The Slim Framework support forum has moved to http://discourse.slimframework.com. This Tender forum is no longer maintained or monitored.

Updated ContextSensitiveLoginLogout example to Slim 2.x

Brian Nesbitt

06 Dec, 2012 02:19 PM

I updated my ContextSensitiveLoginLogout example to work with Slim 2.x and blogged about it here:
http://nesbot.com/2012/12/6/updated-ContextSensitiveLoginLogout-exa...

  1. 1 Posted by David Rodger on 06 Dec, 2012 11:54 PM

    Thanks for the update, Brian.

    One thing I've been wondering and not seen discussed here (sorry if I missed it) is how to switch between http and https... for example, redirect to a secure login page.

    Any pointers? Thanks

  2. Support Staff 2 Posted by Brian Nesbitt on 09 Dec, 2012 05:27 AM

    Assuming the site is all https after the login, not sure there is anything different here? You just have to watch your cookies on a per domain basis. If I remember right they aren't shared across https/http. So the only part that doesn't work is saving the initial urlRedirect to the session and the flash error (since that is a session cookie as well). Knowing these, you can just pass them as query string data on the redirect to the https login page and change any http in the url to https to maintain the session. There are more complicated redirects back and forth between http and https that used to be used but I think those are long gone. It was mostly because of the overhead of the https encryption on server CPU and bandwidth but it's not so much a concern anymore.

    I think everything else stays the same after that ?!?

  3. 3 Posted by David Rodger on 09 Dec, 2012 07:13 AM

    Thanks, Brian. But I'm not sure I explained it well enough. Since Slim has a mechanism for redirecting, is there a way to switch between http and https with that?

    ...Maybe using a utility function like urlFor(), or even just specifying a path which would match a route pattern?

  4. Support Staff 4 Posted by Brian Nesbitt on 11 Dec, 2012 01:17 PM

    Not that I can think of... nothing specific. I don't think it would be too hard to add some utility stuff around that though.

    The only https item I have on my radar is specifying that a route is only matched against an https url.

  5. 5 Posted by David Rodger on 12 Dec, 2012 12:51 AM

    What about changing Slim::urlFor() to something like...

    public function urlFor($name, $params = array(), $switchScheme = false) {
        $uri = '';
        if($switchScheme) {
            // Flip the current scheme: http <-> https
            $scheme = (substr($this->environment['slim.url_scheme'], -1) == 's') ? 'http' : 'https';
            // A scheme switch needs an absolute URL, so prepend scheme and host
            $uri .= $scheme.'://'.$this->environment['SERVER_NAME'];
        }
        return $uri . $this->request->getRootUri() . $this->router->urlFor($name, $params);
    }
    

    I haven't tried this (just thinking out loud, so to speak). The idea is that if the scheme is to be switched, the full URL including the domain should be returned.

  6. Support Staff 6 Posted by Brian Nesbitt on 14 Dec, 2012 01:33 PM

    I think I would just get the user to optionally specify the scheme. How often do you want to just switch it? Usually, I think, when the call is being made the desired scheme would be known.

    Yes, if it was different than the current scheme then full url would be used.

    The other option that has been talked about (and I have on my to do list) is to add a https helper to the routes. When you define a route you can specify it can only be matched with http or https ... similar to the name() or conditions() methods. Something like..

    $app->get('/login', function() {
       // do something
    })->name('login')->httpsOnly();
    

    This would force the page to be matched against an https scheme only. And then there could be an optional redirect parameter that would indicate to match it against http but first perform a redirect to the same url with https.

  7. 7 Posted by David Rodger on 15 Dec, 2012 09:36 AM

    > How often do you want to just switch it?

    I have to admit my thinking is influenced by a project I'm currently working on, but it's not so far from many web apps. It seems to me that it's fairly common to maintain state using a session storage mechanism rather than HTTP authentication, but to have the user log in via HTTPS. So one would use HTTP most of the time, but use HTTPS for the GET and POST methods of a login page.

    In that respect your suggestion of chaining an httpsOnly() method to a route is a very good one, but on its own it doesn't solve the issue of generating the HTTPS URI.

    But it would be churlish to complain. I'm enjoying using Slim very much and I also enjoy this particular community that surrounds it.

  8. Support Staff 8 Posted by Brian Nesbitt on 15 Dec, 2012 02:35 PM

    Ok, but something like this?

    $app->get('/login', function() use ($app) {
       if ($app->request()->getScheme() !== 'https') {
          $app->redirect('https://domain.com/login');   // <== replace with urlFor() schemeSwitch?
       }
    })->name('login');
    

    Even in that case you know it's not https and you want to change it to https... rather than just randomly switching schemes you still know you want to specify https. Are you using it another way that I am not thinking of?

    Not sure if you might be doing this in a route middleware? Something generic like this I think is the best for now.

    $requireHttps = function ($route) use ($app) {
       $req = $app->request();
          
       if ($req->getScheme() === 'https') {
          return;
       }
    
       if ($route->getName() === null) {
          throw new \RuntimeException('Secure route requires a name!');
       }
    
       $app->redirect('https://'.$req->getHost().$app->urlFor($route->getName()));
    };
    
    $app->get('/login', $requireHttps, function() use ($app) {
       // do something knowing we are already https
    })->name('login');
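
The route middleware in the last post builds the redirect URL from `$req->getHost()`, a request-derived value. The following is an added example, not code from the thread's participants or from Slim, of computing the https target only for hosts on a configured allow-list; `CANONICAL_HOSTS`, `httpsRedirectTarget()` and the sample host names are hypothetical and constructed for illustration.

```php
<?php
// Added example: choose the https:// redirect target for a plain-http request.
// CANONICAL_HOSTS and httpsRedirectTarget() are hypothetical names.

// Hosts this application is willing to redirect to (constructed sample values).
const CANONICAL_HOSTS = ['example.test', 'www.example.test'];

/**
 * Return the https URL to redirect to, or null if no redirect is needed.
 * Throws when the request's host value is not one the application serves.
 */
function httpsRedirectTarget($scheme, $host, $path, array $allowedHosts)
{
    if ($scheme === 'https') {
        return null; // already secure, nothing to do
    }
    // Strip an optional :port and normalise case before comparing.
    $name = strtolower(preg_replace('/:\d+$/', '', $host));
    if (!in_array($name, $allowedHosts, true)) {
        throw new InvalidArgumentException('Unexpected host value');
    }
    // Only a local absolute path may be appended, never "//other-host/...".
    if ($path === '' || $path[0] !== '/' || strpos($path, '//') === 0) {
        throw new InvalidArgumentException('Unexpected path');
    }
    return 'https://' . $name . $path;
}

// Constructed sample requests: [scheme, host value, path as urlFor() would return it].
$samples = [
    ['https', 'example.test', '/login'],
    ['http', 'Example.test:8080', '/login'],
    ['http', 'unknown.invalid', '/login'],
];
foreach ($samples as $s) {
    try {
        $target = httpsRedirectTarget($s[0], $s[1], $s[2], CANONICAL_HOSTS);
        echo ($target === null ? 'no redirect' : $target), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Inside `$requireHttps`, the result of `httpsRedirectTarget($req->getScheme(), $req->getHost(), $app->urlFor($route->getName()), CANONICAL_HOSTS)` would be what is passed to `$app->redirect()`.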
    
