http and https caching to same file??

I have been experiencing a problem on a site we developed when switching between http and https, I believe the problem is related to how pages are currently cached in Modx. It seems that there is only one version of a cached page in Modx. This could lead to problems if a page is accessible under both http or https.

For example, if a visitor comes to a page on your site and the page is not cached, the page will be cached (assuming caching is enabled) under whatever protocol was used (ie. http or https). If a second user then visits the page under the other scheme the cached page will be retrieved but the <base href> tag will most likely be using the wrong scheme. This could lead to incorrect behavior when requesting resources, etc and possible lead to a mixed security content warning to visitors of the site.

I have been experiencing this on a recent site we have developed. For now I have disabled caching but I would really like to re-enable it for obvious performance reasons.

It seems the entire caching system is being updated in the 097 release anyway, but something to think about might be to have two buckets for a cached page, one for http and another for https. The caching architecture could look at the protocol of the request and then see if a cached version of the resource for that protocol exists.

Please let me know if my understanding of how caching in modx is correct.
Thanks, Mike

I don’t believe you should ever allow access to single page from both http and https. That would kind of defeat the purpose would it not?

True, normally if a page requires SSL, we force that page to requested under https.

Here is the case I am talking about, we have a public website for an application written in java. All the public pages can be viewed under regular http. The java application requires SSL, the java app has the URL of https://www.sitename.com/app

All the links in the java application that point to the public pages do use links like: http://www.sitename.com/faq
It is possible for a user to type in the address, or somehow (read error in our linking from the java app) access the page: https://www.sitename.com/faq

Technically this page should work under https, even though it’s also visible under http. I don’t recall a way in Modx to switch schemes (ie. this page should always be http), I guess I could add a rewrite rule to handle this. I’ll look into that.

Thanks for the reply.
Mike

Rewrite rules will be best if no MODx pages need to be https; otherwise, you could use a plugin to see if the specific page being requested should be served by the requested protocol or switch to the other (i.e. http vs https). This is what I’ve done on sites where some pages needed to be served https while forcing others to http.

A little snippet, a placeholder and a TV would solve your problem.

The snippet checks if we have to use SSL or not. Get the value of your ssl TV.
If ssl is required, use
$modx->setPlaceholder(’baseHref’, ’https://www.domain.tld’);
if not, use:
$modx->setPlaceholder(’baseHref’, ’http://www.domain.tld’);

To prevent access to your SSL pages via http, you could fetch the TV value, and if SSL should be on, use:
if (’on’ != $_SERVER[’HTTPS’]) {
// do a redirect or display warning...
}

(preferrably right at the top of your template)