Detecting https across Railo and ColdFusion Server

Previously I had a way of detecting whether page requests were being made via ssl but today I came across a scenario where this doesn’t work. Let me explain…

Right now we’re looking at developing across different ColdFusion engines, “ColdFusion” of course but also “Railo”. One of the applications we had detected whether a request was being made securely (https) and if it wasn’t we turned off session management for security reasons. The basic code looked like the following snippet:

oRequest = getPageContext().getRequest();
if (oRequest.isSecure())
{
	this.sessionManagement = true;
	this.sessionTimeout = createTimeSpan(0,0,20,0);
	this.setClientCookies = true;
}
else
{
	this.sessionManagement = false;
	this.setClientCookies = false;
}

This was working all fine and dandy for ColdFusion Server, but was failing when we went to Railo (at least in the way we configure Railo). The reason was that we proxy page requests on Railo through Apache to Tomcat. This proxy is done over http regardless of the actual client request to the server. I guess the reason for this is that Apache to Tomcat is considered part of your secure (server) network. What was happening was that isSecure() was coming back false, because of this proxy request.

Mark came up with a cool solution for this. We simply add a custom header in the Apache conf file.

RequestHeader set https on

All this does is set a value in the request header, which we can pick up via the CGI scope, i.e. CGI.https

Now this key (https) already exists on ColdFusion server and will be blank for http requests and “on” for https requests. This is the reason we set the custom header value to “on” in the Railo vhost, so our application code is easily compatible across the two ColdFusion engines.
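An added example, not part of the original post: the same directive shown in both vhosts, so that only Apache can set the header. The ServerName value is a placeholder, and the certificate and proxy directives are left out because the post does not show them.

```apache
# Added example (constructed): ServerName is a placeholder.
# Both vhosts need mod_headers loaded.

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # (certificate and proxy-to-Tomcat directives omitted)

    # Overwrites any "https" header the client sent, then marks the request.
    RequestHeader set https on
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    # (proxy-to-Tomcat directives omitted)

    # A client can send its own "https: on" header over plain http.
    # Strip it here so the value never comes from the client.
    RequestHeader unset https
</VirtualHost>
```

The header can only be trusted when Tomcat accepts connections from Apache alone, since a request that reaches Tomcat directly carries whatever headers its sender chose.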

So now we just have a simple function to detect ssl requests:

<cffunction name="isRequestSecure" access="public" output="false" returnType="boolean">

	<cfset var secure = false>

	<cfif cgi.https EQ "on">
		<cfset secure = true>
	</cfif>

	<cfreturn secure>
</cffunction>

Now we can easily call isRequestSecure() which will be either true or false. Nice :)

Don’t forget that the CGI scope is kind of “magic”, in that we won’t ever need to param a key in that struct (like CGI.https).


cfhttp issues using “.local” on Mac OS X

Ran into an interesting problem today doing something quite simple. Basically all I was doing was posting xml data to a URL, but I kept getting a 408 request timeout and I didn’t know why.

We happen to use the “.local” domain name structure for local development. I was posting data from one local site to another e.g.

http://mysite1.local -> http://mysite2.local

When I dumped cfhttp on the posting page I got the following error:

[Image: cfhttp dump]

Now I hadn’t come across this error before with cfhttp and nothing I did fixed the issue, I even got that message using a “GET” method. It wasn’t till I tried “GET” from a public domain (http://www.google.com, which worked) that I thought to try a local domain which didn’t use “.local”.

Success!

Mark mentioned that it could be a problem with Bonjour (as I’m on a Mac) which uses .local.

This is kinda timely as we’re moving away from the “.local” convention in favour of “.cf7”, “.cf9”, “.railo” etc as we’re using multiple cfmx engines for different projects and that provides a way to easily test codebases against different engines easily.


BrowserLab live on adobe.com

I’m probably a bit behind the times with this one, but Adobe have added “BrowserLab” functionality to “preview and test your web pages on leading browsers and operating systems – on demand”.

Seems to work like other paid services, but is free :)

https://browserlab.adobe.com/

Available browser options (across mac and windows) include:

  • IE 6/7/8
  • Firefox 2/3
  • Safari 3/4

[Image: michaelsharman.com]


Extracting URL variables using JavaScript

Server side languages are cool in that they give you a nice associative array to access URL variables. ColdFusion has the URL scope, PHP has $_GET[] etc, but how do you get these values easily with JavaScript?

I came across a post over at Jake Munson’s blog which had just what I needed. Actually although Jake’s solution was perfectly valid, I preferred a slight modification from one of the commenters which wrapped the entire URL string into an associative array so you can access the entire URL scope, as well as extracting a specific value via a key. Thanks Chad (and Jake).

So if you had a URL like http://www.mysite.com/?s=the first param&email=someone@me.com you could get the following:

[Image: jsdump]

Here is the JavaScript function (note that we wrap all functions into objects to avoid any naming collisions, hence the “Learnosity.” convention):

Learnosity.getURL = function()
{
	document.getVars = [];
	var urlHalves = String(document.location).split('?');
	if(urlHalves[1])
	{
		var urlVars = urlHalves[1].split('&');
		for(var i=0; i<urlVars.length; i++)
		{
			if(urlVars[i])
			{
				var urlVarPair = urlVars[i].split('=');
				document.getVars[urlVarPair[0]] = urlVarPair[1];
			}
		}
	}
	return document.getVars;
}

To access the “email” key in the URL, simply call

Learnosity.getURL().email;

Another modification which I added was to unescape any strings, so removing things like %20 (a space character) that might be in the URL value. The following will automatically unescape all values, if this isn’t what you want you can pass “false” to the function (i.e. Learnosity.getURL(false);)

Learnosity.getURL = function(unesc)
{
	var clean = (unesc === undefined)?true:unesc;
	document.getVars = [];
	var urlHalves = String(document.location).split('?');
	if(urlHalves[1])
	{
		var urlVars = urlHalves[1].split('&');
		for(var i=0; i<urlVars.length; i++)
		{
			if(urlVars[i])
			{
				var urlVarPair = urlVars[i].split('=');
				document.getVars[urlVarPair[0]] = (clean)?unescape(urlVarPair[1]):urlVarPair[1];
			}
		}
	}
	return document.getVars;
}
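
A hardened variant of the function above, as an added example that is not from the original post or its commenters. It goes a little beyond the post's case: it takes the URL as an argument so it also runs outside a browser, and it handles fragments, "+" as a space, values containing "=", malformed escapes and keys such as `__proto__`. The names `parseQuery` and `safeDecode` are hypothetical.

```javascript
// Added example: hardened variant of getURL(). Function names are hypothetical.
function parseQuery(url, decode) {
	var clean = (decode === undefined) ? true : decode;
	// Prototype-less object: keys such as "__proto__" or "length" are plain data.
	var vars = Object.create(null);
	var query = String(url).split('#')[0]; // drop the fragment first
	var qPos = query.indexOf('?');
	if (qPos === -1) {
		return vars;
	}
	var pairs = query.slice(qPos + 1).split('&');
	for (var i = 0; i < pairs.length; i++) {
		if (!pairs[i]) {
			continue; // skip empty segments such as "a=1&&b=2"
		}
		// Split on the first "=" only, so "t=a=b" keeps the value "a=b".
		var eq = pairs[i].indexOf('=');
		var key = (eq === -1) ? pairs[i] : pairs[i].slice(0, eq);
		var value = (eq === -1) ? '' : pairs[i].slice(eq + 1);
		vars[safeDecode(key, clean)] = safeDecode(value, clean);
	}
	return vars;
}

function safeDecode(text, clean) {
	if (!clean) {
		return text;
	}
	try {
		// "+" means a space in form-encoded query strings.
		return decodeURIComponent(text.replace(/\+/g, ' '));
	} catch (e) {
		return text; // malformed escape such as "%E0%A4%A": keep the raw text
	}
}

// Constructed sample URL, based on the one in the post.
var sample = 'http://www.mysite.com/?s=the%20first+param&email=someone%40me.com'
	+ '&t=a=b&bad=%E0%A4%A&__proto__=x#top';
var result = parseQuery(sample);
console.log(result.s, result.email, result.t, result.bad);
```

The returned values are still user-controlled input, so write them to the page with `textContent` rather than `innerHTML`.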

Firefox changing default download location?

Hmm it seems Firefox (Windows) 3.5.2 has decided to change the default location for downloading files. Used to be the desktop, but if you suddenly discover that you can’t find things you’ve downloaded you might want to head to Tools->Options in Firefox.

If you see “Downloads” as the chosen folder (as below), you can change it back to the desktop.

[Image: ffdownload]

Safari (at least on the Mac) also annoyingly places files there.
