1
votes

I'd like to implement HTTPS for all pages.

I use CakePHP 2.3 with the "Auth" component.

Actually, the only way I found is to add a "beforeFilter-condition".

But this is very dirty because I have a lot of "not-SSL" requests because of the Auth component.


AppController.php --->

class AppController extends Controller {

  public function beforeFilter() {
    if (env("SERVER_PORT") != "443") {
      $this->Security->blackHoleCallback = 'forceSSL';
      $this->Security->requireSecure();
    }
  }

  public function forceSSL() {
    $this->redirect('https://' . env('SERVER_NAME') . $this->here);
  }

}




The problem appears when I am not logged in and I try to access my website:

  • Request --> Response (because of)
  • GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/ (beforeFilter-redirection)
  • GET hxxps://MYSITE/ --> 302 hxxp://MYSITE/users/login (Auth component)
  • GET hxxp://MYSITE/users/login --> 302 hxxps://MYSITE/users/login (beforeFilter-redirection)
  • GET hxxps://MYSITE/users/login --> 200
  • POST hxxps://MYSITE/users/login (with creds) --> 302 hxxp://MYSITE/ (Auth component)
  • GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/
  • GET hxxps://MYSITE/ --> 200

So, do you know another way to do that?


NB: I had to force my cookies to be secure in core.php because they weren't.

core.php --->

Configure::write('Session', array(
  'defaults' => 'php',
  'ini' => array(
    'session.cookie_secure' => true
  )));




Note that I also tried to force SSL by modifying .htaccess, but all I get is an infinite loop.

EDIT:

The default .htaccess in CakePHP is

<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteRule    ^$ app/webroot/    [L]
   RewriteRule    (.*) app/webroot/$1 [L]
</IfModule>

What I tried to add:

RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
1
I would say that if you want all your site's pages then this would be a job for Apache or IIS and how your hosts are mapped. I know you've said you've tried to modify .htaccess but I truly believe this is the right thing to do. – Sam Delaney
@sam-delaney Hum, right, but do you know the way to do that on Cake2.3? – Starflash
It doesn't matter which version of CakePHP you're using since what I'm suggesting applies to the software which sits under PHP, which is usually Apache (but could be IIS or others). Apache is what reads your .htaccess files. A quick Google resulted in this article which may assist you. Is this on your local machine? Are you running a WAMP stack or something similar? – Sam Delaney
Yes, I know what an htaccess is :) But what I said is that when I tried (see the edit on my post) I had an infinite loop because of incompatibility between lines. – Starflash
When I looked up your .htaccess configuration I found a slightly different layout (askapache.com/htaccess/…). Where are you being redirected to? – Sam Delaney

1 Answer

2
votes

Finally, the solution I chose was:

  • Deleting /app/webroot/.htaccess and /app/.htaccess

  • Modifying /.htaccess to

.htaccess --->

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

  • Disabling URL-Rewriting in Cake

core.php --->

Configure::write('App.baseUrl', env('SCRIPT_NAME'));



Now access is via hxxps://www.mysite.com/index.php/controller/action
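
As an added example (not code from the original post or from CakePHP), this Python script parses the redirect trace given in the question and flags every hop where an HTTPS request is answered with a redirect to an http:// URL, which is the check to repeat on a fresh trace after changing the redirect setup. The trace is copied from the question with its hxxp/hxxps spelling; the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the trace from the question, hxxp/hxxps kept as posted.
TRACE = """\
GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/ (beforeFilter-redirection)
GET hxxps://MYSITE/ --> 302 hxxp://MYSITE/users/login (Auth component)
GET hxxp://MYSITE/users/login --> 302 hxxps://MYSITE/users/login (beforeFilter-redirection)
GET hxxps://MYSITE/users/login --> 200
POST hxxps://MYSITE/users/login (with creds) --> 302 hxxp://MYSITE/ (Auth component)
GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/
GET hxxps://MYSITE/ --> 200
"""

# METHOD URL [note] --> STATUS [Location] [(cause)]
HOP = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<url>\S+).*?-->\s*(?P<status>\d{3})"
    r"(?:\s+(?P<location>\S+))?(?:\s+\((?P<cause>[^)]*)\))?\s*$"
)

def scheme(url):
    """Scheme of a URL, undoing the hxxp/hxxps defanging first."""
    return urlsplit(url.replace("hxxp", "http", 1)).scheme.lower()

def parse_trace(text):
    """Turn trace lines into dicts; lines that are not hops are skipped."""
    matches = (HOP.match(line.strip(" \t•")) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def is_downgrade(hop):
    """True when an HTTPS request is redirected to an http:// URL."""
    return (hop["location"] is not None and scheme(hop["url"]) == "https"
            and scheme(hop["location"]) == "http")

def audit(hops):
    """Return (downgrades, cleartext requests, cleartext requests caused by a downgrade)."""
    downgrades = [h for h in hops if is_downgrade(h)]
    cleartext = [h for h in hops if scheme(h["url"]) == "http"]
    induced = [nxt for prev, nxt in zip(hops, hops[1:])
               if is_downgrade(prev) and nxt["url"] == prev["location"]]
    return downgrades, cleartext, induced

if __name__ == "__main__":
    downgrades, cleartext, induced = audit(parse_trace(TRACE))
    for h in downgrades:
        print(f"downgrade: {h['method']} {h['url']} -> {h['location']} ({h['cause']})")
    print(f"{len(cleartext)} cleartext requests, {len(induced)} caused by downgrades")
```

On this trace, only the first cleartext request comes from the URL the client started with; the other two follow directly from the Auth component's redirects to http://.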