How do you force an application to use SSL?
If you want to force your application (or a portion of it) to use SSL, you can simply check one of the CGI variables, server_port_secure.
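<!--- Redirect to the HTTPS version of the current URL when the request is not secure. --->
<cfif not cgi.server_port_secure>
    <cflocation url="https://#cgi.server_name##cgi.script_name#?#cgi.query_string#" />
</cfif>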
The code block above makes use of four CGI variables. The first one, cgi.server_port_secure, will be true if the current request is on a secure server. (Technically it seems to return 0 or 1, which can be treated as false and true in ColdFusion.) The variable cgi.server_name represents the current server. The variable cgi.script_name will represent the current document. (However, this will not be the case when ColdFusion is using a context root of anything but /.) Lastly, the variable cgi.query_string will represent anything after the ? character in the URL. If blank, nothing will be passed.
As a general warning, CGI variables can behave differently between different web servers, versions of web servers, web browsers, and many other factors. In general, care should be taken when using CGI variables.
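Because the secure-request indicator varies between web servers, the following added example (not code from the original FAQ) checks cgi.server_port_secure first and falls back to cgi.https and cgi.server_port. The function name isSecureRequest, the GET-only redirect and the 403 response for other methods are assumptions made for this illustration.

```cfml
<!--- Added example; isSecureRequest is a hypothetical helper name. --->
<cffunction name="isSecureRequest" returntype="boolean" output="false">
    <!--- The CGI scope returns an empty string for variables the web
          server does not supply, so each check is safe to evaluate. --->
    <cfif isBoolean(cgi.server_port_secure) and cgi.server_port_secure>
        <cfreturn true />
    </cfif>
    <cfif cgi.https is "on">
        <cfreturn true />
    </cfif>
    <cfif cgi.server_port is "443">
        <cfreturn true />
    </cfif>
    <cfreturn false />
</cffunction>

<cfif not isSecureRequest()>
    <cfif cgi.request_method is "GET">
        <!--- Append the query string only when there is one. --->
        <cfset target = "https://" & cgi.server_name & cgi.script_name />
        <cfif len(cgi.query_string)>
            <cfset target = target & "?" & cgi.query_string />
        </cfif>
        <!--- addtoken="false" keeps CFID/CFTOKEN out of the redirect URL. --->
        <cflocation url="#target#" addtoken="false" />
    <cfelse>
        <!--- A browser follows the redirect with a GET, so posted form
              fields would be lost; refuse the request instead. --->
        <cfheader statuscode="403" statustext="HTTPS Required" />
        <cfabort />
    </cfif>
</cfif>
```

A form that posts to a protected page should use an https:// action URL, since a POST sent over HTTP has already crossed the network unencrypted by the time this check runs.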
This question was written by Terrence Ryan.
It was last updated on January 27, 2006 at 12:42:28 PM EST.
Comments
Comment made by Barney on January 27, 2006 at 2:03 PM
cgi.server_port (80 for HTTP, 443 for HTTPS) and cgi.https (set to 'on') can also yield clues, if your web server doesn't provide cgi.server_port_secure.
Comment made by Terrence Ryan on February 1, 2006 at 12:59 PM
I should have pointed out that this code was written for ColdFusion MX 7 on IIS 6.
Comment made by Raymond Camden on February 1, 2006 at 1:46 PM
Terrence - all code here is CF7. It's one of the FAQs. ;) Most code here WILL run on earlier systems though.
Comment made by Terrence Ryan on February 2, 2006 at 7:52 PM
I was just clarifying the IIS 6 part. I was being overly verbose in including the CF7 part.
Comment made by Pablo Varando on May 26, 2006 at 9:21 PM
For previous compatibility you can do:
<cfif CGI.HTTPS IS "Off">
    <cflocation url="https://#cgi.server_name##cgi.script_name#?#cgi.query_string#" />
</cfif>
Comment made by Kruse on August 2, 2007 at 8:46 AM
But the address line does still say http:
Comment made by Raymond Camden on August 2, 2007 at 9:02 AM
It should not, Kruse. I'd check your CGI variables. Are they not what you expect?
Comment made by Blair Rorani on February 20, 2008 at 5:34 AM
If I use the above technique, what happens to form variables passed to a page if I'm using cflocation to get the https into my url of the current page?
I'm not sure of the impact of cflocation on variable scopes but I know how to redirect the pages to https. Ta.