Detecting and redirecting http to https

There was a recent thread on the Mach-II mailing list where a user wanted to detect whether a request was being made via http or https.

This is quite a common step developers take when working on a site with secure (SSL) and non-secure areas. As the list is Mach-II, there are a couple of obvious framework-specific options to take, those being Filters and Plugins. Although Peter Farrell does have an sslPlugin available, I liked the approach put forward by Matt Osbun:

<!--- Compare() returns 0 only when the port is 443, so the redirect runs for any other port --->
<cfif Compare(cgi.SERVER_PORT,443)>
	<cflocation url="https://#cgi.server_name##cgi.path_info#?#cgi.query_string#" addtoken="false"/>
</cfif>

Now I know a lot of people don’t like using CGI scoped variables, even the more common ones, so I thought I’d try it out with getPageContext().

<!--- set up the getRequest method for easy access --->
<cfset oRequest = getPageContext().getRequest() />

<cfif compare(oRequest.getServerPort(), 443)>
	<cflocation url="https://#oRequest.getServerName()##oRequest.getRequestURI()#?#oRequest.getQueryString()#" addtoken="false" />
</cfif>

As you can see it’s a little bit longer, but I believe it is a safer option than relying on CGI variables.

A slight modification (still using getRequest()) is to test isSecure(), which “Returns true if this protocol is secure”:

<!--- set up the getRequest method for easy access --->
<cfset oRequest = getPageContext().getRequest() />

<cfif NOT oRequest.isSecure()>
	<cflocation url="https://#oRequest.getServerName()##oRequest.getRequestURI()#?#oRequest.getQueryString()#" addtoken="false" />
</cfif>
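
isSecure() describes only the connection the servlet container itself accepted, so behind a TLS-terminating proxy or load balancer it stays false and the redirect above repeats on every request. The following is an added example, not code from the original post, that goes beyond the post's direct-connection case: it optionally honours X-Forwarded-Proto, redirects only GET/HEAD requests to a configured host instead of the Host-derived getServerName(), and omits the "?" when there is no query string. Assumptions: `application.config.behindTlsProxy` and `application.config.httpsHost` are hypothetical settings, the function names are illustrative, and the proxy is assumed to overwrite any client-supplied X-Forwarded-Proto.

```cfml
<!--- Added example. application.config.behindTlsProxy and application.config.httpsHost
      are hypothetical settings, not part of the original post. --->
<cffunction name="isSecureRequest" returntype="boolean" output="false">
	<cfargument name="behindTlsProxy" type="boolean" required="true" />
	<cfset var headers = getHttpRequestData().headers />
	<!--- Direct TLS connection to the servlet container --->
	<cfif getPageContext().getRequest().isSecure()>
		<cfreturn true />
	</cfif>
	<!--- Honour the header only when a proxy that overwrites it is known to sit in front;
	      otherwise any client could send it and skip the redirect --->
	<cfif arguments.behindTlsProxy AND structKeyExists(headers, "X-Forwarded-Proto")>
		<cfreturn compareNoCase(trim(headers["X-Forwarded-Proto"]), "https") EQ 0 />
	</cfif>
	<cfreturn false />
</cffunction>

<cffunction name="buildHttpsUrl" returntype="string" output="false">
	<cfargument name="httpsHost" type="string" required="true" />
	<cfset var oRequest = getPageContext().getRequest() />
	<!--- Host comes from configuration, not from the request's Host header --->
	<cfset var target = "https://" & arguments.httpsHost & oRequest.getRequestURI() />
	<!--- cgi.query_string is an empty string when the request has no query string --->
	<cfif len(cgi.query_string)>
		<cfset target = target & "?" & cgi.query_string />
	</cfif>
	<cfreturn target />
</cffunction>

<cfif NOT isSecureRequest(application.config.behindTlsProxy)>
	<cfif listFindNoCase("GET,HEAD", cgi.request_method)>
		<cflocation url="#buildHttpsUrl(application.config.httpsHost)#" addtoken="false" statuscode="301" />
	<cfelse>
		<!--- A redirect would drop the request body, which has already been sent in clear text;
		      refusing the request is one possible policy --->
		<cfheader statuscode="403" />
		<cfabort />
	</cfif>
</cfif>
```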

I’m still (slowly) making my way through getPageContext(); it can provide an absolute wealth of knowledge for the ColdFusion programmer. You can view the 1.4 pagecontext docs here and the servletrequest docs here.

14 Comments

  1. July 21, 2007 at 4:24 pm | Permalink

    Nice post! I love the .isSecure() function a lot – who hasn’t had to deal with this scenario.

    I have been trying to explore the GetPageContext() also. You might want to see what I have so far:

    http://www.bennadel.com/index.cfm?dax=blog:758.view

    I have not gone through the GetRequest() object yet (although I do use the GetRequestURL() string buffer sometimes).

    Anyway, now I want to go and jump into it again :)

  2. July 22, 2007 at 10:38 pm | Permalink

    Thanks Ben, wow you’ve certainly been exploring getPageContext() hehe!

    Excellent :)

  3. Nienna
    April 3, 2008 at 3:12 am | Permalink

    Thank you! this really helped me with a problem

  4. April 27, 2008 at 9:26 pm | Permalink

    thanked post

  5. May 19, 2009 at 1:02 pm | Permalink

    thanks:but

    sticks me in an infinite loop

  6. May 19, 2009 at 1:03 pm | Permalink

    the 3rd piece of code puts me in an infinite loop

  7. May 20, 2009 at 4:18 am | Permalink

    @Nikos – Not sure if this page was caching on an old draft, the 3rd example works fine but you should check that you have

    cfif NOT oRequest.isSecure()

    Note the “isSecure()”

  8. May 20, 2009 at 8:41 am | Permalink

    Yeah I’ve put cfif NOT oRequest.isSecure() in but I still get the same problem.

    I’ve also cleared my browser cache

  9. May 20, 2009 at 9:37 am | Permalink

    Not sure what I can tell you except I have it running in multiple production sites! Here is a slightly different version…from a live site:

    Inside onRequestStart()
    ——————————————
    <cfscript>
    oRequest = getPageContext().getRequest();
    request.isSecure = oRequest.isSecure();
    </cfscript>

    Inside a shopping cart page
    ——————————————
    <cfif NOT request.isSecure>
    <cflocation url="#application.config.httpsURL#" addtoken="false">
    </cfif>

  10. November 19, 2009 at 2:46 pm | Permalink

    Thanks for this, worked great to redirect some login pages.

  11. September 3, 2010 at 10:11 pm | Permalink

    What’s the performance hit on this? I’d like to detect whether the connection is secure, and if it is, import the secure Google Analytics code, and if it’s not secure, import the regular code.

    Is this the best way to do it? I imagine the server will be checking for security when every page loads, and that sounds a bit resource-intensive.

  12. September 8, 2010 at 10:26 pm | Permalink

    @Ragdoll – in my example above the performance hit would be tiny, nothing I would ever worry about as it’s really just checking the value of existing variables. That being said we had issues recently using this snippet on railo, but we had a workaround for that.

    In your case I’d always load GA code (the new code inside the header) using the example that Google provides. Let them worry about if/when the site is being accessed securely or not.

  13. December 16, 2010 at 5:23 pm | Permalink

    Michael, great post! This came in very handy for me today when I was in a bind. Pulled it up via Google keyword search and it worked like a charm. I owe you a coffee.

  14. November 8, 2011 at 5:34 pm | Permalink

    I like your method much better than using CGI variables. It might be one or two more lines of code but I feel it’s worth it because it gives you more control over the redirect. Nice work. :)

One Trackback

  1. [...] I had a way of detecting whether page requests were being made via ssl but today I came across a scenario where this doesn’t work. Let me [...]
