#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2007
    Posts
    20
    Rep Power
    0

    ColdFusion redirect to https for certain pages


    Hello,

    I'm trying to make certain pages redirect to https using ColdFusion in the application.cfm file. This works to a certain extent but the problem is when the page redirects to https the browser pops up the question wanting to know if you want to display 'All Content'.

    I take it this means that there is a page or content that is not secure which is causing the browser to pop up this message. Any idea how to get around this if files are scattered all over the place and are pulled in by cfincludes, script tags in other file, etc....

    I'm on CFMX7
  2. #2
  3. No Profile Picture
    Moderator

    Join Date
    Jun 2002
    Location
    Raleigh, NC
    Posts
    5,243
    Rep Power
    967
    You can tell which page elements are not using HTTPS by looking at the network panel of Firebug or the Chrome dev tools.

    As far as making them use HTTPS if they have HTTP hardcoded into the URL, there's no easy option. This is one reason people use relative or absolute paths rather than a full URL (e.g. "/images/myImage.jpg" instead of "http://myserver/images/myImage.jpg")

    If you must have the full URL, it's typical to see an application determine the current protocol from the CGI scope at the start of a request and store it in a variable (like "currentProtocol" or whatever). Then, all images, scripts, etc. use that variable in their URLs (e.g. src="#currentProtocol#://myserver/images/myImage.jpg").
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2007
    Posts
    20
    Rep Power
    0
    What about script tags that contain JavaScript? For instance, when the site loads all the files are loaded under the protocol of http://

    When the user click the sign in link a popup login page comes up that switches to https:// Once that happens the links on the login page stop working because it's controlled by Javascript which didn't switch over to the https protocol because it is contained in a different file.
  6. #4
  7. No Profile Picture
    Moderator

    Join Date
    Jun 2002
    Location
    Raleigh, NC
    Posts
    5,243
    Rep Power
    967
    The same rules apply to JavaScript code: use absolute or relative URLs, and avoid hardcoding the full URL with protocol. If the full URL is required, dynamically build the URL based on the current protocol.

    Unfortunately there's no magic solution for this, and it applies to every web application ever written that needs to dynamically switch between protocols.

IMN logo majestic logo threadwatch logo seochat tools logo