I would like to propose a minor change to the setNextEvent method in
Controller.cfc. This issue seems to have existed as far back as
2.6.2.
setNextEvent has an argument called SSL which is used in the line 400
of system\web\Controller.cfc (CB3 M4) like so:
// Check SSL?
if( arguments.ssl ) {relocationURL =
replacenocase(relocationURL,"http:","https:"); }
The problem with that is that if SSL is set to false and
oRequestContext.getSESBaseURL() returns an https URL, it doesn't turn
the HTTPS back into an HTTP.
In my app, I have an interceptor which sets the SESBaseURL with the
CURRENT CGI info on every request. This ensures all assets (images,
JS, CSS, etc) for that page are also rendered with the correct host
name as well securely if need-be.
So, if I am on an HTTPS page and I ask ColdBox to set the next event
to a specific handler which does NOT need to be secure, ColdBox
ignores the SSL value of false and does not revert the URL into HTTP.
I would like to suggest the following "else" statement be added in the
setNextEvent method to account for both scenarios:
// Check SSL?
if( arguments.ssl ) {relocationURL =
replacenocase(relocationURL,"http:","https:"); }
else {relocationURL = replacenocase(relocationURL,"https:","http:"); }
Thanks!
~Brad