Hello there: I have an SSL-enabled domain and would like to direct all page views from
to
Is this possible?
Thanks
try this
<cffunction name="onRequestStart">
<cfif cgi.server_port NEQ 443 >
<cflocation url="https://#CGI.SERVER_NAME#">
</cfif>
</cffunction>
Thanks very much,
For example, say I put this at the top of my index page:
<cfif cgi.server_port NEQ 443 >
<cflocation url="https://#CGI.SERVER_NAME#/mmm/">
</cfif>
I get an error:
Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.
DO NOT USE THAT CODE IN THE INDEX PAGE
Use that code in application.cfc
<cffunction name="onRequestStart">
Thanks, but I don't want my whole site to redirect to SSL, which, if I put that in application.cfc, I think would be the case.
try this,
add the files you need to redirect https to "httpsfilelist"
<cffunction name="onRequestStart">
<cfset httpsfilelist= "abc.cfm,test.cf,index.cfm">
<cfif cgi.server_port NEQ 443 >
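<!--- ListFindNoCase matches whole list elements; ListContains would also match substrings such as "dex.cfm" --->
<cfif (ListFindNoCase( httpsfilelist,GetFileFromPath(CGI.SCRIPT_NAME),",")) >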
<cflocation url="https://#CGI.SERVER_NAME#/index.cfm">
</cfif>
</cfif>
</cffunction>
I think that you might be able to do this with a rewrite rule....
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?domain\.ca$ [NC]
RewriteRule ^(.*)$ https://www.ssl_domain.ca/$1 [L,R=301]
assuming you have mod_rewrite or whatever the Windows rewrite equivalent is, you can just jack that into an .htaccess - assuming again you don't need CF to be aware of/trap redirects.
-sean
Thanks, this looks interesting but is a bit over my head. I thought this stuff was only an Apache feature.
Do I just stick this in a .htaccess file in my directory /mmm/?
Hi Nikos;
it's fairly straightforward, condition and rule + some regex [not the cf brand of regex]... if you are on linux/apache, yes - just jack it into an .htaccess file in your site root.
more info: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
if you are on winblows, yes - you might be boned.... a quick google turns up:
http://ask-leo.com/does_iis_support_url_rewriting.html
which is really unfortunate as you can do some really cool things with rewrite rules.
-sean
I'm on IIS
you might just check with your hosting company, IIS does have an aspi plugin or something that does the mod_rewrite functionality.
But reading your post more carefully [sorry] I see only specific pages are to be SSL, you would have to rewrite the regex for those rules to account for specific pages and probably pass any url query info along as well.
-sean
I'm confused, first you mentioned wanting to redirect all pages to SSL, and then said you didn't want to redirect all pages.
I redirect only specific pages to SSL, so I created a custom tag with the below code and add it to whatever pages I want to force SSL on:
<CFIF trim(cgi.server_port_secure) EQ 0>
<CFIF trim(cgi.query_string) IS "">
<CFLOCATION URL="https://#trim(cgi.server_name)##trim(cgi.script_name)#">
<CFELSEIF NOT trim(cgi.query_string) IS "">
<CFLOCATION URL="https://#trim(cgi.server_name)##trim(cgi.script_name)#?#trim(cgi.query_string)#">
</CFIF>
<CFABORT>
</CFIF>
I normally place the secure pages of any application into a different sub-domain entirely. It may be served by the same server, from the same underlying software, but the subdomain name is different.
For example: http://www.mydomain.com vs. https://secure.mydomain.com.
From the browser's point of view, these are "clearly two, different sites."
This also makes the cookies distinct ... usually, an important consideration. The browser thinks of the secure site as being "clearly a different site," and the cookies of that site are distinct ... and secured. (That is to say, the browser's not supposed to serve the cookies to any other site nor to serve them without an https connection in-place.)
You see, to properly maintain security, you need to avoid introducing information from an insecure area into a secure one, or vice-versa. You need to be certain that this takes place on the client side, which you cannot control: you can (through shared databases and so forth...) control things adequately on the server(s). You do not want the two pools of client-side information to be mixed ... or mixable.
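
An added illustration of the cookie separation described in the post above (not part of the original thread): a simplified JavaScript model of the RFC 6265 rules a browser applies when deciding whether to attach a cookie to a request. The host names are the ones from the post; the cookie name and value are constructed, and Path, expiry and public-suffix handling are left out.

```javascript
// Added example: simplified model of the RFC 6265 rules for attaching cookies.
// Path, expiry and public-suffix checks are omitted; cookie values are constructed.

// Domain-match (RFC 6265, 5.1.3): same host, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie as a browser would after a Set-Cookie response from responseHost.
// With no Domain attribute the cookie is host-only: exact host match required.
function storeCookie(setCookieHeader, responseHost) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: responseHost.toLowerCase(),
    hostOnly: true,
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "domain" && v.trim() !== "") {
      const d = v.trim().replace(/^\./, "").toLowerCase();
      // A host may only set a Domain that it domain-matches itself.
      if (!domainMatch(responseHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for requestUrl?
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== "https:") return false;
  return cookie.hostOnly
    ? url.hostname === cookie.domain
    : domainMatch(url.hostname, cookie.domain);
}

// Both cookies are set by the secure site; only the first stays confined to it.
const hostOnly = storeCookie("SID=abc123; Secure; HttpOnly", "secure.mydomain.com");
const shared = storeCookie("SID=abc123; Domain=mydomain.com", "secure.mydomain.com");
```

In this model `wouldSend(shared, "http://www.mydomain.com/")` is true, so the two pools of cookies stay apart only while the secure site sets its cookies without a `Domain` attribute and with `Secure`.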