<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes, I quite agree, https all the time is better, but for the
specific purposes of the correctness of the validateReferer function,
if you do have http turned on for whatever reason then it shouldn't
throw up an error message (especially a completely uninformative and
misleading one).<br>
<br>
Alan.<br>
<br>
<div class="moz-cite-prefix">On 29/04/15 12:23, Christophe Humbert
wrote:<br>
</div>
<blockquote
cite="mid:CABffS=wT37Uw64xYLAz4xD5Eu-ACt9oD1qdR2RCUohcTGFcGwQ@mail.gmail.com"
type="cite">
<div dir="ltr">Always use https, no-brainer, and force either in
your .htaccess or httpd.conf the SSL use <br>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">Christophe Humbert<br>
<br>
<br>
</div>
</div>
<br>
<div class="gmail_quote">On Wed, Apr 29, 2015 at 1:12 PM,
Prasad <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:prasad@vtiger.com" target="_blank">prasad@vtiger.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Use https if you have the option (have http
redirect to https) - a suggestion.</div>
<div class="gmail_extra"><br clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class="h5">
<br>
<div class="gmail_quote">On Wed, Apr 29, 2015 at
3:32 PM, Alan Bell <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:alan.bell@libertus.co.uk"
target="_blank">alan.bell@libertus.co.uk</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">We wanted to make https
optional for a vtiger instance. It doesn't do
that out of the box because the http referrer is
checked against the $siteURL global, so the
protocol has to match and you get an Illegal
request error on logging in. I did a little
tweak to includes/http/Request.php to the
validateReferer function:<br>
<br>
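protected function validateReferer() {<br>
&nbsp;&nbsp;&nbsp;&nbsp;$user = vglobal('current_user');<br>
&nbsp;&nbsp;&nbsp;&nbsp;// Referer check if present - to over come<br>
&nbsp;&nbsp;&nbsp;&nbsp;if (isset($_SERVER['HTTP_REFERER']) &amp;&amp; $user) {//Check for user post authentication.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;global $site_URL;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sitehost = parse_url($site_URL);<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$referrerhost = parse_url($_SERVER['HTTP_REFERER']);<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (($sitehost['host'] != $referrerhost['host']) &amp;&amp; ($this-&gt;get('module') != 'Install')) {<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw new Exception('Illegal request');<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br>
&nbsp;&nbsp;&nbsp;&nbsp;}<br>
&nbsp;&nbsp;&nbsp;&nbsp;return true;<br>
}<br>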
<br>
<br>
So now it parses the site url and the referrer
url and checks that the host portion of each is
a match. I don't really care if you bounce
between protocols or ports as long as it is on
the same host.<br>
<br>
Alan.<br>
_______________________________________________<br>
<a moz-do-not-send="true"
href="http://www.vtiger.com/" target="_blank">http://www.vtiger.com/</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
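<p>A stricter form of the host-only Referer comparison discussed in this thread, as an added example that is not part of the original messages or of vtiger's code; <code>urlHost()</code>, <code>sameHost()</code> and the <code>example.test</code> / <code>evil.example</code> URLs are hypothetical. It ignores scheme and port as the thread intends, and rejects when either URL has no parseable host.</p>

```php
<?php
// Added example, not vtiger code. Function names and URLs are hypothetical.

/**
 * Return the normalised host of a URL, or null when parse_url() finds none
 * (malformed URL, or a value with no scheme such as "crm.example.test/").
 */
function urlHost(string $url): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    // Host names are case-insensitive; a trailing dot names the same host.
    return rtrim(strtolower($host), '.');
}

/** True only when both URLs parse and name the same host; scheme and port are ignored. */
function sameHost(string $siteUrl, string $referer): bool
{
    $site = urlHost($siteUrl);
    $ref  = urlHost($referer);
    // Fail closed: two missing hosts must not count as a match
    // (a loose != on two absent 'host' keys treats them as equal).
    return $site !== null && $ref !== null && $site === $ref;
}

$siteUrl = 'https://crm.example.test/vtiger/';   // constructed stand-in for $site_URL
$cases = [                                       // constructed Referer values => expected result
    'http://crm.example.test/index.php'                    => true,  // scheme differs
    'https://CRM.Example.Test:8443/index.php'              => true,  // case and port differ
    'https://crm.example.test.evil.example/'               => false, // site host used as a prefix
    'https://crm.example.test@evil.example/'               => false, // site host in userinfo
    'https://evil.example/?next=https://crm.example.test/' => false, // site URL in query string
    'crm.example.test/index.php'                           => false, // no scheme, so no host
];
foreach ($cases as $referer => $expected) {
    $got = sameHost($siteUrl, $referer);
    printf("%-55s %s%s\n", $referer, $got ? 'accept' : 'reject',
        $got === $expected ? '' : '  (unexpected)');
}

// A site URL configured without a scheme has no host either: reject, do not match.
printf("%-55s %s\n", 'site URL without scheme',
    sameHost('crm.example.test/vtiger/', 'not a url') ? 'accept' : 'reject');
```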
</body>
</html>