Skip to main content
D
Dax_Trajero
Inspiring
June 17, 2010
Answered

sending users to https version of <form>

  • June 17, 2010
  • 1 reply
  • 2752 views

So I've never used https before (our payment gateway handles it)

However I WOULD like to implement https:// across the site whenever the user fills in a form. What's the best way to do this ?

eg.

If I have a form on this page, contact.cfm , I'd normally link to it using src="form.cfm"

Would I now link to it with src="https://www.mysite.com/form.cfm" ?

Thinking ahead, everytime I upload the site, I'll need to change this link from form.cfm (my dev environment) to the https link - is there anyway around this ?

This topic has been closed for replies.
Correct answer ilssac

My internet host says the reason why the session vars survive the move from HTTP to HTTPS is the way Coldfusion server is configured

"the default storage mechanism for client session data on our shared servers uses a sql database"


It is always disapointing that so many web hosting providers who offer ColdFusion do not actually understand the product.

The client scope and the session scope are two different things.

It is good that your hosting service has configured their system to store client data in the database rather then the registry (the default) or cookies.  But as far as I know, you are not using any client scope variables.

Session scope variables always live in RAM.  The factor that matters here is the cookies (CFID and CFTOKEN or JSESSIONID) that are sent between the server and the client so that the server can know which session variables belong to which clients.  The way cookies work, is that they are associated with a specific domain name, thus if your https site uses a different domain (a pretty common configuration), then it will have different cookies which means different session scopes.

1 reply

D
Dax_TrajeroAuthor
Inspiring
June 17, 2010

Just thought - I'm using application, session variables - so I don't want any disruption to those if I can help it.

Perhaps on the form page, start with some kind of logic and use of cflocation ?

It would be great if the logic could check if the application is running in my dev environment eg. localhost / 127.0.0.1

ilssac
ilssac
Inspiring
June 17, 2010

Dax Trajero wrote:

It would be great if the logic could check if the application is running in my dev environment eg. localhost / 127.0.0.1

Play with a <cfdump var="#cgi#"> to see what the web server tells you about itself.  Using some of the values provided there, you should be able to create a branch in your logic to determine if you are on the local host or production server.

But, to your origianl point.  HTTP and HTTPS are two differen web servers, thus each will end up with their own and seperate application and session scopes.  If you want your forms to be https, I would suggest just making the entire web site https.  It is really not that hard if you are hosting your own servers, but it might be more difficult if you are using a shared hosting provider.

The biggest limitation with HTTPS is that their can only be one https web site on any givien physical web server.  This is because the https hand shake must occure before host headers are resolved, thus it is not possible to have multiple https web sites on the same ip address.

D
Dax_TrajeroAuthor
Inspiring
June 17, 2010

So what you're saying is, if the forms have to be HTTPS (which I think is advisable given they'll hold user addresses, etc..) then I'll lose any application variables when performaing a switch from the HTTP site to the HTTPS site ?

So with that in mind, I'll have to make the whole site HTTPS - is this normal for a site of this kind (user addresses, etc...) are there any performance implications to this ?

Also is there a simple way to achieve this, in the application.cfc ?

I'm going to try that cfdump now to see if I can identify something specifc to my testing server and perhaps use it in whatever solution I go with to make the whole site https

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices