We love this module, especially for how simple it is to configure. Is there a way to make the redirect from CAS always return to the SSL version of the page? We have the redirect going to but that doesn't infer ssl.
Thanks

Comments

metzlerd’s picture

I typically force SSL just by altering the base url in my settings.php file, but secure pages and other modules can also help here, or were you looking for something more specific? Much depends on how you have your site set up as to whether you get redirected to a secure page or not.

metzlerd’s picture

FYI: Also there's no strong reason to have the redirection be SSL except for when going to the cas server (which is always enforced). So the question about ssl is really about the confidentiality of the content that's on your site.

Dave

sher1’s picture

So to give details but not overdo, we have a page that shows additional info if you are logged in and that additional info has to be protected by SSL. Since we don't want to get mixed content pages or allow for injecting bad js in with the non-ssl content, we have to secure the whole thing. I actually have my base_url set to the ssl version of the site but that doesn't seem to make any difference. I will take a look and see if there are any things I should be doing differently with the base_url. Thanks for the quick reply. I will report back what I find in case anyone else ever needs this.

bfroehle’s picture

I think this could be accomplished in 6.x-3.x by implementing hook_cas_phpcas_alter().

The code would need to be something like:

/**
 * Implements hook_cas_phpcas_alter().
 */
function MODULE_cas_phpcas_alter() {
  // Get absolute URL to the 'cas' path, and replace http with https.
  $url = url('cas', array('absolute' => TRUE));
  $url = str_replace('http://', 'https://', $url);
  phpCAS::setFixedServiceURL($url);
}

bfroehle’s picture

I recently was faced with a similar task and ended up opting for the simplest solution which was to just put everything under the SSL umbrella.

Has anybody else figured out a good solution?

sher1’s picture

So, what I ended up doing was this. On the top of the page-front.tpl.php I have

if(($user->uid > 0) && $_SERVER['HTTP_X_HTTPS']=="off") redirectToHTTPS();

To clarify, the first condition checks to see if you are logged in. The second checks to see if we are already using SSL by looking for the header variable HTTP_X_HTTPS which is set by our reverse proxies. The result of a true (we are both logged in and not already ssl) is a call to my redirectToHTTPS function that looks like this:

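function redirectToHTTPS() {
    // HTTP_X_HTTPS is set by the reverse proxies; "off" means the request arrived over plain HTTP.
    if ($_SERVER['HTTP_X_HTTPS'] == "off") {
        $redirect = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        // Do not echo before header(): without output buffering, PHP cannot send
        // the Location header once output has started.
        header("Location: $redirect");
        // Stop here so the rest of the page is not rendered over HTTP.
        exit;
    }
}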

Hope that is useful to someone else.
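
A variant of the redirect above that takes the host from a fixed allow-list instead of the client-supplied Host header, and that redirects whenever the proxy header is missing or not "on". This is an added example, not code from this thread or from the CAS module; the function name https_redirect_target, the www.example.edu host and the "on" header value are assumptions.

```php
<?php
// Added example. Assumes the reverse proxy sets X-HTTPS to "on" for every
// HTTPS request (otherwise this would loop) and "off" for plain HTTP.

/**
 * Returns the HTTPS URL to redirect to, or NULL when no redirect is needed.
 */
function https_redirect_target(array $server, $logged_in, array $allowed_hosts) {
  // Only logged-in pages carry the content that must stay on SSL.
  if (!$logged_in) {
    return NULL;
  }
  // Anything other than an explicit "on" is treated as plain HTTP.
  if (isset($server['HTTP_X_HTTPS']) && $server['HTTP_X_HTTPS'] === 'on') {
    return NULL;
  }
  // The Host header comes from the client: accept it only if it is a known
  // site host, otherwise fall back to the first configured host.
  $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
  $host = preg_replace('/:\d+\z/', '', $host);
  if (!in_array($host, $allowed_hosts, TRUE)) {
    $host = $allowed_hosts[0];
  }
  // Keep the path only if it is a local path made of printable ASCII.
  $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
  if (!preg_match('#^/[\x21-\x7e]*\z#', $uri)) {
    $uri = '/';
  }
  return 'https://' . $host . $uri;
}

// Constructed sample requests (not captured traffic).
$allowed = array('www.example.edu');
$samples = array(
  array('HTTP_X_HTTPS' => 'off', 'HTTP_HOST' => 'www.example.edu', 'REQUEST_URI' => '/node/1'),
  array('HTTP_X_HTTPS' => 'off', 'HTTP_HOST' => 'other.invalid', 'REQUEST_URI' => '/node/1'),
  array('HTTP_X_HTTPS' => 'on', 'HTTP_HOST' => 'www.example.edu', 'REQUEST_URI' => '/node/1'),
  array('HTTP_HOST' => 'www.example.edu:80', 'REQUEST_URI' => "/a\r\nX: y"),
);
foreach ($samples as $sample) {
  var_dump(https_redirect_target($sample, TRUE, $allowed));
}

// In the template, the call site would be:
// if ($target = https_redirect_target($_SERVER, $user->uid > 0, $allowed)) {
//   header('Location: ' . $target, TRUE, 302);
//   exit;
// }
```
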

bfroehle’s picture

Component: Code » CAS
Status: Active » Fixed

I added a link to this issue in the CAS documentation. Note, however, that this approach may still be susceptible to hijacked sessions --- see http://drupal.org/project/securepages_prevent_hijack for more info.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.