[horde] full url

Eric Rostetter eric.rostetter at physics.utexas.edu
Mon Mar 17 11:03:21 PST 2003


Quoting Chris Petersen <lists at forevermore.net>:

> I'm finally getting around to forcing SSL for my horde connections,

The only way to "force" it is via your web server configuration.

> went in to change the use_ssl config directive to 1 to force ssl.

That doesn't force ssl.  It simply means that full urls will be written
as https: urls.

> however, it has no effect unless the "full url" stuff is set in the
> url() function in libs/Horde.php - and there seems to be no config
> setting for this.

Correct.
 
> Anyway, for now I've changed the default value from false to true, and
> it works, but there really should be an option for those who aren't so
> php-savvy.

Maybe.  But the only way to actually inforce this is at the web server
level.  You can't enforce it in the code.

> and in case you don't know what I'm talking about, unless the $full
> variable is turned on, all of horde's url's are local url's and thus

Correct.

> none of the links will get switched to https as the use_ssl parameter
> suggests that they will when it's set to "1".

It suggests no such thing.  From an old stable release, so this is not
new, it says:

// Determines how we generate full URLs (for location headers and
// such). Possible values are:

Note that it says right there it only applies to full URLs.  
How we generate full urls.  Never says anything about relative urls.

> Not sure which version I'm using - but pretty sure it's the latest
> stable release.

As you see above, it does not promise anything it doesn't deliver.

In the newer (HEAD) versions, it is expanded to say:

// Determines how we generate full URLs (for location headers and
// such). Possible values are:
//   0 - Assume that we are not using SSL and never generate https URLS.
//   1 - Assume that we are using SSL and always generate https URLS.
//       NOTE: If you do this, you MUST hardcode the correct HTTPS port
//       number in $conf['server']['port'] below. Otherwise Horde will
//       be unable to generate correct HTTPS URLs when a user tries to
//       access Horde via a non-HTTPS port.
//   2 - Attempt to auto-detect, and generate URLs appropriately.


Still note, this is only for full urls.  Still note, this will not stop
the user from getting around this.  Still note, the only way to enforce
https: (ssl) connections is via the web server.

> -Chris

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!


More information about the horde mailing list