0

I am facing one interesting issue. I am replacing my production url [https://www.draoms.com/] with the other url [http://www.draoms.com/login.cfm ] (it’s the same url, just I am appending file name which is executing initially). The problem now is – when I hit the url www.draoms.com it is refreshing continuously…. like in a loop.

This is a production environment, so I cannot directly go and change there. Need to be confident before doing any such changes on prod. Hence taking your help. Thanks in advance.

My application is in ColdFusion.

The code is which I wrote inside index.cfm :

<script>
document.location.replace("http://www.draoms.com/login.cfm");
</script>
Vasu
  • 319
  • 5
  • 19
  • 1
    possible duplicate of [Detect HTTP or HTTPS then force HTTPS in JavaScript](http://stackoverflow.com/questions/4723213/detect-http-or-https-then-force-https-in-javascript) – Regular Jo Dec 17 '14 at 06:24
  • That's ok. This is just to force your http to https using JS. My question is - when I replaced the url from https to http, it is refreshing the url in a loop. – Vasu Dec 17 '14 at 06:47

1 Answers1

3

I guess my question, before going any further, is to ask why you want to redirect to http? Half the integrity of a secure connection is the data being transmitted from a secure point. Lots of sites let users browse pages that don't involve user input ("Home", "About Us") over a standard http connection but when you link to the page with the login form. You go to https://.

A great related-question: https://security.stackexchange.com/questions/1692/is-posting-from-http-to-https-a-bad-practice.

Anyway, the trouble with your javascript is that you aren't checking the the protocol, so you're just infinitely telling the page to redirect.

You can easily adapt the answer from this question: Detect HTTP or HTTPS then force HTTPS in JavaScript

The trouble is that this really isn't a task for javascript. .htaccess/IIS-rewrite can do this for you.

Do you want every https page to redirect to its http:// counterpart? URL rewriting via .htaccess or IIS can do this.

You can learn a lot from this answer: Rewriting URLs from https:// to http:// in IIS7 for IIS.

You can learn from this answer for .htacess: Https to http redirect using htaccess

Cold Fusion can also do this but I prefer to let .htacess handle sitewide redirects.

<cfif cgi.https eq 1>
  <cflocation url="http://www.draoms.com/login.cfm">
</cfif>

You can redirect every https-accessed page to this, you each page to it's http counterpart using something like this.

<cfif cgi.https eq 1>
  <cflocation url="http://www.draoms.com/#cgi.script_name#?#cgi.query_string#">
</cfif>

Again, if it's a global operation especially, I feel like .htaccess or IIS handles this exquisitely.

Community
  • 1
  • 1
Regular Jo
  • 5,190
  • 3
  • 25
  • 47
  • I actually didn't wanted to use http. But somehow requirement comes like this way. But I am surely gonna change it to https as suggested by you. So are you saying that the page refresh is due to this incompatibility of the url from https to http? With 'https' was the original url before. – Vasu Dec 17 '14 at 07:09
  • @Vasu `` This code doesn't look for `https://`, it just redirects the user to the http page, even if they're already on the http page. The javascript I linked suggests you use `if (window.location.protocol == "https:") { document.location.replace("http://www.draoms.com/login.cfm"); }` – Regular Jo Dec 17 '14 at 08:09