July 22, 2009

I normally place the secure-pages of any application into a different sub-domain entirely.  It may be served by the same server, from the same underlying software, but the subdomain name is different.

For example:  http://www.mydomain.com  vs.  https://secure.mydomain.com.

From the browser's point of view, these are "clearly two, different sites."

This also makes the cookies distinct ... usually, an important consideration.  The browser thinks of the secure site as being "clearly a different site," and the cookies of that site are distinct ... and secured.  (That is to say, the browser's not supposed to serve the cookies to any other site nor to serve them without an https connection in-place.)

 

You see, to properly maintain security, you need to avoid introducing information from an insecure area into a secure one, or vice-versa.  You need to be certain that this takes place on the client side, which you cannot control:  you can (through shared databases and so forth...) control things adequately on the server(s).  You do not want the two pools of client-side information to be mixed ... or mixable.
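
The cookie separation described in the post above, as an added example that is not part of the original post: a simplified model of the browser's cookie matching rules (RFC 6265, with path, expiry and public-suffix checks left out). It shows that the isolation holds only while the secure site's cookie carries `Secure` and no `Domain` attribute. The hostnames are the post's; the cookie name and value are constructed.

```javascript
// Simplified model of RFC 6265 cookie storage and matching.
// Assumptions: path, expiry and public-suffix checks are omitted;
// cookie names and values below are constructed sample data.

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse a Set-Cookie header received from originHost into a stored cookie.
function storeCookie(setCookie, originHost) {
  const host = originHost.toLowerCase();
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: host, hostOnly: true, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'domain' && v) {
      const d = v.replace(/^\./, '').toLowerCase();
      // A server may only set a cookie for its own host or a parent domain.
      if (!domainMatch(host, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false; // now visible to every subdomain of d
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for url?
function isSent(cookie, url) {
  const { protocol, hostname } = new URL(url);
  if (cookie.secure && protocol !== 'https:') return false;
  return cookie.hostOnly ? hostname === cookie.domain
                         : domainMatch(hostname, cookie.domain);
}

// Host-only + Secure: stays on https://secure.mydomain.com.
const isolated = storeCookie('SID=abc123; Secure; HttpOnly', 'secure.mydomain.com');
// Domain widened to the parent and no Secure flag: leaks to www, even over http.
const shared = storeCookie('SID=abc123; Domain=mydomain.com', 'secure.mydomain.com');

for (const url of ['https://secure.mydomain.com/account', 'http://secure.mydomain.com/',
                   'https://www.mydomain.com/', 'http://www.mydomain.com/']) {
  console.log(url.padEnd(38), 'isolated:', isSent(isolated, url),
              'shared:', isSent(shared, url));
}
```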

July 21, 2009

I'm confused, first you mentioned wanting to redirect all pages to SSL, and then said you didn't want to redirect all pages.

I redirect only specific pages to SSL, so I created a custom tag with the below code and add it to whatever pages I want to force SSL on:

<!--- Redirect to the same URL over HTTPS when the request did not arrive on a secure port --->
<CFIF trim(cgi.server_port_secure) EQ 0>
    <CFIF trim(cgi.query_string) IS "">
        <CFLOCATION URL="https://#trim(cgi.server_name)##trim(cgi.script_name)#">
    <CFELSEIF NOT trim(cgi.query_string) IS "">
        <CFLOCATION URL="https://#trim(cgi.server_name)##trim(cgi.script_name)#?#trim(cgi.query_string)#">
    </CFIF>
    <CFABORT>
</CFIF>

July 20, 2009

I think that you might be able to do this with a rewrite rule....

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?domain\.ca$ [NC]
RewriteRule ^(.*)$ https://www.ssl_domain.ca/$1 [L,R=301]

assuming you have mod_rewrite or whatever the Windows rewrite equivalent is, you can just jack that into an .htaccess - assuming again you don't need CF to be aware of/trap redirects.

-sean

nikos101 (Author)
July 20, 2009

Thanks, this looks interesting but is a bit over my head, I thought this stuff was only an Apache feature

Do I just stick this in a .htaccess file in my directory /mmm/?

July 20, 2009

Hi Nikos;

it's fairly straightforward, condition and rule + some regex [not the cf brand of regex]...  if you are on linux/apache, yes - just jack it into an .htaccess file in your site root.

more info: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

if you are on winblows, yes - you might be boned....  a quick google turns up:

http://ask-leo.com/does_iis_support_url_rewriting.html

which is really unfortunate as you can do some really cool things with rewrite rules.

-sean

Dileep_NR
July 20, 2009

try this

<cffunction name="onRequestStart">
    <cfif cgi.server_port NEQ 443>
        <cflocation url="https://#CGI.SERVER_NAME#">
    </cfif>
</cffunction>

nikos101 (Author)
July 20, 2009

Thanks very much,

For example, say I put this in the top of my index page:

<cfif cgi.server_port NEQ 443>
    <cflocation url="https://#CGI.SERVER_NAME#/mmm/">
</cfif>

I get an error:

Redirection limit for this URL exceeded.  Unable to load the requested page.  This may be caused by cookies that are blocked.

Dileep_NR
July 20, 2009

DO NOT USE THAT CODE IN INDEX PAGE

use that code in application.cfc

<cffunction name="onRequestStart">