Overview
If you run a Web site that has an SSL server certificate, this article explains a clean way to switch automatically between the unencrypted (HTTP) and encrypted (HTTPS, or SSL) protocols, using a small ColdFusion security framework.
It is very common for a Web site to move users into HTTPS correctly but, through careless coding, to include items on the page that are still fetched over plain HTTP. The browser then warns the user that not all items on the page are encrypted and asks whether to display them (current browsers block such items outright). The cause is almost always an image, script or stylesheet referenced by a fully-qualified URL with an http:// prefix; referencing assets by a root-relative path (for example /images/logo.gif) lets them follow whatever protocol the page itself was loaded with.
The other issue we often see is a site that, once it has switched into HTTPS mode, never switches back out. The motivation for switching back is performance: the overhead of encrypting all communication between the client's browser and the Web server. Note, though, that the reverse direction is not free of risk. The moment the browser follows a redirect back to http://, it sends every cookie that is not marked Secure, including the session cookie, in the clear. If you switch out of HTTPS, mark the session cookie Secure (accepting that the session is then not presented on HTTP pages), or keep any page that needs a logged-in session on HTTPS.
There are, as a result, several key points this article will address, as follows:
- Only use SSL, or HTTPS, when it is needed, in order to secure the data that is being sent between the browser and the server.
- Switch out of SSL when it is not needed.
- Automate this so that the Web designers don't have to worry about what mode they are in.
- Do all of the above, easily, by using a security framework!
Basics of the Security Framework
A framework, for our purposes, is a base set of business rules that runs for EVERY page of a ColdFusion Web site. The rules specify which pages or directories must be served over SSL, and the framework carries out the redirects needed to switch between the two protocols.
The components of the framework include:
- Application.cfm: If you've used ColdFusion for a while, you know that this file is automatically invoked by the ColdFusion engine before the requested page is executed. If you are running ColdFusion MX 7 or later, you can (and should) use Application.cfc instead, putting per-request logic in its onRequestStart method. Either way, the security framework (code below) is included there, so it runs before every page and performs the switching.
- Security Configuration Values: These values specify what directories (per our example code) or pages that need to be secured. Additionally, the configuration specifies the fully-qualified domain name that should be used when switching into HTTPS mode.
The Code
The following code shows an example of a security framework, in a very trimmed-down form. Following the code, we'll detail what each piece of it does:
<cfscript>
    // Configuration variables
    secSslDomain = "www.yourdomain.com";   // Must match the subject name (CN, or a SAN) of your SSL certificate
    secDirectoryList = "/checkout/,/contactus/";   // Directories to secure; each entry starts and ends with "/"
    secIsSslMode = (cgi.https EQ "on");   // True if the current request arrived over SSL
    secSslRequired = false;   // Set below once we know the target directory
    secRedirectTo = "";   // Stays empty when no redirect is needed

    // Rebuild the requested path, keeping any query string
    secUrl = cgi.script_name;
    if( trim(cgi.query_string) NEQ "" ) {
        secUrl = secUrl & "?" & cgi.query_string;
    }

    // Determine whether the current directory must be served over SSL.
    // This is an exact match on the immediate directory: a file in
    // /checkout/step2/ is NOT matched by the entry /checkout/.
    secCurDir = getDirectoryFromPath(cgi.script_name);
    if( listFindNoCase(secDirectoryList, secCurDir) ) {
        secSslRequired = true;
    }

    // Build the redirect URL if we are in the wrong mode. The host is the
    // configured domain, never the request's Host header, so the redirect
    // cannot be pointed at another site.
    if( secSslRequired AND NOT secIsSslMode ) {
        secRedirectTo = "https://" & secSslDomain & secUrl;
    } else if( NOT secSslRequired AND secIsSslMode ) {
        secRedirectTo = "http://" & secSslDomain & secUrl;
    }
</cfscript>
<!--- Only GET requests are redirected. A POST that arrives over the wrong
      protocol is served as-is: its body has already crossed the wire, so a
      redirect could not protect it, and a redirect would drop the form data. --->
<cfif trim(secRedirectTo) NEQ "" AND cgi.request_method EQ "GET">
    <cflocation url="#secRedirectTo#" addtoken="no">
</cfif>
The above code, placed in your application.cfm (or in the onRequestStart method of application.cfc), switches between SSL and non-SSL protocol automatically. One prerequisite: cgi.https is only "on" when the Web server in front of ColdFusion terminated the SSL connection itself. Behind a load balancer or reverse proxy that terminates SSL and forwards plain HTTP, cgi.https is never "on", so the code above redirects to https:// on every request and produces a redirect loop. In that setup the proxy must tell the server which protocol the client used (commonly the X-Forwarded-Proto header), and only that proxy's word should be trusted, never a header a client could set directly.
The key variables are secSslDomain, which must match the subject name (CN or SAN) of your certificate, and secDirectoryList, a comma-delimited list of the directories to secure. Each entry must begin and end with a slash (/), because that is the form getDirectoryFromPath() returns for the requested page, and there must be no spaces before or after the commas, because listFindNoCase() compares each entry exactly as written.
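As an added example (not the article's own code), here is the same policy packaged as the onRequestStart method of an Application.cfc, the recommended home for it on ColdFusion MX 7 and later. It keeps the article's variable names but goes beyond the snippet above in three ways: secured directories match as prefixes, so a page in /checkout/step2/ is covered by the entry /checkout/; a non-GET request that reaches a secured directory over plain HTTP is refused rather than silently served; and the session cookie is marked Secure so that dropping back to HTTP does not leak it. The application name, domain and directory list are placeholders, and the this.sessionCookie setting assumes ColdFusion 10 or later.

```cfml
<!---
  Application.cfc: added example, not the article's own code. The
  application name, domain and directory list below are placeholders.
--->
<cfcomponent output="false">
    <cfset this.name = "sslSwitchExample">
    <cfset this.sessionManagement = true>
    <!--- ColdFusion 10 and later: never send CFID/CFTOKEN over plain HTTP.
          Without this, the redirect back to http:// hands the session id to
          anyone on the path. On older engines set the cookie yourself with
          <cfcookie secure="yes">. --->
    <cfset this.sessionCookie = { secure = true, httpOnly = true }>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfscript>
            var secSslDomain     = "www.yourdomain.com";                // placeholder; must match the certificate's CN or a SAN
            var secDirectoryList = "/checkout/,/contactus/,/account/";  // placeholder list; each entry starts and ends with "/"
            var secIsSslMode     = (cgi.https EQ "on");
            var secSslRequired   = false;
            var secRedirectTo    = "";
            var secCurDir        = getDirectoryFromPath(cgi.script_name);
            var secUrl           = cgi.script_name;
            var secDir           = "";
            var i                = 0;

            // Prefix match instead of an exact match, so every subdirectory of
            // a secured directory is secured too. String EQ is case-insensitive
            // in CFML, and trim() tolerates stray spaces around the commas.
            for (i = 1; i LTE listLen(secDirectoryList); i = i + 1) {
                secDir = trim(listGetAt(secDirectoryList, i));
                if (len(secDir) AND left(secCurDir, len(secDir)) EQ secDir) {
                    secSslRequired = true;
                    break;
                }
            }

            // Preserve the query string on the redirect. The host is always
            // the configured name, never the request's Host header.
            if (len(trim(cgi.query_string))) {
                secUrl = secUrl & "?" & cgi.query_string;
            }

            if (secSslRequired AND NOT secIsSslMode) {
                secRedirectTo = "https://" & secSslDomain & secUrl;
            } else if (NOT secSslRequired AND secIsSslMode) {
                secRedirectTo = "http://" & secSslDomain & secUrl;
            }
        </cfscript>

        <cfif len(secRedirectTo)>
            <cfif cgi.request_method EQ "GET">
                <cflocation url="#secRedirectTo#" addtoken="no">
            <cfelseif secSslRequired>
                <!--- A POST (or other non-GET) to a secured directory over plain
                      HTTP: the body has already crossed the wire unencrypted and
                      a redirect cannot undo that. Refuse to process it so the
                      problem is noticed; the form's action URL must point at
                      https:// directly. --->
                <cfheader statuscode="403" statustext="Forbidden">
                <cfabort>
            </cfif>
            <!--- A non-GET over HTTPS to an unsecured directory is simply served;
                  nothing is gained by bouncing it to http://. --->
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because the session cookie carries the Secure flag, it is not presented on http:// pages; that is the intended trade-off, since the session id is then either protected or not sent at all. If a page needs a logged-in state, add its directory to secDirectoryList rather than weakening the cookie. The redirect deliberately uses the default 302 status: a cached 301 for the https-to-http direction would keep sending browsers to plain HTTP even after a directory is later added to the secured list.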