Commit eb4090ff authored by Kevin Atkinson's avatar Kevin Atkinson

Redirect http://* to https://* in CheckLoginOrDie on

CHECKLOGIN_MAYBEVALID.  Also fixup index.php3 so it always
redirects to https on the same error.

Added new helper function RedirectHTTPS which will redirect to https
if necessary.
parent a15a02cb
......@@ -546,6 +546,24 @@ function YesNo($bool) {
return ($bool ? "Yes" : "No");
}
#
# If the page was accessed via http redirect to https and exit
# otherwise do nothing
#
function RedirectHTTPS() {
global $WWWHOST,$drewheader;
if ($drewheader) {
trigger_error(
"PAGEHEADER called before RedirectHTTPS ".
"Won't be able to redirect to HTTPS if necessary ".
"in ". $_SERVER['SCRIPT_FILENAME'] . ",",
E_USER_WARNING);
} else if (!@$_SERVER['HTTPS'] && $_SERVER['REQUEST_METHOD'] == 'GET') {
header("Location: https://$WWWHOST". $_SERVER['REQUEST_URI']);
exit;
}
}
#
# Beware empty spaces (cookies)!
#
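Review bot: The test `!@$_SERVER['HTTPS']` in RedirectHTTPS treats any non-empty value as HTTPS, so on servers that set `HTTPS` to `off` for plain requests (PHP documents this for IIS/ISAPI) the redirect never fires, and the `@` hides the unset case instead of handling it. Consider `$https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';` and testing `!$https`. If TLS is ever terminated in front of this server, the variable would presumably stay unset and every GET would redirect to itself, so the header comment should state that assumption. The redirect also only happens after the browser has already sent the request in clear text, so a Strict-Transport-Security header on the https responses would be a useful complement.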
......
......@@ -16,18 +16,9 @@ $this_user = null;
$isadmin = null;
if (!$printable && LoginStatus()) {
if (!@$HTTPS) {
# redirect to secure site, otherwise CheckLoginOrDie will fail
$new_url = "https://$WWWHOST$REQUEST_URI";
header("Location: $new_url");
PAGEHEADER("Bibliography");
echo "<p>Please use $new_url when logged in.</p>";
PAGEFOOTER();
return;
} else {
$this_user = CheckLoginOrDie();
$isadmin = ISADMIN();
}
RedirectHTTPS();
$this_user = CheckLoginOrDie();
$isadmin = ISADMIN();
}
#
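Review bot: The new call to `RedirectHTTPS()` ahead of `CheckLoginOrDie()` (the three lines that appear to be the new side of this section) silently depends on no output having been sent, and the removed comment that explained the redirect has no replacement. RedirectHTTPS only raises an E_USER_WARNING and returns once `$drewheader` is set, so a later edit that moves PAGEHEADER above this block would disable the redirect without any visible failure. I would add `# Must run before PAGEHEADER(): redirects to https, since CheckLoginOrDie will fail over plain http` above the call.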
......
......@@ -17,6 +17,10 @@ $stayhome = 1;
#
if (($this_user = CheckLogin($check_status))) {
$check_status = $check_status & CHECKLOGIN_STATUSMASK;
if ($check_status == CHECKLOGIN_MAYBEVALID) {
# Maybe the reason was because they where not using HTTPS ...
RedirectHTTPS();
}
if (($firstinitstate = TBGetFirstInitState())) {
unset($stayhome);
......@@ -34,14 +38,6 @@ if (($this_user = CheckLogin($check_status))) {
}
return;
}
elseif (isset($SSL_PROTOCOL)) {
# Fall through; display the page.
;
}
elseif ($check_status == CHECKLOGIN_MAYBEVALID) {
# Not in SSL mode, so reload using https to see if logged in.
header("Location: $TBBASE/index.php3");
}
}
# Fall through; display the page.
}
......
......@@ -505,7 +505,10 @@ function LOGGEDINORDIE($uid, $modifier = 0, $login_url = NULL) {
}
break;
case CHECKLOGIN_MAYBEVALID:
USERERROR("Your login cannot be verified. Are cookies turned on? ".
# This error can happen if a user tries to access a page with
# via http instead of https, so try to redirect to https first
RedirectHTTPS(); # will not return if accesses via http
USERERROR("Your login cannot be verified. Are cookies turned on? ".
"Are you using https? Are you logged in using another ".
"browser or another machine? $link", 1, HTTP_403_FORBIDDEN);
break;
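Review bot: The comment on the added call, `# will not return if accesses via http`, overstates what RedirectHTTPS does: it redirects only GET requests, so an http POST returns and reaches USERERROR, which is a sensible fallback but not what the comment says. I would reword the comment lines to `# This error can happen if a page is requested via http instead of https,` and `# so try to redirect first (only GET is redirected; other methods fall through)`. The same applies to the call added under CHECKLOGIN_MAYBEVALID in the index page section above, where the code that runs after a returning call is outside the visible hunk. The enclosing switch in LOGGEDINORDIE starts and ends outside this section.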
......