[coldbox-3.8.1] SES, SSL and all the various baseURLs

I’m working on a CB web app that utilizes SES and SSL, where only certain events will be secured with SSL, while most of the site will not be SSL.

I downloaded the SSL interceptor using CommandBox: install ssl-support-interceptor and made the adjustments listed in this post to redirect using the full URL rather than the URI because I was having problems with redirect loops. So that is my setup.

My question is this – what is the best practice way to get htmlBaseURL to reflect on a per request basis the current protocol being used?

In my Main.cfm layout I have:

`

`

But when the request is HTTPS that setting still has HTTP, which of course causes the browser to lose its mind trying to include .css and .js files over an unsecured connection – heavens no!

So…I’ve played around a lot in the PreProcess of the ssl.cfc (SSL Interceptor) and looked at the ColdBox core SES.cfc interceptor and have had some minor successes here and there but at the end of the day I am just not certain what I should type into which file so I don’t make headaches for me down the road. Those settings for htmlBaseURL and sesBaseURL are defined once for the life of the application when the SES Interceptor gets registered, right?

Snippet from SES.cfc Configure function

// Save the base URL in the application settings setSetting('sesBaseURL', instance.baseURL ); setSetting('htmlBaseURL', replacenocase( instance.baseURL, "index.cfm", "") );

Also, my current interceptor order in Coldbox.cfc is Autowire, SES, SSL, Security…sound right?

Thanks!
Wes

I always use this interceptor (or a version thereof) which re-sets the base URL on every request. Will this fix your issue?

http://www.coldbox.org/forgebox/view/Multi-Domain-SES

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

Yeah, this is one of the things that has annoyed me with ColdBox and ContentBox especially. The fix is to do waht Brad has suggested, or an interceptor that checks if it is an SSL connection or not and adjust it the same way.

No idea why this was NEVER added to the likes of ColdBox is beyond me.

Thank you, Brad and Andrew!

@Brad, where does the htmlBaseURL get set with that MultiDomainSES.cfc interceptor? I see the line:

arguments.event.setSESBaseURL("http://" & cgi.http_host & "/index.cfm");

but event.setSESBaseURL() won’t trigger a change to htmlBaseURL, right? I’m using htmlBaseURL in my template as the base tag as described in the documentation, but I am still fuzzy on the best way to ensure that htmlBaseURL holds the correct value when I’ve got SES and SSL in play.

One of the “solutions” I had toyed with was an interceptor like this:

`
component name=“baseURL” output=“false” extends=“coldbox.system.interceptor” hint=“Fixes up the various Base URLs after the SES and SSL interceptors run” {

void function preProcess(event, interceptData){
// adjust the SESBaseURL based on whether SSL or not
if (event.isSSL()) event.setSESBaseURL(ReplaceNoCase(event.getSESBaseURL(), ‘http:’, ‘https:’));
else event.setSESBaseURL(ReplaceNoCase(event.getSESBaseURL(), ‘https:’, ‘http:’));

setSetting(‘htmlBaseURL’, replacenocase( event.getSESBaseURL(), “index.cfm”, “”) );
}
}
`

Will that tear a hole in the universe? I’ve got that interceptor currently defined after SES, SSL and Security…and it seems to be working properly…

Thanks for any additional insight!

Wes

You don’t want to change the setting, since that’s application-scoped and will create race conditions when more than one person hits your site at the same time. You can see how Luis solved it in ContentBox.

This is from the layout used in the admin:
https://github.com/bdw429s/ContentBox/blob/master/modules/contentbox-admin/layouts/admin.cfm#L12

He basically just created a helper function in the contentbox helper plugin:
https://github.com/bdw429s/ContentBox/blob/master/modules/contentbox/plugins/CBHelper.cfc#L157

All it does is run this code and return the result:

return replacenocase( getRequestContext().buildLink(’’), “index.cfm”, “” );

Of course, buildLink() just appends your link (nothing in this case) to the SESBaseURL, but adds the necessary switches for HTTP/HTTPS, etc.

I’m sure you could create a little helper function somewhere to do the same thing. It also might not hurt to put in a ticket for ColdBox to support this a bit better out of the box.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

Thanks, Brad – I’ll read through that code and adjust my approach. I really appreciate the guidance!

Wes