
Add 'secure' option for Routes #10

Closed
lonnieezell opened this issue Jan 5, 2016 · 9 comments
Labels
enhancement PRs that improve existing functionalities

Comments

@lonnieezell (Member)

There should be a way to enforce that a route can only be reached through HTTPS. This would be passed as an option to that route (or route group). If it's accessed via HTTP then it should be redirected to HTTPS.

lonnieezell added the enhancement label Jan 5, 2016

@sv3tli0 (Contributor) commented Jan 6, 2016

++

Projects such as "letsencrypt.org" will soon give a free, valid HTTPS option to all websites.
A route, route group or even the whole app should have an option to support only HTTPS requests (perhaps the app should also make a proper redirection to HTTPS in all cases when the server doesn't do that in the first place).
It's a good way to motivate people to push their apps to HTTPS, and with that it will help improve security all over the net.

You know that some big companies are already forcing anyone who uses their systems to have HTTPS, and this is one big plus. In CI's case, of course, it should be optional.

@narfbg (Collaborator) commented Jan 6, 2016

A possibly helpful note: If you choose to do this via an HTTP redirect, make sure to use the 308 status code, which preserves the request method, i.e. won't change a POST to GET and destroy a submitted form's data.

https://tools.ietf.org/html/rfc7238

@lonnieezell (Member, Author)

@narfbg Excellent reminder. I probably would have forgotten that. Thank you.

@lonnieezell (Member, Author)

Notes to self:

  • The SessionID must be regenerated when we switch from HTTP to HTTPS.
  • Should attempt to use HTTP Strict Transport Security to enforce the switch. (Need to verify browser support)

@lonnieezell (Member, Author)

@narfbg As far as I can tell 308 is still not approved. Seems Firefox at least supports it, but unsure of the rest of the browsers. Looks like Google had a 308 used for resumable requests in their now-defunct Gears project. I cannot find a list of browser support for the different status codes.

Are you aware of a resource that tells us how much support 308 can expect? I'm currently using the default redirect option of 302/307 depending on request type but would like to move to 308 if we know it's supported.

@narfbg (Collaborator) commented Mar 11, 2016

Hmm ... looks like I've overlooked the status of that RFC.

Experimental basically means that research and development efforts are in progress, but you can't reasonably expect support for it in production. For this one in particular, browsers should fall back to another 3xx code if they encounter a 308 and don't understand it, but some may refuse to process it at all.

@lonnieezell (Member, Author)

Alright, I'll leave this to the default 302/307 option, then, and we can keep an eye on things in the future. Thanks.

@narfbg (Collaborator) commented Mar 11, 2016

On another note, this end result may be for the best in this particular case.

If there's e.g. a CSRF token in the message body for an unencrypted POST request, it's probably not a good idea to just redirect the same message body contents to a secure connection - we just had it over a non-httpS one, so it may've been intercepted. Better let the page generate a new token to be used under httpS. :)

@lonnieezell (Member, Author)

Oh dang. Yeah, good call! :)
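The decisions reached in this thread (302 for GET/HEAD and 307 for other methods rather than 308, an HSTS header once on HTTPS, and regenerating the session id after the switch) as one plain-PHP sketch. This is an added example, not CodeIgniter's own code; `secureRouteDecision`, `regenerateSessionAfterUpgrade` and the `example.com` allow-list entry are hypothetical names and a placeholder value.

```php
<?php
declare(strict_types=1);
// Added example, not CodeIgniter's code. Plain PHP so it runs anywhere;
// a framework filter would wrap it. Function names here are hypothetical.

const HSTS_MAX_AGE = 31536000; // one year

/**
 * Decide how to handle a request for a route marked 'secure'.
 * Returns ['status' => 0, 'headers' => [...]] to serve the page, or a
 * redirect status plus Location header to send the client to HTTPS.
 */
function secureRouteDecision(bool $isHttps, string $method, string $host, string $uri, array $allowedHosts): array
{
    if ($isHttps) {
        // Already on TLS: ask browsers to use HTTPS for future requests (HSTS).
        return ['status' => 0, 'headers' => [
            'Strict-Transport-Security' => 'max-age=' . HSTS_MAX_AGE . '; includeSubDomains',
        ]];
    }
    // Never build the redirect target from an unvalidated Host header.
    if (!in_array($host, $allowedHosts, true)) {
        return ['status' => 400, 'headers' => []];
    }
    // 302 for GET/HEAD; 307 otherwise so the method survives the redirect
    // (the thread's chosen default; 308 is avoided for lack of browser support).
    // A CSRF token posted over plain HTTP may have been observed, so the HTTPS
    // page should issue a fresh one instead of trusting the replayed body.
    $status = in_array(strtoupper($method), ['GET', 'HEAD'], true) ? 302 : 307;
    return ['status' => $status, 'headers' => ['Location' => 'https://' . $host . $uri]];
}

/**
 * Once a request arrives over HTTPS, discard a session id that was first
 * issued over plain HTTP. Call after session_start(); returns true if rotated.
 */
function regenerateSessionAfterUpgrade(bool $isHttps): bool
{
    if (!$isHttps || !empty($_SESSION['_established_over_https'])) {
        return false;
    }
    session_regenerate_id(true); // new id, old session data destroyed
    $_SESSION['_established_over_https'] = true;
    return true;
}

// Usage: wire from the real request (allow-list value is a placeholder).
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
$d = secureRouteDecision($isHttps, $_SERVER['REQUEST_METHOD'] ?? 'GET', $_SERVER['HTTP_HOST'] ?? '', $_SERVER['REQUEST_URI'] ?? '/', ['example.com']);
foreach ($d['headers'] as $k => $v) { header("$k: $v"); }
if ($d['status'] !== 0) { http_response_code($d['status']); exit; }
if ($isHttps) { session_start(); regenerateSessionAfterUpgrade(true); }
```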

exbit mentioned this issue Mar 16, 2016
Sosko added a commit to Sosko/CodeIgniter4 that referenced this issue Sep 24, 2020
If the table doesn't have a primary key, and I pass $returnID = false, then CI4 throws this error:
```
CRITICAL - 2020-09-24 00:47:00 --> pg_query(): Query failed: ERROR:  lastval is not yet defined in this session
#0 [internal function]: CodeIgniter\Debug\Exceptions->errorHandler(2, 'pg_query(): Que...', '/var/www/ci4/sy...', 196, Array)
#1 /var/www/ci4/system/Database/Postgre/Connection.php(196): pg_query(Resource id #9, 'SELECT LASTVAL(...')
#2 /var/www/ci4/system/Database/BaseConnection.php(741): CodeIgniter\Database\Postgre\Connection->execute('SELECT LASTVAL(...')
#3 /var/www/ci4/system/Database/BaseConnection.php(669): CodeIgniter\Database\BaseConnection->simpleQuery('SELECT LASTVAL(...')
#4 /var/www/ci4/system/Database/Postgre/Connection.php(519): CodeIgniter\Database\BaseConnection->query('SELECT LASTVAL(...')
#5 /var/www/ci4/system/Model.php(887): CodeIgniter\Database\Postgre\Connection->insertID()
#6 /var/www/ci4/app/Models/MyModel.php(46): CodeIgniter\Model->insert(Array, false)
#7 /var/www/ci4/app/Controllers/MyController.php(113): App\Models\MyModel->new_connection('1', '1')
#8 /var/www/ci4/app/Controllers/MyController.php(54): App\Controllers\MyController->do_create_connection()
#9 /var/www/ci4/system/CodeIgniter.php(918): App\Controllers\MyController->create_connection()
#10 /var/www/ci4/system/CodeIgniter.php(404): CodeIgniter\CodeIgniter->runController(Object(App\Controllers\MyController))
#11 /var/www/ci4/system/CodeIgniter.php(312): CodeIgniter\CodeIgniter->handleRequest(NULL, Object(Config\Cache), false)
#12 /var/www/ci4/public/index.php(45): CodeIgniter\CodeIgniter->run()
#13 {main}
CRITICAL - 2020-09-24 00:47:00 --> Uncaught CodeIgniter\Format\Exceptions\FormatException: Failed to parse json string, error: "Type is not supported". in /var/www/ci4/system/Format/Exceptions/FormatException.php:9
Stack trace:
#0 /var/www/ci4/system/Format/JSONFormatter.php(71): CodeIgniter\Format\Exceptions\FormatException::forInvalidJSON('Type is not sup...')
#1 /var/www/ci4/system/API/ResponseTrait.php(414): CodeIgniter\Format\JSONFormatter->format(Array)
#2 /var/www/ci4/system/API/ResponseTrait.php(134): CodeIgniter\Debug\Exceptions->format(Array)
#3 /var/www/ci4/system/Debug/Exceptions.php(168): CodeIgniter\Debug\Exceptions->respond(Array, 500)
#4 [internal function]: CodeIgniter\Debug\Exceptions->exceptionHandler(Object(ErrorException))
#5 {main}
  thrown
#0 [internal function]: CodeIgniter\Debug\Exceptions->shutdownHandler()
#1 {main}
```
This will skip getting the inserted ID.