silverstripe-framework: Director::forceSSL does not force SSL when using
Might just be something to note in the .env documentation but this is something I caught in production today:
Defined a base URL in .env:
SS_BASE_URL="https://www.site.co.nz/"
In app/_config.php:
Director::forceSSL();
Result:
Accessing http://www.site.co.nz incorrectly works, no redirection takes place as the check in Director::is_https() fails with the provided SS_BASE_URL.
Fix is to use the non-SSL version in the .env file but I think that’s a simple issue for users to trip up on and could result in users being able to access pages over HTTP.
PR:
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 28 (25 by maintainers)
Commits related to this issue
- BUG Fix forceWWW and forceSSL not working in _config.php Fixes #7492 — committed to open-sausages/silverstripe-framework by deleted user 7 years ago
My view is we stop recommending using forceSSL - instead use a middleware to force SSL or serverside config.
However, the problem is the Director::is_https() check needs changing/ignoring in the forceSSL method as it’s looking up whether the base URL is https rather than the current request.
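The difference between the two checks discussed in this thread, as an added example that is not SilverStripe's code or part of the original issue: a simplified model in which the scheme is derived either from the configured base URL or from the current request. All function names are hypothetical and the request array is constructed sample data.

```php
<?php
// Simplified model of the behaviour described in this issue.
// Not the framework's implementation; every function name is hypothetical.

/** Check as the issue describes it: the scheme comes from the configured base URL. */
function isHttpsFromBaseUrl(string $baseUrl): bool
{
    return strtolower((string) parse_url($baseUrl, PHP_URL_SCHEME)) === 'https';
}

/** Check based on the current request (a $_SERVER-style array). */
function isHttpsFromRequest(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/**
 * Returns the HTTPS redirect target, or null when no redirect is issued.
 * The host is taken from the configured base URL, not the client-supplied
 * Host header, so the redirect cannot be steered to another host.
 */
function forceSslTarget(bool $alreadyHttps, string $baseUrl, array $server): ?string
{
    if ($alreadyHttps) {
        return null;
    }
    $host = (string) parse_url($baseUrl, PHP_URL_HOST);
    $path = '/' . ltrim((string) ($server['REQUEST_URI'] ?? '/'), '/');
    return 'https://' . $host . $path;
}

// Constructed sample: a plain-HTTP request to a site whose SS_BASE_URL is https.
$baseUrl = 'https://www.site.co.nz/';
$request = ['HTTP_HOST' => 'www.site.co.nz', 'SERVER_PORT' => '80', 'REQUEST_URI' => '/admin'];

// Base-URL check: the request is treated as already HTTPS, so no redirect is issued.
var_dump(forceSslTarget(isHttpsFromBaseUrl($baseUrl), $baseUrl, $request));

// Request check: the same plain-HTTP request is given an HTTPS redirect target.
var_dump(forceSslTarget(isHttpsFromRequest($request), $baseUrl, $request));
```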