not accepting header redirects</h1><p>Please <a href="'.$destURL.'">click here</a>');
          }
       }

    Add this to your Page_Controller init() function:

       public function init() {
          parent::init();
          $this->_checkSSL();
       }

    Now, to use this just add the following to any of your controllers to force SSL for the specific actions/forms you need to protect with SSL

    public static $ssl_actions = array(
    'checkout',
    'CardCheckoutForm',
    'TermsAndConditions'
    );


    It isn't as good as it can be, but it is certainly a good start.

  • socks
    Avatar
    Community Member
    190 Posts

    Re: SSL by Page Type - new code not working Link to this post

    Hey Saurus,

    In your example, I'm not understanding what to put in the static $ssl_actions array.

    I want to secure:
    - all login pages (including admin)
    - 2 sections that are password protected (Parent and Child pages... don't know if I apply to Parent if Child inherits or not)
    - A form page outside of those sections.

    I thought just the class name, but that didn't seem to work.

  • dalesaurus
    Avatar
    Community Member
    283 Posts

    Re: SSL by Page Type - new code not working Link to this post

    Sorry socks, been a bit absent lately.

    The way this works is by allowing you to specify which actions in a controller to enforce SSL. It will take the site out of SSL if they are on one of the actions in $ssl_actions and click to another one that is not (saving as much overhead processing as possible).

    You use it just like $allowed_actions.

    // in your _Controller classes

    static $ssl_actions = (
    'child',
    'MyForm',
    'index'
    );

    For the Security pages you'll probably just extend the Security class, adding the $ssl_actions static, then doing a Object::useCustomClass call.

  • socks
    Avatar
    Community Member
    190 Posts

    Re: SSL by Page Type - new code not working Link to this post

    No need to be sorry...

    Update:
    The code at http://doc.silverstripe.org/doku.php?id=ssl did have an omission and has been updated again.

    I had that example working (but not for admin and login pages), tried another solution and must have messed something up. I'm getting partially encrypted pages on everything except when logged into the Admin and on the dev/build?flush=all page.

    I deleted all references to the SSL solutions, but I can't even get Director::forceSSL(); in the _config.php to properly work. Not sure what I did or how to troubleshoot.

    As soon as I figure out what went wrong, I'll try both your solution and the one on the wiki again.

    I figured out my partially encrypted pages were cause by referencing the jQuery file via Google and using link http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js instead of https://...

    ...finally getting back to trying the SSL options

    1863 Views
Page: 1
Go to Top

Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com

Comments on this website? Please give feedback.