What's the best way in CakePHP to extend the html->link function so that I can tell it to output a secure (https) link? Right now, I've added my own secure_link function to app_helpers that's basically a copy of the link function but adding an https to the beginning. But it seems like there should be a better way of overriding the html->link method so that I can specify a secure option.

I also started a thread on the Google Groups (http://groups.google.com/group/cake-php/browse%5Fthread/thread/e801b31cd3db809a) and someone suggested doing something like

$html->link('my account', array('base' => 'https://', 'controller' => 'users'));

but I couldn't get that working.

Just to add, this is what is outputted when I have the above code.

<a href="/users/index/base:https:/">my account</a>

I think there's a bug in cake/libs/router.php on line 850. There's a keyword 'bare' and I think it should be 'base'. Though changing it to base doesn't seem to fix it. From what I gather, it's telling it to exclude those keys that are passed in so that they don't get included as parameters. But I'm puzzled as to why it's a 'bare' keyword, and the only reason I can come up with is that it's a typo.

A: 

If you want to override the base, you also have to specify the server name, not just the protocol.

If the link you want to create should be https://example.com/mysite/users/action then https://example.com/mysite/ is your base.

Try running this code:

$html->link('my account', 
    array('base' => 'https://example.com/mysite/', 'controller' => 'users'));
RaYell
Maybe I'm doing it wrong, but doesn't that defeat the purpose of link then? If you have a dev environment, then all the links will be wrong. Besides, it still doesn't work with the fully qualified URL.
Aaron
A: 

Simply linking to the secure version of a page doesn't fully prevent access to the non-secure version, therefore a better approach might be to implement automatic https switching for the actions needed.

<?php
class UsersController extends AppController {

    var $components = array('Security');

    function beforeFilter() {
        $this->Security->blackHoleCallback = '_forceSecure';
        $this->Security->requireSecure();
    }

    function _forceSecure() {
        $this->redirect('https://' . env('SERVER_NAME') . $this->here);
    }
}
?>

Using this technique you can choose which controllers/actions need to be secured without having to worry about prepending https:// to every single link.

deizel
It's even better to have your server redirect insecure URLs.
RaYell
I already have the security component configured like that. I just wanted to save the extra redirect for pages I know will always be secure. Also, trying to go back the other way, from https to http. Once you've redirected someone to a secure page, then the rest of the time they surf the site in secure pages when the overhead is not needed.
Aaron
Yes, HTTPS traffic uses more bandwidth and is therefore slower, but you can expand on the implementation above so that it automatically switches users from HTTPS to HTTP when they leave a secured action/controller. When a "DRY" blanket solution can be created, the act of spending time manually adjusting links seems redundant. Since the redirect happens on the server and is barely noticed by the client, trying to avoid the redirect due to "overhead" issues sounds a bit like premature optimisation.
deizel
A: 

In _forceSecure() it is better to use this line to redirect:

$this->redirect('https://'.env('SERVER_NAME').env('REQUEST_URI'));

Otherwise you will lose any parameters specified in a GET request.

Ludolphus
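
The difference the last answer points out, shown in plain PHP as an added example that is not part of the original thread: a redirect target built from REQUEST_URI keeps the query string, while a path-only value drops it. The function name, the host allow-list, the URI sanity check and the sample request are assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread. Plain PHP, no CakePHP required.
// $server stands in for $_SERVER; $allowedHosts is an assumed allow-list.

function https_redirect_target(array $server, array $allowedHosts)
{
    // Already on HTTPS: no redirect needed.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return null;
    }

    // Only redirect to host names this site actually serves.
    $host = isset($server['SERVER_NAME']) ? strtolower($server['SERVER_NAME']) : '';
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }

    // REQUEST_URI carries the path and the query string.
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';

    // Accept only a single-slash absolute path without whitespace or
    // control characters; anything else falls back to the site root.
    if (!preg_match('#^/(?!/)[^\x00-\x20\x7f]*\z#', $uri)) {
        $uri = '/';
    }

    return 'https://' . $host . $uri;
}

// Constructed sample request: GET /users/index?page=2&sort=name over plain HTTP.
$request = array(
    'SERVER_NAME' => 'example.com',
    'REQUEST_URI' => '/users/index?page=2&sort=name',
);

// A path-only value, the case the answer above says loses the GET parameters.
$pathOnly = parse_url($request['REQUEST_URI'], PHP_URL_PATH);

echo 'path only:   https://example.com' . $pathOnly, "\n";
echo 'REQUEST_URI: ' . https_redirect_target($request, array('example.com')), "\n";
```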