sending users to https version of <form>

Participant, Jun 17, 2010

So I've never used https before (our payment gateway handles it)

However I WOULD like to implement https:// across the site whenever the user fills in a form. What's the best way to do this ?

eg.

If I have a form on this page, contact.cfm , I'd normally link to it using src="form.cfm"

Would I now link to it with src="https://www.mysite.com/form.cfm" ?

Thinking ahead, everytime I upload the site, I'll need to change this link from form.cfm (my dev environment) to the https link - is there anyway around this ?


Participant, Jun 17, 2010

Just thought - I'm using application, session variables - so I don't want any disruption to those if I can help it.

Perhaps on the form page, start with some kind of logic and use of cflocation ?

It would be great if the logic could check if the application is running in my dev environment eg. localhost / 127.0.0.1

Valorous Hero, Jun 17, 2010

Dax Trajero wrote:

It would be great if the logic could check if the application is running in my dev environment eg. localhost / 127.0.0.1

Play with a <cfdump var="#cgi#"> to see what the web server tells you about itself.  Using some of the values provided there, you should be able to create a branch in your logic to determine if you are on the local host or production server.

But, to your original point.  HTTP and HTTPS are two different web servers, thus each will end up with their own and separate application and session scopes.  If you want your forms to be https, I would suggest just making the entire web site https.  It is really not that hard if you are hosting your own servers, but it might be more difficult if you are using a shared hosting provider.

The biggest limitation with HTTPS is that there can only be one https web site on any given physical web server.  This is because the https handshake must occur before host headers are resolved, thus it is not possible to have multiple https web sites on the same IP address.

Participant, Jun 17, 2010

So what you're saying is, if the forms have to be HTTPS (which I think is advisable given they'll hold user addresses, etc..) then I'll lose any application variables when performing a switch from the HTTP site to the HTTPS site ?

So with that in mind, I'll have to make the whole site HTTPS - is this normal for a site of this kind (user addresses, etc...) are there any performance implications to this ?

Also is there a simple way to achieve this, in the application.cfc ?

I'm going to try that cfdump now to see if I can identify something specific to my testing server and perhaps use it in whatever solution I go with to make the whole site https

LEGEND, Jun 17, 2010

I think if you write a secure version of the CFID & CFTOKEN (or JSESSIONID) cookies with the same values, your application space & sessions will

remain the same.

Best to check this though.

--

Adam

LEGEND, Jun 17, 2010

And rather than reinventing the wheel, try googling "coldfusion sessions http https" and see what issues other people have had and how to resolve them.

--

Adam

Participant, Jun 17, 2010

I'll check that out now Adam, thanks.

Participant, Jun 17, 2010

Cannot afford to have the whole site HTTPS as can't cope with the performance drop - if it's as you say, an order of MAGNITUDE

Will look into the alternative you mention with CFID, etc... This sounds promising, if it works.

Surely it should be built into ColdFusion's scope to cope with switching to a secure (https) form and NOT lose application and session vars ? I would've thought it a frequently used process ?

Valorous Hero, Jun 17, 2010

Dax Trajero wrote:

So what you're saying is, if the forms have to be HTTPS (which I think is advisable given they'll hold user addresses, etc..) then I'll lose any application variables when performaing a switch from the HTTP site to the HTTPS site ?


Well, not lose exactly.  You will just have two separate and distinct sets that cannot easily share.  There would be an HTTP set that would be accessible whenever the code is in the HTTP version and an HTTPS version that would be accessible whenever in the HTTPS code.  Session scope variables are tied to the application and the application is tied to the web site.  Thus different web sites will have different applications which will then have different sessions, IIRC.  If I'm wrong Adam, Dan or somebody should be along soon to correct me.

Dax Trajero wrote:

So with that in mind, I'll have to make the whole site HTTPS - is this normal for a site of this kind (user addresses, etc...) are there any performance implications to this ?

Also is there a simple way to achieve this, in the application.cfc ?

It might be a bit overkill for just basic address information that is pretty public information anyway, after all most of us publish it in very public phone books.  But if you feel you have something more personal or just want the feel good sensation of using HTTPS it isn't that hard to do.  But it is done at the web server level.  So you would set it up in your IIS or Apache or whatever you are using for your web server.  Thus ColdFusion and Application.cfc would have nothing to do with this.

LEGEND, Jun 17, 2010
I would suggest just making the entire web site https.  It is really not that hard if you are hosting your own servers, but it might be more difficult if you are using a shared hosting provider.

HTTPS is much much slower than HTTP - I forget the figures, but it's best measured in orders of magnitude than a linear sort of comparison - so I would advise against this.

--
Adam

Valorous Hero, Jun 17, 2010

Really, I've never heard this.  Do you have links to more information handy?

LEGEND, Jun 17, 2010

I was doing a Zeus ZXTM Administrator's course years ago (skills I never used, so have forgotten), and they covered the performance benefits of Zeus' web server over Apache.  One of the things they covered was the comparison between both on HTTP & HTTPS... Zeus smoked Apache, but also interesting was how many fewer HTTPS requests either was able to perform per sec.  The encryption HTTPS uses is reasonably full-on (and encryption is never quick), and HTML docs can get quite large, so that all adds up.

There's a reason sites only switch into HTTPS when they have to...

Maybe have a sniff around the Zeus website.

--

Adam

Valorous Hero, Jun 17, 2010

Darn, you locked my message before I could update it.

Some interesting reading from the first result of a search

http://stackoverflow.com/questions/149274/http-vs-https-performance

According to this, on modern systems, the encryption is pretty light.  It is the initial handshake that can really slow things down.  Thus it is dependent on the user usage profile how much impact https would have on a given application.

Adam Cameron. wrote:

There's a reason sites only switch in to HTTPS when they have to...

I always thought the biggest reason was that one could only have one HTTPS web site per physical server-IP Address.  Thus it is much harder to distribute the server's physical resources over multiple web sites with HTTPS.

Participant, Jun 17, 2010

Just checked - I uploaded a test page which displays the session UUID

I viewed the page at

http://www.mysite.com/test.cfm

and

https://www.mysite.com/test.cfm

and the same value was given eg. no loss of session variable ?

Valorous Hero, Jun 17, 2010

Yes, if the value does not change then it is the same session.

Looks like if the domain is exactly the same then it can work as you desire.  That is often not the case with https.  Web servers are often configured to use a different domain for the https connection which would lead to a different set of application and session scopes.

Participant, Jun 17, 2010

Well, it looks like my problem is solved!!!

I just issue some logic on my form page. I googled this:

<!--- Compare() returns 0 only when both values are equal, so this branch runs
      when the request is NOT on port 443 and sends it to the https:// URL.
      An empty query string leaves a harmless trailing "?" on the target. --->
<cfif Compare(cgi.SERVER_PORT,443)>
<cflocation url="https://#cgi.server_name##cgi.path_info#?#cgi.query_string#" addtoken="false"/>
</cfif>
but I'm going to mod it so it ignores this if I'm in my dev environment at 127.0.0.1
gonna do a CFDUMP and see what it kicks out

Valorous Hero, Jun 17, 2010

I think you may want the opposite of that.

If I am reading that branch logic correctly, that will relocate a request that is on HTTPS to a normal HTTP request.

Participant, Jun 17, 2010

I agree

He goes on to evolve the code for people who don't like CGI vars...

<cfset oRequest = getPageContext().getRequest() />
<cfset qs = oRequest.getQueryString() />
<!--- getQueryString() returns Java null when there is no query string, which
      leaves qs undefined in CFML, so check before building the redirect URL --->
<cfif NOT isDefined("qs")><cfset qs = "" /><cfelse><cfset qs = "?" & qs /></cfif>

<!--- isSecure() reflects the servlet container's own connection; it is false
      behind a proxy that terminates TLS in front of ColdFusion --->
<cfif NOT oRequest.isSecure()>
<cflocation url="https://#oRequest.getServerName()##oRequest.getRequestURI()##qs#" addtoken="false" />
</cfif>

Participant, Jun 17, 2010

how's this ?

<!--- Skip the redirect on the dev box (no certificate there) and when the
      request is already on port 443. Note HTTP_HOST is whatever the client
      sent in its Host header, and the hard-coded target drops any query string. --->
<cfif CGI.HTTP_HOST NEQ "localhost" AND cgi.server_port NEQ 443>
<cflocation url="https://www.mysite.com/form.cfm" addtoken="no">
</cfif>

Participant, Jun 17, 2010

So that appears to work BUT now when you click out of the form, it keeps you on the HTTPS: site (slowing performance allegedly)

So do I now need a cflocation on EACH remaining page with logic similar to above taking you to the HTTP site  ?

Valorous Hero, Jun 17, 2010

Looks good, I think.

Participant, Jun 17, 2010

My internet host says the reason why the session vars survive the move from HTTP to HTTPS is the way Coldfusion server is configured

"the default storage mechanism for client session data on our shared servers uses a sql database"

Valorous Hero, Jun 17, 2010 (Correct answer)

It is always disappointing that so many web hosting providers who offer ColdFusion do not actually understand the product.

The client scope and the session scope are two different things.

It is good that your hosting service has configured their system to store client data in the database rather than the registry (the default) or cookies.  But as far as I know, you are not using any client scope variables.

Session scope variables always live in RAM.  The factor that matters here is the cookies (CFID and CFTOKEN or JSESSIONID) that are sent between the server and the client so that the server can know which session variables belong to which clients.  The way cookies work, is that they are associated with a specific domain name, thus if your https site uses a different domain (a pretty common configuration), then it will have different cookies which means different session scopes.
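Adam's suggestion earlier in the thread (re-issue the CFID and CFTOKEN, or JSESSIONID, cookies for the secure side) and the explanation above of why the session survived (the cookies are keyed on the hostname, not the scheme) both come down to how the session cookies are set. The following is an added example, not code from the original thread: it re-issues the session cookies with the Secure and HttpOnly flags once the visitor is on the HTTPS side, and spells out the trade-off that Secure brings. It assumes ColdFusion 9 (where cfcookie gained the httponly attribute) and standard ColdFusion session handling; the file name is a placeholder.

```cfml
<!--- secure_cookies.cfm: added example, not from the original thread.
      Include this from the first HTTPS page a visitor reaches (e.g. the checkout page). --->

<!--- Only meaningful over TLS: the point of the Secure flag is that the cookie
      never travels in the clear, so refuse to run on a plain-HTTP request. --->
<cfif NOT (cgi.https EQ "on" OR cgi.server_port EQ 443)>
    <cfabort showerror="secure_cookies.cfm must be requested over HTTPS">
</cfif>

<!--- Because cookies are keyed on hostname, the browser has just sent the same
      CFID/CFTOKEN (or JSESSIONID) it uses on the http:// pages. Re-issuing them
      with the same values keeps the session; the flags change only how the
      browser returns them:
        secure   - sent on https:// requests only
        httponly - not readable from JavaScript, so an XSS bug cannot export them
      Omitting "expires" also turns ColdFusion's long-lived persistent cookies
      into browser-session cookies. --->
<cfif structKeyExists(cookie, "JSESSIONID")>
    <!--- J2EE session handling: the servlet container issued this cookie --->
    <cfcookie name="JSESSIONID" value="#cookie.JSESSIONID#" secure="true" httponly="true" path="/">
<cfelse>
    <cfcookie name="CFID"    value="#session.cfid#"    secure="true" httponly="true" path="/">
    <cfcookie name="CFTOKEN" value="#session.cftoken#" secure="true" httponly="true" path="/">
</cfif>
```

The trade-off: once the cookies carry Secure, the browser stops sending them to http:// pages, so the plain-HTTP half of the site sees a brand-new, empty session from that point on. That is the same effect the thread was trying to avoid, but it is also the only way to stop the identifier that guards the checkout from being replayed after someone reads it off an http:// page view. The practical choices are to serve the whole site over HTTPS or to accept that a visitor's session belongs to the secure area once they enter it. From ColdFusion 10 onward the same flags can be set at session creation with `this.sessioncookie = { secure = true, httponly = true }` in Application.cfc instead of re-issuing cookies by hand.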

Participant, Jun 17, 2010

Thanks Ian. Great info.

Something I've noticed - if I have two pages, form.cfm and form_result.cfm

I must have both pages in HTTP or both in HTTPS in order for the form_result to display the contents of the form

This has implications for my shoppingCart which is a single page which reads various forms and responds accordingly

add product

remove product

update cart

remove cart

checkout

so for any page sending form data to the shopping cart, I must ensure it's in HTTPS

or

create a separate checkout.cfm page (which is the only reason I need the https, to record people's addresses)
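The three things this thread ends up doing page by page (branching on CGI variables to tell the dev box from production, putting a cflocation on each page to move between HTTP and HTTPS, and keeping a form and its result page on the same scheme) can be handled once in Application.cfc. The following is an added example, not code from the original thread or from ColdFusion itself. It assumes a production hostname of www.mysite.com, a list of pages that need TLS in this.securePages, and a dev box that answers as localhost or 127.0.0.1; all three are placeholders to adjust.

```cfml
<!--- Application.cfc: added example, not from the original thread.
      One onRequestStart() handles every page, so no .cfm page needs its own cflocation. --->
<cfcomponent output="false">
    <cfset this.name = "mysite">
    <cfset this.sessionManagement = true>
    <cfset this.setClientCookies = true>

    <!--- Placeholders for this example: adjust to the real site. The form page and the
          page it posts to are listed together on purpose (see the downgrade branch). --->
    <cfset this.canonicalHost = "www.mysite.com">
    <cfset this.securePages   = "form.cfm,form_result.cfm,checkout.cfm">
    <cfset this.devHosts      = "localhost,127.0.0.1">

    <cffunction name="isSecureRequest" access="private" returntype="boolean" output="false">
        <!--- IIS and Apache mod_ssl both set CGI.HTTPS to "on" for TLS requests; the port
              and the servlet container's own view are fallbacks. None of these is reliable
              behind a proxy that terminates TLS in front of ColdFusion; there the only
              signal is a header such as X-Forwarded-Proto that the proxy sets itself. --->
        <cfreturn (cgi.https EQ "on") OR (cgi.server_port EQ 443)
                  OR getPageContext().getRequest().isSecure()>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var page        = listLast(arguments.targetPage, "/")>
        <cfset var needsSecure = listFindNoCase(this.securePages, page) GT 0>
        <cfset var isSecure    = isSecureRequest()>
        <cfset var qs          = "">

        <!--- The dev box has no certificate: never redirect there. Match on server_name
              rather than HTTP_HOST, which is whatever the client put in its Host header. --->
        <cfif listFindNoCase(this.devHosts, cgi.server_name)>
            <cfreturn true>
        </cfif>

        <cfif len(cgi.query_string)>
            <cfset qs = "?" & cgi.query_string>
        </cfif>

        <!--- Upgrade: a page on the secure list requested over plain HTTP. The target host
              is configured, not taken from the request, so a forged Host header cannot
              steer the redirect elsewhere. --->
        <cfif needsSecure AND NOT isSecure>
            <cflocation url="https://#this.canonicalHost##cgi.script_name##qs#" addtoken="false">
        </cfif>

        <!--- Downgrade, which the thread asks for on performance grounds. GET only: a 302
              turns a POST into a GET and drops the form fields, which is why a form and
              the page it posts to must share a scheme (hence both are in securePages).
              Every downgrade also sends the session cookie back over plain HTTP, so
              keeping visitors on HTTPS once they have entered it is the safer choice. --->
        <cfif NOT needsSecure AND isSecure AND cgi.request_method EQ "GET">
            <cflocation url="http://#this.canonicalHost##cgi.script_name##qs#" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

With this in place the per-page checks in the thread are no longer needed; adding a page to this.securePages is the whole change. Because the shopping cart page reads form posts, it belongs on that list as well, or every page that posts to it will lose its fields on the redirect.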
