#4512 (ok 4.4.7) ForceSSL Redirect Check

4.4.0
fixed
None
Normal
2015-05-16
2014-08-11
Rob Ryan
No

Forgive me if this is just a lack of understanding. I usually make this change when I install new versions, and I can't see much online to give me the reasoning for why it works the way it does.

The "check HTTPS connection" in libraries/common.inc.php uses is_https to check whether a redirect should be made if ForceSSL is turned on. From is_https: "This function checks if the https protocol is used in the PmaAbsoluteUri", which as I understand it is the configuration value, which will always contain https:// if set that way.

Should it not instead use detectHttps to check if the active connection is secure to know whether a redirect is required?

Thanks.

Discussion

  • Marc Delisle
    2015-02-15

    • Priority: 5 --> Normal
     
  • Cen
    2015-03-18

    I dug around this issue and my interpretation is the following:

    Case 1: PmaAbsoluteUri setting is null by default, ForceSSL is true
    Works like: If the requested URL is not https, then redirect to https (PmaAbsoluteUri is autopopulated)

    Case 2: PmaAbsoluteUri setting is set to http, ForceSSL is true
    Works like: Always redirect

    Case 3: PmaAbsoluteUri setting is set to https, ForceSSL is true
    Works like: Never redirect

    Case 3 might be problematic because for example, you can access the login page through http and not get redirected even though ForceSSL is true. Waiting for opinion.

     
    • assigned_to: Madhura Jayaratne
     
    • summary: ForceSSL Redirect Check --> (ok 4.4.7) ForceSSL Redirect Check
    • status: open --> resolved
    • Group: Latest_Git --> 4.4.0
     
  • Marc Delisle
    2015-05-16

    • Status: resolved --> fixed
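
The three cases listed in the discussion above, modelled as an added example (this is not phpMyAdmin's code): it compares a redirect decision taken from the configured URI with one taken from the current connection. The function names, host name and request arrays are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; hypothetical helpers, not the project's implementation.

/** Config-based check: looks only at the scheme of the configured URI. */
function configUriIsHttps(string $absoluteUri): bool
{
    return stripos($absoluteUri, 'https://') === 0;
}

/** Connection-based check: looks at the request actually being served. */
function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/** An unset PmaAbsoluteUri is auto-populated from the current request. */
function effectiveUri(?string $configured, array $server): string
{
    if ($configured !== null && $configured !== '') {
        return $configured;
    }
    $scheme = requestIsHttps($server) ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/phpmyadmin/';
}

// Constructed sample requests (stand-ins for $_SERVER).
$requests = [
    'http'  => ['HTTP_HOST' => 'db.example.test', 'SERVER_PORT' => '80'],
    'https' => ['HTTP_HOST' => 'db.example.test', 'SERVER_PORT' => '443', 'HTTPS' => 'on'],
];
// Constructed PmaAbsoluteUri values for the three cases, ForceSSL assumed true.
$cases = [
    'Case 1 (unset)' => null,
    'Case 2 (http)'  => 'http://db.example.test/phpmyadmin/',
    'Case 3 (https)' => 'https://db.example.test/phpmyadmin/',
];

foreach ($cases as $label => $configured) {
    foreach ($requests as $scheme => $server) {
        $byConfig  = !configUriIsHttps(effectiveUri($configured, $server));
        $byRequest = !requestIsHttps($server);
        printf("%-15s %-5s request: config check redirects=%-5s connection check redirects=%s\n",
            $label, $scheme, var_export($byConfig, true), var_export($byRequest, true));
    }
}
```

The rows where the two columns differ are Case 2 on an HTTPS request and Case 3 on an HTTP request, the latter being the login-page situation described in the comment.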