
SSL enabled domain - redirect to https

Enthusiast, Jul 20, 2009

Hello there: I have an SSL enabled domain and would like to direct all page views from

http://www.mydomain.com

to

https://www.mydomain.com

Is this possible?

Thanks

TOPICS
Advanced techniques
Contributor, Jul 20, 2009

try this

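<!--- Application.cfc: runs before every request --->
<cffunction name="onRequestStart">
    <!--- Not on the SSL port: send the visitor to the HTTPS site root --->
    <cfif cgi.server_port NEQ 443>
        <cflocation url="https://#CGI.SERVER_NAME#">
    </cfif>
</cffunction>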

Enthusiast, Jul 20, 2009

Thanks very much,

For example, say I put this in the top of my index page:

<cfif cgi.server_port NEQ 443  >

    <cflocation url="https://#CGI.SERVER_NAME#/mmm/">

</cfif>

I get an error:

Redirection limit for this URL exceeded.  Unable to load the requested page.  This may be caused by cookies that are blocked.

Contributor, Jul 20, 2009

DO NOT USE THAT CODE IN INDEX PAGE

use that code in application.cfc

<cffunction name="onRequestStart">   

Enthusiast, Jul 20, 2009

Thanks, but I don't want my whole site to redirect to SSL, which, if I put that in application.cfc, I think would be the case.

Contributor, Jul 20, 2009

try this,

add the files you need to redirect https to "httpsfilelist"


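<cffunction name="onRequestStart">
    <!--- Pages that must be served over HTTPS --->
    <cfset httpsfilelist = "abc.cfm,test.cf,index.cfm">
    <cfif cgi.server_port NEQ 443>
        <!--- ListFindNoCase matches whole list items; ListContains would also match substrings --->
        <cfif ListFindNoCase(httpsfilelist, GetFileFromPath(CGI.SCRIPT_NAME), ",")>
            <cflocation url="https://#CGI.SERVER_NAME#/index.cfm">
        </cfif>
    </cfif>
</cffunction>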

Guest, Jul 20, 2009

I think that you might be able to do this with a rewrite rule....

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?domain\.ca$ [NC]
RewriteRule ^(.*)$ https://www.ssl_domain.ca/$1 [L,R=301]

assuming you have mod_rewrite or whatever the windows rewrite equivalent is, you can just jack that into an .htaccess - assuming again you don't need CF to be aware of/trap redirects.

-sean

Enthusiast, Jul 20, 2009

Thanks, this looks interesting but is a bit over my head. I thought this stuff was only an Apache feature.

Do I just stick this in a .htaccess file in my directory /mmm/?

Guest, Jul 20, 2009

Hi Nikos;

it's fairly straightforward, condition and rule + some regex [not the cf brand of regex]...  if you are on linux/apache, yes - just jack it into an .htaccess file in your site root.

more info: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

if you are on winblows, yes - you might be boned....  a quick google turns up:

http://ask-leo.com/does_iis_support_url_rewriting.html

which is really unfortunate as you can do some really cool things with rewrite rules.

-sean

Enthusiast, Jul 20, 2009

I'm on IIS

Guest, Jul 20, 2009

you might just check with your hosting company, IIS does have an aspi plugin or something that does the mod_rewrite functionality.

But reading your post more carefully [sorry] I see only specific pages are to be SSL, you would have to rewrite the regex for those rules to account for specific pages and probably pass any url query info along as well.

-sean

Participant, Jul 21, 2009

I'm confused, first you mentioned wanting to redirect all pages to SSL, and then said you didn't want to redirect all pages.

I redirect only specific pages to SSL, so I created a custom tag with the below code and add it to whatever pages I want to force SSL on:

<CFIF trim(cgi.server_port_secure) EQ 0>
<CFIF trim(cgi.query_string) IS "">
<CFLOCATION URL="https://#trim(cgi.server_name)##trim(cgi.script_name)#">
<CFELSEIF NOT trim(cgi.query_string) IS "">
<CFLOCATION URL="https://#trim(cgi.server_name)##trim(cgi.script_name)#?#trim(cgi.query_string)#">
</CFIF>
<CFABORT>
</CFIF>

Engaged, Jul 22, 2009

I normally place the secure-pages of any application into a different sub-domain entirely.  It may be served by the same server, from the same underlying software, but the subdomain name is different.

For example:  http://www.mydomain.com  vs.  https://secure.mydomain.com.

From the browser's point of view, these are "clearly two, different sites."

This also makes the cookies distinct ... usually, an important consideration.  The browser thinks of the secure site as being "clearly a different site," and the cookies of that site are distinct ... and secured.  (That is to say, the browser's not supposed to serve the cookies to any other site nor to serve them without an https connection in-place.)

 

You see, to properly maintain security, you need to avoid introducing information from an insecure area into a secure one, or vice-versa.  You need to be certain that this takes place on the client side, which you cannot control:  you can (through shared databases and so forth...) control things adequately on the server(s).  You do not want the two pools of client-side information to be mixed ... or mixable.
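
Added example (not part of the original thread): a simplified JavaScript model of how a browser decides which cookies to attach to a request, applied to the www/secure subdomain split described above. The cookie names and jar contents are constructed for illustration, and the matching rules are a reduced form of RFC 6265 (no path or expiry handling).

```javascript
// Simplified cookie-scoping model (after RFC 6265); illustration only.
// Cookie names and jar contents below are constructed sample data.

// Domain-match: a host-only cookie needs the exact host; a cookie set with
// a Domain attribute also matches every subdomain of that domain.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { protocol, hostname } = new URL(url);
  return jar
    .filter((c) => domainMatches(hostname, c))
    .filter((c) => !c.secure || protocol === "https:") // Secure => https only
    .map((c) => c.name)
    .sort();
}

// Store a cookie the way a browser records a Set-Cookie from `originHost`:
// without a Domain attribute it becomes host-only for that exact host.
function store(originHost, name, { domain, secure = false } = {}) {
  return domain
    ? { name, domain, hostOnly: false, secure }
    : { name, domain: originHost, hostOnly: true, secure };
}

const jar = [
  store("secure.mydomain.com", "SECURE_SESSION", { secure: true }),
  store("secure.mydomain.com", "HOSTONLY_NO_FLAG"),
  store("www.mydomain.com", "SHARED", { domain: "mydomain.com" }),
  store("www.mydomain.com", "WWW_PREFS"),
];

// Which cookies travel with three representative requests.
function demo() {
  return {
    wwwHttp: cookiesSentTo("http://www.mydomain.com/", jar),
    secureHttps: cookiesSentTo("https://secure.mydomain.com/", jar),
    secureHttp: cookiesSentTo("http://secure.mydomain.com/", jar),
  };
}

console.log(demo());
```

In this model a cookie set with Domain=mydomain.com reaches both hosts, and a cookie without the Secure attribute still travels over plain http, so only host-only cookies flagged Secure stay confined to the https subdomain.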
