[Vtigercrm-developers] support https and http at the same time

Alan Bell alan.bell at libertus.co.uk
Wed Apr 29 11:35:37 GMT 2015


Yes, I quite agree, https all the time is better, but for the specific 
purposes of the correctness of the validateReferer function, if you do 
have http turned on for whatever reason then it shouldn't throw up an 
error message (especially a completely uninformative and misleading one).

Alan.

On 29/04/15 12:23, Christophe Humbert wrote:
> Always use https, no brainer, and force the SSL use in either your
> .htaccess or httpd.conf
>
> Christophe Humbert
>
>
>
> On Wed, Apr 29, 2015 at 1:12 PM, Prasad <prasad at vtiger.com> wrote:
>
>     Use https if you have the option (have http redirect to https) - a
>     suggestion.
>
>     On Wed, Apr 29, 2015 at 3:32 PM, Alan Bell
>     <alan.bell at libertus.co.uk> wrote:
>
>         We wanted to make https optional for a vtiger instance. It
>         doesn't do that out of the box because the http referrer is
>         checked against the $site_URL global, so the protocol has to
>         match and you get an Illegal request error on logging in. I
>         did a little tweak to includes/http/Request.php to the
>         validateReferer function:
>
>             protected function validateReferer() {
>                 $user = vglobal('current_user');
>                 // Referer check if present - to over come
>                 if (isset($_SERVER['HTTP_REFERER']) && $user) { // Check for user post authentication.
>                     global $site_URL;
>                     // Compare only the host part of each URL; scheme and port are ignored.
>                     $sitehost = parse_url($site_URL);
>                     $referrerhost = parse_url($_SERVER['HTTP_REFERER']);
>                     if (($sitehost['host'] != $referrerhost['host']) &&
>                         ($this->get('module') != 'Install')) {
>                         throw new Exception('Illegal request');
>                     }
>                 }
>                 return true;
>             }
>
>
>         So now it parses the site url and the referrer url and checks
>         that the host portion of each is a match. I don't really care
>         if you bounce between protocols or ports as long as it is on
>         the same host.
>
>         Alan.
>         _______________________________________________
>         http://www.vtiger.com/
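
The host-only comparison described in this thread, as an added example that is not part of the original post or of vtiger's code. The names `url_host` and `referer_host_ok` and all URLs are constructed for illustration; it goes slightly beyond the posted function by comparing hosts case-insensitively and failing closed when either URL has no parseable host.

```php
<?php
// Added example, not vtiger code; every URL below is constructed.

/** Lower-cased host of a URL, or null when parse_url() finds none. */
function url_host(?string $url): ?string
{
    $host = parse_url((string) $url, PHP_URL_HOST); // false if malformed, null if no host
    if (!is_string($host) || $host === '') {
        return null;
    }
    return strtolower(rtrim($host, '.')); // host names are case-insensitive
}

/**
 * Host-only referer check: scheme and port may differ, the host may not.
 * An absent referer is accepted, as in the posted function.
 */
function referer_host_ok(string $siteUrl, ?string $referer): bool
{
    if ($referer === null) {
        return true;
    }
    $site = url_host($siteUrl);
    $ref  = url_host($referer);
    // Fail closed: a missing host on either side never counts as a match.
    return $site !== null && $ref !== null && $site === $ref;
}

$site  = 'https://crm.example.com/vtiger/'; // constructed stand-in for $site_URL
$cases = [
    'https://crm.example.com/index.php'     => true,
    'http://crm.example.com/index.php'      => true,  // other scheme
    'http://CRM.example.com:8080/index.php' => true,  // other port, other case
    'https://crm.example.com.other.test/'   => false, // site host only as a prefix
    'https://crm.example.com@other.test/'   => false, // site host in the userinfo part
    'https://other.test/?u=crm.example.com' => false, // site host in the query only
    'crm.example.com/index.php'             => false, // no scheme, so no host
];
foreach ($cases as $referer => $expected) {
    $got = referer_host_ok($site, $referer);
    printf("%-40s %s\n", $referer, $got ? 'accept' : 'reject');
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for $referer");
    }
}
```

Comparing parsed hosts rather than testing whether the referer string starts with or contains the site URL is what keeps the prefix, userinfo and query cases rejected.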
