Auto ReDirect http --> https on first page landing

[andyhill]

I want to make every user use our digital certificate (https), my code below has no effect - please advise - thanks.

 

  if UniSession.SSL = False then begin

    if DB.WantHTTPS = True  then begin

      s:= UniSession.UrlReferer;

      s:= StringReplace(s, 'http', 'https', [rfReplaceAll]);

      UniSession.UrlRedirect(s);

      Close;

    end;

  end;

 

 

[Sherzod]

http://www.unigui.com/doc/online_help/configure_unigui_server.htm

[andyhill]

I have no problems with SSL, all my SSL code works when the user types https://domainname.com

 

What I want to do if the user types http://domainname.com then reroute them to https://domainname.com automatically.

[Sherzod]

This post can help you:

http://forums.unigui.com/index.php?/topic/9184-redirect-http-to-https/

[andyhill]

How and where do I implement this within the Delphi code:-

 

procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);

begin

  if UniSession.SSL = False then begin

    UniSession.AddJS('window.location.href = ''https:'' + window.location.href.slice(5); ');

 

or

 

procedure TLoginmForm.UniLoginmFormCreate(Sender: TObject);

begin

  if UniSession.SSL = False then begin

    UniSession.AddJS('window.location.href = ''https:'' + window.location.href.slice(5); ');

 

 

 

either way it has no effect ?

[pedrisco]

I'm gonna try to recapitulate, but i'm not a web guru so please feel free to correct me if i'm wrong...

 

When you enable SSL, standard way is using port 443 to serve secure layer, and unsecure html is still served at 80.

If you serve any of this protocols in any non standard port (secure=443, not_secure=80), the browser will take the protocol prefixed in the URL (http://=>not secure, https://=>secure), when you use the standard way you can redirect using javascript because the html page was retrieved from the unsecure/plane http port, when you don't you cann't use javascript unless the user writes the right (not secure) port in the url (p.ej. http://yourdomain.com:81).

 

So, you have two stages:

1.Using standard ports.

2.Using non standard ports, lets say https at 444 and http at 81.

 

In the stage 1, you have 3 common stages:

 1.a ) The user writes http://yourdomain.com, so the "redirector javascript" does its job.

 1.b ) The user writes https://yourdomain.com, so the "redirector javascript" has nothing to do (...).

 1.c ) The user writes "yourdomain.com", so the browser tries prefixing "http://", if nothing is found (no response) tries "https://" and goes on.

 

In the stage 2 (non standard ports), you have:

 2.a ) The user writes http://yourdomain.com:81, then the "redirector javascript" does its job.

 2.b ) The user writes https://yourdomain.com:444, then the "redirector javascript" has nothing to do (...).

 2.c ) The user writes "yourdomain.com:444", but your server is serving "https" in this port,  so your browser retrieves encrypted data when is expecting unencryted data, so the browser doesn't "understand" the data so its content is not interpreted, so the javascript won't do the job.

 

I don't know how work IIS and Apache in this context, but the only way i know to redirect from http to https without being forced to serve http somewhere, is using a dns level redirect (masking, forwarding, page-rule, etc.).

 

Hope it helps.

[andyhill]

Thank you pedrisco.

 

My WebApp runs on a local LAN which is accessible publicly via Port Forwarding on the Router Gateway. We route 80 and 443 which all works perfectly.

 

My WebApp knows when we are not in Secure Mode.

 

So, I need to get the browser to approach the URL with "https" port in order to route correctly.

 

I need to be able to re-direct the browser if not in secure mode.

 

  if UniSession.SSL = False then begin

    UniSession.AddJS('window.location.href = ''https:'' + window.location.href.slice(5); ');

  end;

 

I have this code in the MainModule Create as well as the first Form shown create.

 

The UniSession.AddJS is sent but no browser change takes place.

 

Please advise - thanks.

 

[andyhill]

I have come up with a work around for my environment.

 

As general information I have included my redirect research below.

 

        JavaScript Redirect Methods

        //////////////////////////////////////////////////////////////////////////

        // Sets the new location of the current window.

        window.location = "https://www.example.com";

 

        // Sets the new href (URL) for the current window.

        window.location.href = "https://www.example.com";

 

        // Assigns a new URL to the current window.

        window.location.assign("https://www.example.com");

 

        // Replaces the location of the current window with the new one.

        window.location.replace("https://www.example.com");

 

        // Sets the location of the current window itself.

        self.location = "https://www.example.com";

 

        // Sets the location of the topmost window of the current window.

        top.location = "https://www.example.com";

 

        Though the above lines of JS code accomplish a similar job in terms of redirection,

        they have slight differences in their usage. For example, if you use top.location redirect within an iframe,

        it will force the main window to be redirected. Another point to keep in mind is that location.replace()

        replaces the current document by moving it from the history, hence making it unavailable via the Back button of the browser.

 

        It is better to know your alternatives but if you want a cross-browser compliant JavaScript redirect script,

        our recommendation will be to use the following in your projects:

 

        window.location.href = "https://www.example.com";

[pedrisco]

Good to know,

and just for the record, in your first snippet you were trying to redirect using "uniSession.SSL" as a control variable. I don't know what uniSession.SSL means, but in my tests no matter the url is (http or https), it acts just like UniServerModule.SSL.enabled. So, uniSession.SSL cann't be used "TO KNOW" whether the browser request was https or http.