[Tickets #3840] NEW: Horde::url and 'use_ssl' difference.

bugs@bugs.horde.org bugs at bugs.horde.org
Wed Apr 26 09:14:36 PDT 2006 

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=3840
-----------------------------------------------------------------------
 Ticket             | 3840
 Created By         | fzipi at fing.edu.uy
 Summary            | Horde::url and 'use_ssl' difference.
 Queue              | Horde Framework Packages
 Version            | FRAMEWORK_3
 State              | Unconfirmed
 Priority           | 1. Low
 Type               | Bug
 Owners             | 
-----------------------------------------------------------------------


fzipi at fing.edu.uy (2006-04-26 09:14) wrote:

I'll try to be clear on this one.

What we are trying to achieve is that login on horde (with imp_login) should
be always with 'https' (because of passwords), and then with session
initiated let clients decide if they use ssl on every request or not.

So, we set on 'horde/conf.php' value '$conf['use_ssl'] = 2;' and on
'horde/imp/login.php'   around line 138 we have:

$formAction = Horde::url('redirect.php', false, -1, true); // true =
force_ssl !!!

Documentation on 'conf.php.dist' says:

// Determines how we generate full URLs (for location headers and
// such). Possible values are:
//   0 - Assume that we are not using SSL and never generate https URLS.
//   1 - Assume that we are using SSL and always generate https URLS.
//       NOTE: If you do this, you MUST hardcode the correct HTTPS port
//       number in $conf['server']['port'] below. Otherwise Horde will
//       be unable to generate correct HTTPS URLs when a user tries to
//       access Horde via a non-HTTPS port.
//   2 - Attempt to auto-detect, and generate URLs appropriately.
$conf['use_ssl'] = 2; // in my case use auto-detection

So it's supossed to generate https urls for login, and then continue with
'$browser->usingSSLConnection()' mainly.

But, when I looked at 'Horde::url', in 'lib/Horde.php', I saw this:

    function url($uri, $full = false, $append_session = 0, $force_ssl =
false)
    {
        if ($force_ssl) {
            $full = true;
        }

        if ($full) {
            global $conf, $registry, $browser;

            /* Store connection parameters in local variables. */
            $server_name = $conf['server']['name'];
            $server_port = $conf['server']['port'];

            $protocol = 'http';
            if ($conf['use_ssl'] == 1) {
                $protocol = 'https';
            } elseif ($conf['use_ssl'] == 2 &&
                      $browser->usingSSLConnection()) {
                $protocol = 'https';
            } elseif ($conf['use_ssl'] == 3) {
                $server_port = '';
                if ($force_ssl) {
                    $protocol = 'https';
                }
            }

Well, '$conf['use_ssl'] == 3' is an undocumented feature, or there is a bug
somewhere :)
Also, if I set '$conf['use_ssl'] == 3' on my horde config, works great
generating 'https' urls, but then if I'm using https already after login
urls are changed to 'http'.

I think that
              if ($force_ssl) {
                    $protocol = 'https';
                }
on this method should have priority over other things.
Also, documentation must be updated...

Thanks,

Felipe.

More information about the bugs mailing list