cookies causing "unsecure content" warnings on google chrome? - php

If I visit the home page on my site (which uses CodeIgniter), my homepage is using http.
CodeIgniter sets a cookie containing all the session info.
If I then click login, which is using https, I get unsecure content warnings, and the only thing I can think of it being is the cookies, as if I restart the browser then go straight to https://mysite.com/login then I get no unsecure content warnings.
How can I fix this? (Note that the homepage cannot be https.)

This error comes from content being served over http to a page that's supposed to be https. For example, an <img>, <link>, or <script>.
The thing with CodeIgniter is that it's very likely you're using base_url() or site_url() for full absolute URLs to the embedded content, probably using http.
Here are some things you can do:
Use relative URLs, i.e. <img src="/path/to/images.jpg">
Don't specify a protocol. Example: //example.com/path/to/image.jpg More on this technique here: http://paulirish.com/2010/the-protocol-relative-url/
In the __construct() of the controller that you need to use https (or in the method that needs it), load a different config file that redefines your base url to use https. Note that it will be too late for any scripts/libraries that use the base url for html output before this config file is loaded.
If you load the page in IE, you should get a very nagging error message that will give you a list of all the content that was delivered insecurely to help you troubleshoot (other browsers should have this feature as well, but in IE it's especially prominent).
EDIT: Saw your note that there is nothing on the page being requested via http, only https, and the note about what happens when no cookies are present. My mistake, I just woke up - I should have read the question more thoroughly :p

You are loading unsecure content (usually images/iframes) on your secure (https) login page.
What this means is that you are referencing a link to a page that is not secure (is not https). This will cause the error, and prompt users whether or not to load such content. It's a problem with the links to external content, not your cookies.
Edit: To (temporarily) fix the issue, find any links/references to external content and disable it for the time being, then visit your page and the prompt/error should go away.
To fix the issue, you'll have to download the content or use a file on your site to securely download the content for that page to use.

Related

How to maintain an HTTPS connection with PHP Includes

I currently have a website set up on a secure server.
When I go to my website, the browser will show the HTTPS secure connection symbol at the start of the page load, but then the symbol will be crossed out (google chrome) or disappear (safari) once the page fully loads.
I understand that any files that are not linked to the particular page through an HTTPS path will cause the page to not be considered secure.
I have set up all of my CSS and JavaScript files as being accessed through https://www.example.com/file; however, I understand that all of my PHP includes must also be accessed through the HTTPS secure path.
When I set my php.ini file to "allow_url_include = on" it still does not permit me to include using a URL path. I additionally have the "allow_url_fopen = on" set as well, but I am still not able to URL include using https://www.example.com.
Can someone explain to me how I can make it work so that every PHP include is included via HTTPS, so that all of my pages will be shown as HTTPS in a user's browser? (this is an ecommerce website, so this factor is important for my users to see).
> I have set up all of my CSS and JavaScript files as being accessed through https://www.example.com/file
Good.
You also need to do that for all your images, and any other resources that get included.
> however I understand that all of my PHP includes must also be accessed through the HTTPS secure path.
In general, PHP includes should be done from the file system and not hit HTTP(S) at all (since that is inefficient).
The browser can't see what PHP does though, so it isn't the cause of your problem.

Force SSL Everywhere

I don't really know what is going on or anything, but I want to make my entire site, done in CodeIgniter, SSL encrypted, EVERYWHERE, but the problem is, I have the base_url in the config set to https://www.mysite.com/
But when I load it up, it shows that the page is unsecure (the red crossed-out https on Chrome).
I made sure all the images on the page, all the included css/js files, are all using the https as well, and I still get that error...

having http links on https page but not scripts or css

I have a few http links (internal absolute) on my magento https page. Is it ok to have them for my SSL certificate to be displayed with correct padlock?
Having links to non-http pages is fine. LOADING things from non-https URLs is a big no-no.
At most the user will get a warning about transitioning from a secure to a non-secure page, but it won't affect the padlock on the page.
HTTP links won't break the padlock. Loading assets (images, scripts, stylesheets) into the page via an unencrypted URL will, though. As long as you aren't actually loading unencrypted content into the page, the page won't throw any warnings about insecure content.

how do i perform a url redirection and masking?

I have a URL where I host my webinars, which is provided by a webinar hosting provider. I would like to change that URL to something within my domain.
For example, the webinar URL is something like
http://www.onlinemeetingnow.com/seminar/?id=d181a7640e
I would like to change it to look like something within my domain.
www.mywebsite.com/webinar
Is this possible?
The simplest way of doing this would be to create a PHP script at the desired URL that simply does a readfile () of the target URL. That would give the appearance that your site is hosting the remotely hosted content.
<?php
readfile ('http://www.onlinemeetingnow.com/seminar/?id=d181a7640e');
?>
This approach does require allow_url_fopen to be enabled, which it might not be for security reasons. It also has issues regarding such things as cookies, for example. Say you are using this trick to link to a remote site that requires a login and uses cookies to implement it, people who are logged into the remote site would appear not to be logged in, as their cookie wouldn't be sent to the remote site when you readfile () it.
You could use curl instead, as you have a bit more control, and it doesn't require allow_url_fopen. It still wouldn't be ideal though.
If you can configure your server, you could possibly use something like proxypass or URL rewriting to hide the remote URL.
Other solutions include using an iframe to display the remote site, or using AJAX to load the remote page's markup and inject into your page, but these approaches have their own set of issues that you need to take into account.
In the end, is it really worth the effort needed and the compromises you will have to make to just have the URL appear to be locally hosted when it isn't?
Maybe you want to create that page(s) on your own site and within that page you load the onlinemeetingnow URL. This can be done with an iframe or such, or you can get the HTML code from the page (with cURL or something) and then load that into your own page.

Images not showing up with https

Suddenly, my images are not showing up on my site when accessing https pages. No change in my code. My host did have to recompile their ftp service with SSL support after my request (so I could ftpes my site). Can't think of anything else that would affect my SSL cert. Same thing happens on FF and IE and on different computers.
If I go to your website (https://www.scfootball.org/), I don't see the images, as you said: I get a 403 (Forbidden) error for each one of those -- I can see this using the "Net" tab of the Firefox extension Firebug, for instance.
If I try to see an image directly, without going through the site (for instance: https://www.scfootball.org/widgets/GulloParkHeader.png), then I can see the image.
If you try, make sure you copy-paste the URL to a new tab/window, and not just click on it.
Which means there is some kind of trouble between the website and the access to the images; not on the images themselves.
If I disable the referer in Firefox (the Web Developer toolbar extension allows that easily) and refresh your website's webpage, the images appear.
If I re-enable the referer, and refresh again, then the images don't appear anymore.
Which means there is something, related to the referer, that prevents the images from being sent, and returns a 403 error instead.
Just a wild guess: maybe there's a .htaccess in your widgets directory (or somewhere else) that prevents images from being served if the referer doesn't correspond to a specific domain?
Considering the images are displayed on the site when I access it without HTTPS (i.e. with a URL such as http://www.scfootball.org/index2.php), maybe there is a "protection" in place so your images are not displayed if the Referer is not that non-https website... And that "protection" has not been updated when you switched to HTTPS?
(I've seen that kind of "protection" used to prevent hot-linking of images, for instance)
This is an old post, but it could be hotlink protection too.
If you turn it on an allowed alias for a http:// domain you gotta do it for its https:// too, otherwise it'll deny your images from being called to client.
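Added example (not part of any post on this page): a Python model of the Referer-based hotlink rule both answers suspect, showing how an allow-list written for http:// only produces the reported pattern and what changes once https:// is allowed too. The patterns, the example.com host and the sample Referer values are constructed, and treating an empty Referer as allowed is an assumption taken from the observation that the images load when the referer is disabled.

```python
import re

# Constructed allow-list patterns of the kind a hotlink-protection rule uses.
HTTP_ONLY = re.compile(r"^http://(www\.)?example\.com(/|$)", re.I)
BOTH_SCHEMES = re.compile(r"^https?://(www\.)?example\.com(/|$)", re.I)


def image_status(referer, allowed):
    """Status a Referer-based hotlink rule would return for an image request."""
    if not referer:
        # Typed or pasted URL, or Referer disabled in the browser: let it through.
        return 200
    return 200 if allowed.match(referer) else 403


# Constructed requests: (description, Referer header sent with the image request)
REQUESTS = [
    ("image embedded in the http page", "http://www.example.com/index2.php"),
    ("image embedded in the https page", "https://www.example.com/"),
    ("image URL opened directly (no Referer)", ""),
    ("image embedded on another site", "https://other.example.net/page"),
]


def evaluate(allowed):
    """Map each sample request to the status the given allow-list produces."""
    return {desc: image_status(ref, allowed) for desc, ref in REQUESTS}


if __name__ == "__main__":
    for label, pattern in (("http-only rule", HTTP_ONLY),
                           ("rule allowing both schemes", BOTH_SCHEMES)):
        print(label)
        for desc, status in evaluate(pattern).items():
            print(f"  {status}  {desc}")
```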
I used the Django API to test locally and everything is normal. After deploying SSL, the interface access is normal, but the picture shows 404.
Yeah, "not showing up" is a little vague. If the HTML is served by HTTPS and the images are still being served by HTTP, there's a little security leak inherent in the page, which your browser may deal with in one of several, largely ineffectual, ways.
