1

Since yesterday, I have had a problem with Google Chrome. If I submit a form, Chrome redirects me from https to http. I'm using the Yii2 application function `$this->redirect()`.

Do you know how to solve this?

It has only been happening in Google Chrome, since yesterday.

Thank you very much.

Petr Kvasnička
  • I would suggest checking if the form doesn't have absolute url with `http` protocol in its action attribute. You can also check the configuration of your url manager if the http isn't forced in its `$hostInfo` property. – Michal Hynčica Dec 15 '20 at 12:45

3 Answers

2

Add at the top of index.php:

```php
$_SERVER['HTTPS']='on';
```

Issue 1158169: Form is not Secure issue on new version of chrome

Gander
0

I don't think Chrome is the problem (or maybe it is, but you have to do something server-side for these kinds of situations). It seems to be related to your server configuration. At the end you open the form in HTTPS, submit it, and then it is on the server that you do the redirection.

So, you must find out how to force the use of HTTPS, but from the server, you cannot delegate that responsibility to the browser (not entirely).

Check this post "How to force your site to redirect to https"

I don't know, maybe I'm missing something here. If you can detail more about what happens in that redirect please.

EDIT

It turns out that there is a way to force the browser to use HTTPS, and it is with HSTS. Thanks to Michal Hynčica.

Check out this post What Is HSTS and How Do I Implement It?

About the solution `$_SERVER['HTTPS']='on'`

Is this some kind of hack? Shouldn't this environment variable take the value automatically?

In the end there is something wrong here, because $_SERVER['HTTPS'] = 'off', or if it's not set at all, means that the request was not made over HTTPS, or it could also be that the server is behind a reverse proxy or a load balancer.

I think this is like fooling Yii, specifically the following functions:

web/Request.php

```php
public function getIsSecureConnection()
{
    if (isset($_SERVER['HTTPS']) && (strcasecmp($_SERVER['HTTPS'], 'on') === 0 || $_SERVER['HTTPS'] == 1)) {
        return true;
    }
    // Rest of the function
}
```

ServerRequest.php

```php
public static function getUriFromGlobals()
{
    $uri = new Uri('');

    $uri = $uri->withScheme(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http');
    // Rest of the function
}
```

Why isn't _SERVER[“HTTPS”] set to 1?

Detecting HTTPS vs HTTP on server sending back nothing useful

eniel.rod
  • 1
    You can delegate that responsibility to client using [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). But you should still make sure any request coming through http is redirected to https as described in the answer. – Michal Hynčica Dec 15 '20 at 12:49
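The reverse-proxy case raised in this answer, as an added example that is not part of the original posts or of Yii's code: instead of setting `$_SERVER['HTTPS']='on'` for every request, the scheme is taken from `X-Forwarded-Proto` only when the connection comes from a known proxy. The proxy addresses, the host name, the helper names and the sample requests are constructed assumptions, as is the load balancer setting `X-Forwarded-Proto`.

```php
<?php
// Added example: decide "was this request HTTPS?" behind a TLS-terminating proxy.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // hypothetical load-balancer IPs
const CANONICAL_HOST  = 'shop.example';           // constructed host name

function isSecureRequest(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    // Direct TLS connection: the same test Yii's getIsSecureConnection() starts with.
    if (isset($server['HTTPS'])
        && (strcasecmp((string) $server['HTTPS'], 'on') === 0 || $server['HTTPS'] == 1)) {
        return true;
    }
    // Honour X-Forwarded-Proto only when the TCP peer is a known proxy;
    // any other client can send this header itself.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    return strcasecmp($server['HTTP_X_FORWARDED_PROTO'] ?? '', 'https') === 0;
}

function redirectUrl(array $server, string $path): string
{
    // The scheme of the redirect target follows the scheme the client really used.
    $scheme = isSecureRequest($server) ? 'https' : 'http';
    return $scheme . '://' . CANONICAL_HOST . $path;
}

// Constructed requests, shaped like $_SERVER.
$cases = [
    'direct TLS'                   => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9'],
    'trusted LB, TLS offloaded'    => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'trusted LB, client used http' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'unknown peer sends header'    => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($cases as $label => $server) {
    printf("%-30s -> %s\n", $label, redirectUrl($server, '/order/thanks'));
}
```

In Yii2 itself the same decision is configured on the `request` component through its `trustedHosts` and `secureProtocolHeaders` properties rather than by overriding `$_SERVER`.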
0

If the redirect traffic between your load balancer and server is HTTP, ensure that the offloaded servers have SSL enabled.

Jainender Chauhan