We have a site that needs to have several sections be secure. We have our SSL certificate installed, and for the areas that are accessible via menu item, it's no problem - we just use the SSL Enabled system parameter in the menu item editor. But we have a few sections (i.e. a shopping cart checkout screen) that are only accessible via a submit button (they don't have their own URL, so to speak - they're just submitted to themselves via the controller and the view changes based on the form action.) Right now, the form action is set like this:

<form name="instantForm" action="/<?=$this->segment?>/" method="post" onsubmit="updateSubmitValue()">

where segment is passed via the view.html.php. The rendered form tag looks like this:

<form id = "checkoutForm" name="checkoutForm" action="/checkout/" method="post" onsubmit="updateSubmit()">

When submitted, the controller grabs the value of a few submitted fields and determines which view to display (logged in with saved account info or anonymous transaction) and then displays the correct form.

Here's a stripped-down version of the controller's display method:

if (JRequest::getVar('checkoutCodeSubmitBTN') != ""){
   //user has clicked Checkout button; go to billing info page
   JRequest::setVar('view','checkoutpay');
   // JRequest::setVar('view','checkout_thankyou');

   //reference view
   $viewCode =& $this->getView('checkoutpay','html');
   $viewCode->voucher =& $voucher;
} //close test for step 1 if

How can I make sure that the view that gets displayed gets switched over to an https URL?

I've already posted this on the Google Joomla dev discussion group, and got a response telling me to use JRoute to generate a URL and use setRedirect instead of posting to the form, but then someone else responded that using JRoute produces a completely new request, so all your access to JRequest::getVar type stuff is gone. We need to be able to access the variables that are posted through the form, so that solution is out. Does anyone have any other ways of doing this? I'm pretty new to Joomla development and am not familiar with many of the objects and methods available.

A: 

I've heard from some people that JRoute would be better for this, but that only works if you know the URL you need; we have to build our URL dynamically based on the current request, so I used JURI.

In my view.html.php, I added this code:

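// Ask the model (database flag) whether this form must submit over SSL
$needSecure = $model->needSecure();
if ($needSecure) {
    // Start from the site base URL and switch its scheme to https
    $u =& JURI::getInstance( JURI::base() );
    $u->setScheme( 'https' );
    $tmpURL = $u->toString()."checkout";
}
else {
    // Relative URL: stays on the scheme of the current page
    $tmpURL = "/checkout";
}
// Expose the URL to the template as $this->tmpURL
$this->assignRef("tmpURL", $tmpURL);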

needSecure() is a function in my model that pulls a value from a database table and returns a boolean. So if needSecure returns true, we get the current request URI, set the first part to https, then append the bit that we're submitting to. If it returns false, we just set the bit to submit to.

In the default.php, we have this:

<form id = "checkoutForm" name="checkoutForm" action="<?=$this->tmpURL?>/" method="post" onsubmit="updateSubmit()">

If needSecure is true, the action renders to

<form id = "checkoutForm" name="checkoutForm" action="https://www.mysite.com/checkout" method="post" onsubmit="updateSubmit()">

otherwise it renders to

<form id = "checkoutForm" name="checkoutForm" action="/checkout" method="post" onsubmit="updateSubmit()">

It works perfectly, and because we're storing the boolean in a database, it means we don't ever have to change the code itself if we want to make a new form submission secure or insecure.

EmmyS
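
Added example, not part of the original answer and not Joomla code: the https form action only changes where the browser is told to submit, so the handler itself should also check how each request arrived. This plain-PHP (7+) sketch redirects plain-http GETs and refuses plain-http POSTs for sections flagged by needSecure(); CANONICAL_HOST, request_is_https() and checkout_transport_decision() are hypothetical names, and the sample requests are constructed.

```php
<?php
// Added example: plain PHP, no Joomla classes; all names here are hypothetical.
const CANONICAL_HOST = 'www.mysite.com'; // host shown in the answer's rendered form

// True when the request reached PHP over TLS (direct connection, no proxy header).
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Decide what to do with a request for a section flagged by needSecure().
 * Returns ['action' => 'process'|'redirect'|'reject', 'location' => ?string].
 */
function checkout_transport_decision(array $server, bool $needSecure): array
{
    if (!$needSecure || request_is_https($server)) {
        return ['action' => 'process', 'location' => null];
    }
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method === 'GET' || $method === 'HEAD') {
        // No body to lose, so a redirect is safe. The host comes from
        // configuration rather than from the request's Host header.
        $path = $server['REQUEST_URI'] ?? '/';
        if ($path === '' || $path[0] !== '/') {
            $path = '/'; // never let the path alter the authority part
        }
        return ['action' => 'redirect', 'location' => 'https://' . CANONICAL_HOST . $path];
    }
    // A POST over http has already crossed the network in clear text, and a
    // redirect would drop the posted fields, so refuse it instead.
    return ['action' => 'reject', 'location' => null];
}

// Constructed sample requests (shaped like $_SERVER).
$samples = [
    'https POST' => ['HTTPS' => 'on', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/checkout/'],
    'http GET'   => ['REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/checkout/'],
    'http POST'  => ['HTTPS' => 'off', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/checkout/'],
];
foreach ($samples as $label => $server) {
    $d = checkout_transport_decision($server, true);
    echo str_pad($label, 11), $d['action'], $d['location'] ? ' -> ' . $d['location'] : '', "\n";
}
```

In a real controller the check would run on `$_SERVER` before any posted field is read; behind a TLS-terminating proxy, request_is_https() would need to use whatever signal that proxy is configured to send.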