|
Forcing an SSL redirect using Coldfusion |
||||||||
I've never really coded much around individual Secure templates, but this afternoon I found myself working in a framework where certain templates were required to be called with the 'https' URL instead of standard non secure URLs.
This turns out to be incredibly easy. There is a variable in the cgi scope that tells you if the request is served under a secure port or not, cgi.server_port_secure returns true or false (1/0), so you can use it to redirect people to where they should be.
1<cfif NOT cgi.server_port_secure>
2
3 <cflocation url="https://#cgi.server_name##cgi.script_name#"
4 addtoken="false">
5
6</cfif>
2
3 <cflocation url="https://#cgi.server_name##cgi.script_name#"
4 addtoken="false">
5
6</cfif>
I've used other cgi values above as I've put this in a 'prefuseaction' function in a fusebox CFC controller file. That way all requests to any actions in that file are routed to the SSL equivalent.
TweetBacks
If this is something "important" that needs to be secure (e.g. involving payments/etc) then you should consider running a security scan against the site to check if it might be vulnerable to session fixation problems.
(Also, Jason Dean and Pete Freitag both write about security issues regularly - worth checking out their blogs if you haven't already.)
@peter luckily this platform is session free, but that is a consideration. I guess you could replicate the cookie scope using Google crossdomain code to 'bridge' from http to https.
@daz still got that issue, my resource tells me its not SSL related tho, but account file permissions, got someone on it now :-)
Need to brush up on my regex really, wonder if there is a re write 'cook book' style site.