Jump to content


Photo
- - - - -

PL adding https to stylesheet links

https ssl

  • Please log in to reply
5 replies to this topic

#1 infogroupsmb

infogroupsmb

    Advanced Member

  • Members

  • 37 posts
  • Country: Country Flag

Posted 25 April 2013 - 07:27 PM

Please Login or Register to see this Hidden Content

 

Please Login or Register to see this Hidden Content

  122.48KB   9 downloadsWP v3.5.1

PL v2.4

Only part of the domain is on WP, ex: 

Please Login or Register to see this Hidden Content

 

So this behavior has happened twice now, with no apparent cause.  A week ago when saving Site Options PL added https to several of the stylesheet links.  I could tell it was PL because the ones that I en-queued weren't https, just the PL ones.  This caused the pages to fail to render properly.  

 

Just today my boss deleted a couple user accounts, which may have caused PL to save settings again, and all of a sudden we had https back for the PL stylesheets and the site wouldn't render.

 

In both cases the solution was to go back into the PageLines > Site Options and just save.  then the stylesheets were restored to regular http.

 

No one was logged in under https as the admin interface won't even load if I try https.  

 

I'm attaching a screen shot of the stylesheet links as they are now, and I highlighted a few of the stylesheets that were turned into https links.  

 

Though we have a fix once it breaks it isn't acceptable for us to move our whole www domain to WP/PL if it randomly switches to https so we need to figure out the cause and a preventative fix.



#2 Simon_P

Simon_P

    Messer

  • Administrators



  • 8388607 posts
  • LocationDevon
  • Framework Version:2.1.1
  • Country: Country Flag

Posted 25 April 2013 - 09:11 PM

There is no setting that would make those urls ssl.

 

1. the page is ssl, so the css urls are made ssl too, this is done by wordpress.

2. you have added a filter to force a page ssl.

3. you are using a plugin to force a page as ssl.

 

You are using the framework in a different folder and are also using an older version.

 

I have no idea what the Header and Footer sections are.

 

The sections caches and css are stored in the database to save process time. So what *might* be happening is the cache times out, someone views a https url, stuff is cached so the non https urls share the same data.

 

Using mixed ssl/non-ssl pages are always going to be a hack. Thats why if your going to use one, just add the actions/filters described many times in the forums here to force all the css urls to be ssl. Then the pages will always be secure and work.



#3 infogroupsmb

infogroupsmb

    Advanced Member

  • Members

  • 37 posts
  • Country: Country Flag

Posted 25 April 2013 - 09:48 PM

To go through the list you had:

 

1. the page isn't SSL.

2. There are no filters to force a page to SSL.

2. There are no plugins installed to force a page to SSL.

 

We are using a child theme of the pagelines theme, our childtheme folder is DotComWordpress

 

The header/footer sections are sections we created, and earlier developer than myself.  They are customized to the particular look and feel that we needed.  The header/footer sections are fed to our .net application side whenever the PageLines > Page Options are saves or any WP Menu is saved.  Part of the .net application is SSL and in order for it to properly display the content being fed to it by WP the links within the header/footer sections are done in https.  

 

However, the stylesheet links in the actual head tag aren't sent to the .net app, and aren't supposed to be https.  The only ones that ever switch are the PL stylesheets and it only seems to happen when a PL setting is saves.  I definitely know that to undo it we simple go in to PL and save the Page Options.  That is why PL is the suspected cause.

 

In playing around I was able to reproduce the exact opposite effect.  If you go to 

Please Login or Register to see this Hidden Content

  you'll see that the scripts and child stylesheet switch to https, but the PL sections stylesheets do not.  That causes the page to fail to render properly as those stylesheets aren't accessible.  

 

The same thing randomly happens in our production environment in reverse.  The scripts and child stylesheet load in http, but the section stylesheets load in https and due to our domain being split over 2 different sets of servers (WP and .net app) the F5 machine doesn't have the SSL certs for the WP server and can't authenticate them and pass them on so the https requrests get blocked.

 

I don't quite follow the statement "The sections caches and css are stored in the database to save process time. So what *might* be happening is the cache times out, someone views a https url, stuff is cached so the non https urls share the same data."  Can you elaborate how this could happen?



#4 James B

James B

    Advocate

  • Members

  • 5126 posts
  • LocationSurrey - UK
  • Country: Country Flag

Posted 25 April 2013 - 10:51 PM

Hi there,

 

I'm not a developer but following what Simon's mentioned above you'll need to use the following filter to force the css and sections to be ssl.

Please Login or Register to see this Hidden Content

The full thread relating to the above code can be found here -

Please Login or Register to see this Hidden Content



#5 infogroupsmb

infogroupsmb

    Advanced Member

  • Members

  • 37 posts
  • Country: Country Flag

Posted 26 April 2013 - 03:02 PM

Well the problem is that the links are being forced to SSL...and we don't want them to be.  And it appears to randomly occur when PL settings are saves, sometimes their SSL, sometimes not.  Is there a pl_force_not_ssl or can pl_force_ssl be set to __return_false to guarantee the css isn't ever put into ssl?



#6 James B

James B

    Advocate

  • Members

  • 5126 posts
  • LocationSurrey - UK
  • Country: Country Flag

Posted 26 April 2013 - 11:23 PM

The page css should be non ssl as standard, so its something between having half the site using ssl and half not that seems to be causing the problem.

 

There's no hook for pl_force_not_ssl that I'm aware of, I'd imagine setting the ssl to return false would be the same as what the normal framework does anyway.

 

I will check with the developer what the options would be to set the css/sections to never cache and re-generate on each page, to see if this would be a possible solution.