Comments on: Forcing SSL and HTTPS with Redirects on Symfony 1.2

By: Alaattin Kahramanlar

Alaattin Kahramanlar — Tue, 04 May 2010 12:18:11 +0000

Ajax requests doesn't accept redirects, therefore I added following snippet at the beginning of the class.

// Exclude ajax requests.
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
{
$filterChain->execute();
return;
}

By: nicoonee

nicoonee — Mon, 15 Feb 2010 18:34:02 +0000

There is some mistake in Line 21 should be:
$modules = sfConfig::get(‘app_ssl_secure_actions’);

By: quoc

quoc — Mon, 18 Jan 2010 21:01:49 +0000

i am wondering what additional security benefits are being achieved which this plugin redirecting.

If the form data is first submitted over http (in clear text) than redirects to https, we are already sending sensitive data over the net in the first round trip.

By: Michael

Michael — Tue, 12 Jan 2010 12:32:04 +0000

Hi Graham,

sorry. I didn’t know enough about symfony filters. I needed to place the configuration for the sslFilter before execution filter in the filters.yml file.

Thanks for the great post.

Regards,
Michael

By: Michael

Michael — Tue, 12 Jan 2010 05:29:10 +0000

Hi Graham,

I installed your filter as instructed, but from looking at the logs, it doesn’t seem to be executing.
Do you have any ideas on what I might be doing wrong?

Thanks,
Michael

By: Nathan

Nathan — Mon, 07 Dec 2009 20:00:44 +0000

@Ruddy: I experienced this as well and would suggest to the author to expand this filter to accomodate per-module “strict” options.

In the mean time, I made a small change to the filter to make an exception for my 404 module/action combination:

This:
if ($only_explicit && $is_secure && !$listed) {

Becomes this:
if ($only_explicit && $is_secure && !$listed) && !($module_name == ‘my404module’ && $action_name == ‘my404action’)) {

By: Ruddy

Ruddy — Mon, 19 Oct 2009 07:33:22 +0000

This stuff can cause an infinite loop if :
- you use forward404 in a secure action
- you overwrite your 404 action to home/error404 for example which is not secure…

We really need to have the strict option there but have to be able to setup a strict option per module also instead of a global setting.
So, I can have strict=false for home/error404 which needs to be display in secure and non-secure fashion

By: j.org

j.org — Thu, 01 Oct 2009 11:06:39 +0000

I am facing the same task currently and this post helps me a lot (and also Jesteps). But I’m wondering whether there’s a automatic way to include additional behaviour to the provided redirection solution (which is fine for directly typed links and so on). Specifically I really would like to have urls generated with the url_for, link_to helper group to automatically reference the https protocol depending on the given application configuration.

I read about hacks been applied to older versions of symfony achieving this, but I guess there has to be a proper way of overloading gen_url.

This way the mentioned problem regarding post requests (on login forms for example) wouldn’t occur, given that the “action” attribute was generated with one of the said methods.

Best regards

By: Graham Christensen

Graham Christensen — Wed, 02 Sep 2009 01:54:16 +0000

Unfortunately, as far as I know it isn’t possible to re-send the POST information. Since it is a POST request and not a GET request, they can’t be passed through the URL. Also, the sfSslRequirementPlugin for Symfony, also didn’t implement this feature. as far as I can tell. Although, if you find a way to address that issue – please let me know.

Good catch, I hadn’t even thought about that.

Graham

By: Jestep

Jestep — Tue, 01 Sep 2009 23:46:42 +0000

One thing that I didn’t address in my script, and it looks like isn’t covered in yours either, was if POST requests are redirected. Since the post variables wont get forwarded to the secure version of the page, it’s possible to cause some major usability problems.