-
-
Save mrrooijen/1035084 to your computer and use it in GitHub Desktop.
class ApplicationController < ActionController::Base | |
protect_from_forgery | |
before_filter :secure_with_ssl | |
private | |
def secure_with_ssl | |
if request.subdomain != 'secure' or request.protocol != 'https' | |
redirect_to :subdomain => 'secure', :protocol => 'https' | |
end | |
end | |
end |
I believe I saw it here:
http://railscasts.com/episodes/270-authentication-in-rails-3-1
In Ryan's show notes:
application_controller.rb
force_ssl
private
def current_user
@current_user ||= User.find(session[:user_id]) if session[:user_id]
end
helper_method :current_user
So I assume you can just use the force_ssl
in any controller you want secured with ssl.
Perfect, I'll give it a shot and let you know how it goes.
Thanks again for the great gist & help.
An update --
I'm deploying to Heroku and had issues when utilizing force_ssl while still trying to retain controller specific ssl and had a 'too many redirects' issue with your original code above. In addition to this, I was also getting an error by utilizing 'request.protocol', so I modified things just a bit and all is working wonderfully now.
Controllers where I didn't need SSL --
def no_secure_subdomain_ssl
if request.subdomain == 'secure' or request.ssl? == true
redirect_to root_url(:host => request.domain, :protocol => 'http' )
end
end
Controllers where I did need SSL --
def secure_subdomain_ssl
if Rails.env.production?
if request.subdomain != 'secure' or request.ssl? != true
redirect_to :subdomain => 'secure', :protocol => 'https'
end
end
end
You'll notice in that last one I would check the Rails environment so that I wouldn't have issues in development.
Thanks again for all the help man!
Fantastic, any idea if there is a per controller override for ssl as well if I go this route?
My thinking thus far is that I'll have it turned off for my public landing page, but on for everything else.