March 11th, 2013, 12:31 PM
-
ColdFusion redirect to https for certain pages
Hello,
I'm trying to make certain pages redirect to https using ColdFusion in the application.cfm file. This works to a certain extent but the problem is when the page redirects to https the browser pops up the question wanting to know if you want to display 'All Content'.
I take it this means that there is a page or content that is not secure which is causing the browser to pop up this message. Any idea how to get around this if files are scattered all over the place and are pulled in by cfincludes, script tags in other files, etc.?
I'm on CFMX7
March 11th, 2013, 02:04 PM
-
You can tell which page elements are not using HTTPS by looking at the network panel of Firebug or the Chrome dev tools.
As far as making them use HTTPS if they have HTTP hardcoded into the URL, there's no easy option. This is one reason people use relative or absolute paths rather than a full URL (e.g. "/images/myImage.jpg" instead of "http://myserver/images/myImage.jpg").
If you must have the full URL, it's typical to see an application determine the current protocol from the CGI scope at the start of a request and store it in a variable (like "currentProtocol" or whatever). Then, all images, scripts, etc. use that variable in their URLs (e.g. src="#currentProtocol#://myserver/images/myImage.jpg").
March 11th, 2013, 02:34 PM
-
What about script tags that contain JavaScript? For instance, when the site loads all the files are loaded under the protocol of http://
When the user clicks the sign in link a popup login page comes up that switches to https:// Once that happens the links on the login page stop working because it's controlled by JavaScript which didn't switch over to the https protocol because it is contained in a different file.
March 11th, 2013, 03:13 PM
-
The same rules apply to JavaScript code: use absolute or relative URLs, and avoid hardcoding the full URL with protocol. If the full URL is required, dynamically build the URL based on the current protocol.
Unfortunately there's no magic solution for this, and it applies to every web application ever written that needs to dynamically switch between protocols.
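An added example, not code from any poster in this thread: a rough regex audit (not a full HTML parser) that lists sub-resources hardcoded to http://, plus a helper that rebuilds a full URL from the page's current protocol as the answers describe. The function names, the ownHosts parameter and the sample markup are assumptions made for illustration; the "myserver" host comes from the thread.

```javascript
// Constructed sample markup, standing in for output assembled from many includes.
const SAMPLE_HTML = `
<script src="http://myserver/js/login.js"></script>
<img src="/images/myImage.jpg">
<link rel="stylesheet" href="http://myserver/css/site.css">
<script src="https://myserver/js/secure.js"></script>
<a href="http://myserver/help.cfm">Help</a>
<iframe src="//myserver/frame.cfm"></iframe>
`;

// Tags whose URL attribute makes the browser fetch a sub-resource. A plain
// <a href> is navigation, not a fetch, so it does not trigger the warning.
const SUBRESOURCE =
  /<(script|img|iframe|link|embed|source)\b[^>]*?\b(src|href)\s*=\s*["'](http:\/\/[^"']+)["']/gi;

// Return every sub-resource reference that hardcodes http://.
function findInsecureSubresources(html) {
  const hits = [];
  for (const m of html.matchAll(SUBRESOURCE)) {
    hits.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), url: m[3] });
  }
  return hits;
}

// Rebuild a full URL using the page's current protocol. pageProtocol is what
// location.protocol returns in a browser ("http:" or "https:").
function withCurrentProtocol(url, pageProtocol, ownHosts) {
  // Only http:// and protocol-relative URLs match; https:// URLs are left
  // alone so a secure reference is never downgraded.
  const m = /^(?:http:)?\/\/([^\/]+)(\/.*)?$/i.exec(url);
  if (!m) return url; // relative or root-relative path: already protocol-neutral
  // Hosts outside our control may not serve HTTPS at all, so leave them for review.
  if (!ownHosts.includes(m[1].toLowerCase())) return url;
  return `${pageProtocol}//${m[1]}${m[2] || "/"}`;
}

// Stand-alone run: print what the audit finds in the sample.
console.log(findInsecureSubresources(SAMPLE_HTML));
console.log(withCurrentProtocol("http://myserver/images/myImage.jpg", "https:", ["myserver"]));
```

Third-party URLs that the helper returns unchanged still need a manual check that the host serves the same file over HTTPS.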