Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
1.6, 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7
-
None
-
All
-
Any
-
MOODLE_16_STABLE, MOODLE_19_STABLE
-
MOODLE_20_STABLE
Description
In all versions of Moodle, lib/weblib.php includes a snippet like this:
if (isset($_SERVER['HTTPS']))
{ $protocol = ($_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://'; }else if (isset($_SERVER['SERVER_PORT']))
{ # Apache2 does not export $_SERVER['HTTPS'] $protocol = ($_SERVER['SERVER_PORT'] == '443') ? 'https://' : 'http://'; }else
{ $protocol = 'http://'; }This doesn't work behind an SSL accelerator (an appliance that converts https: to http
. A better approach:
if (isset($_SERVER['HTTPS']))
{ $protocol = 'https://'; }else if (strncmp($CFG->wwwroot, 'https', 5) == 0)
{ $protocol = 'https://'; }else
{ $protocol = 'http://'; }Also, there are lots of snippets like str_replace('http','https', ...) that break if the host name accidentally includes 'http'. They must be str_replace('http:', 'https:', ...) at the least.
A still better approach would be to use relative URL! And the default protocol must always be derived from the $CFG->wwwroot, not from $_SERVER['HTTPS'] or the port number.
Attachments
Issue Links
- has been marked as being related by
-
MDL-17754 Session improvements and related rewrites
-
- Closed
-