[coldbox:3.8.1.00076] SSL interceptor not working

I’ve tried to use the SSL interceptor from forgebox and I only receive redirect loop errors. I dug through a lot of code and I must be misunderstanding something because, as written, I don’t believe the SSL interceptor actually does anything.

Here’s the “meat” of the redirection from the SSL.cfc that I downloaded from forgebox:

    if( !isSSL && isSSLRequired(event) ){
        setNextEvent(uri=cgi.script_name & cgi.path_info,ssl=true,statusCode=302,queryString=cgi.query_string);
    }
    // Check if in SSL and NO SSL Required
    else if( isSSL && !isSSLRequired(event) ){
        setNextEvent(uri=cgi.script_name & cgi.path_info,ssl=false,statusCode=302,queryString=cgi.query_string);
    }

Notice how setNextEvent uses the URI argument.

I then examined the “setNextEvent” function in coldbox/system/web/Controller.cfc and there is a switch statement used to build up the relocationURL. Here is its code:

    // URI relative relocations
    case "URI" : {
        relocationURL = arguments.URI;
        // Query String?
        if( len(trim(arguments.queryString)) ){ relocationURL = relocationURL & "?#arguments.queryString#"; }
        break;
    }

You’ll notice that it does nothing based upon the SSL argument. So, I’m wondering where I’ve gone wrong in trying to implement the SSL interceptor. My reading of the code is that it’ll simply redirect to the same page and make no change based upon the SSL argument which leads to redirection loops.

Therefore, I would propose that the setNextEvent calls be rewritten to use URL instead of URI (which is probably easier than rewriting a core function of coldbox to build up a URL using the URI and SSL arguments).

You could, in SSL.cfc, write:

    setNextEvent(url="http://" & cgi.server_name & cgi.script_name & cgi.path_info, ssl=true, statusCode=302, queryString=cgi.query_string);

If you look closely at Controller.cfc, all the ssl=true flag does is perform a string replace on the relocationURL variable and swap “http:” for “https:”. With a relative URL, “http:” doesn’t exist.

Because this interceptor has been out for years, I feel like I can’t be the first person to notice this, so I must be missing something. Thanks for your help!

Thanks to Jonathan Perret who emailed me a fix to the guts of the SSL.cfc:

    if( !isSSL && isSSLRequired(event) ){
        flash.keep();
        var toURL = event.buildLink( linkTo=reReplace( cgi.path_info, "^/", "" ), queryString=cgi.query_string );
        setNextEvent(url=toURL, statusCode=302, ssl=true);
    }
    // Check if in SSL and NO SSL Required
    else if( isSSL && !isSSLRequired(event) ){
        flash.keep();
        var toURL = event.buildLink( linkTo=reReplace( cgi.path_info, "^/", "" ), queryString=cgi.query_string );
        setNextEvent(url=toURL, statusCode=302, ssl=false);
    }
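The redirect behaviour discussed in this thread, as an added example that is not part of the original posts and is not ColdBox code: a small Python model of a browser following the interceptor's redirect, once with the relative URI and once with an absolute URL. The function names, the host example.test and the handling of ssl=false as the reverse string replace are assumptions for illustration.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # stand-in for the browser's redirect limit


def apply_ssl_flag(relocation_url, ssl):
    """Model of the ssl flag as described in the thread: a plain string
    replace on the scheme prefix. The ssl=False direction is an assumption."""
    if ssl:
        return relocation_url.replace("http:", "https:", 1)
    return relocation_url.replace("https:", "http:", 1)


def interceptor_location(request_url, ssl_required, use_absolute_url):
    """Return the Location value the modelled interceptor sends, or None."""
    parts = urlsplit(request_url)
    is_ssl = parts.scheme == "https"
    if is_ssl == ssl_required:
        return None  # scheme already matches the requirement, no redirect
    if use_absolute_url:
        # absolute URL built from the current request, as in the patched call
        target = f"{parts.scheme}://{parts.netloc}{parts.path}"
    else:
        # relative path, as in uri=cgi.script_name & cgi.path_info
        target = parts.path
    if parts.query:
        target += "?" + parts.query
    return apply_ssl_flag(target, ssl_required)


def follow(start_url, ssl_required, use_absolute_url):
    """Follow redirects like a browser; return (final_url, hops, looped)."""
    url, seen = start_url, set()
    for hops in range(MAX_HOPS + 1):
        if url in seen:
            return url, hops, True  # same URL requested twice: redirect loop
        seen.add(url)
        location = interceptor_location(url, ssl_required, use_absolute_url)
        if location is None:
            return url, hops, False
        # a relative Location is resolved against the current URL, so the
        # scheme never changes when there is no "http:" to replace
        url = urljoin(url, location)
    return url, MAX_HOPS, True
```

With the relative URI the client is sent back to the same http:// address and the loop is detected on the first hop; with the absolute URL the scheme is rewritten and the second request passes the check.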

Thanks for documenting this – I was having the same issues and couldn’t figure out why it was malfunctioning.

If this is actually broken, can you enter a bug please?

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com