authorFrédéric Guillot <fred@kanboard.net>2014-09-08 16:49:54 +0200
committerFrédéric Guillot <fred@kanboard.net>2014-09-08 16:49:54 +0200
commitbc0fa40b24f73ccce067f2d23e9aae1335c46694 (patch)
treefbb29773ce539428caed617738db2ccd4bf59df3
parent532ea3b8685cb141526fbcd2cd3dd13667452783 (diff)
Fix bug HTTPS detection (issue with IIS)
-rw-r--r--app/Auth/RememberMe.php5
-rw-r--r--app/Core/Response.php2
-rw-r--r--app/Core/Session.php2
-rw-r--r--app/Core/Tool.php23
-rw-r--r--app/helpers.php2
5 files changed, 29 insertions, 5 deletions
diff --git a/app/Auth/RememberMe.php b/app/Auth/RememberMe.php
index 3cf6fc86..50e0bcef 100644
--- a/app/Auth/RememberMe.php
+++ b/app/Auth/RememberMe.php
@@ -3,6 +3,7 @@
namespace Auth;
use Core\Security;
+use Core\Tool;
/**
* RememberMe model
@@ -309,7 +310,7 @@ class RememberMe extends Base
$expiration,
BASE_URL_DIRECTORY,
null,
- ! empty($_SERVER['HTTPS']),
+ Tool::isHTTPS(),
true
);
}
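Review bot: What appears to be the secure argument of this cookie call still follows per-request detection, so whenever `Tool::isHTTPS()` returns false on a site that users reach over TLS, the long-lived remember-me token is issued without the Secure flag. One case to check is TLS terminated in front of PHP, where `$_SERVER['HTTPS']` may be unset; this diff does not show how such deployments are handled. The same dependency applies to the second call in the `-342` hunk, to the session cookie parameters in app/Core/Session.php, and to the HSTS header in `Response::hsts()`. An explicit configuration setting that forces the flag on would be safer than inferring it per request, and the limitation is worth stating in the `isHTTPS()` docblock. The enclosing method starts outside the hunk.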
@@ -342,7 +343,7 @@ class RememberMe extends Base
time() - 3600,
BASE_URL_DIRECTORY,
null,
- ! empty($_SERVER['HTTPS']),
+ Tool::isHTTPS(),
true
);
}
diff --git a/app/Core/Response.php b/app/Core/Response.php
index 1ccf9f5e..347cdde7 100644
--- a/app/Core/Response.php
+++ b/app/Core/Response.php
@@ -246,7 +246,7 @@ class Response
*/
public function hsts()
{
- if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
+ if (Tool::isHTTPS()) {
header('Strict-Transport-Security: max-age=31536000');
}
}
diff --git a/app/Core/Session.php b/app/Core/Session.php
index f072350d..4f44e8e0 100644
--- a/app/Core/Session.php
+++ b/app/Core/Session.php
@@ -35,7 +35,7 @@ class Session
self::SESSION_LIFETIME,
$base_path ?: '/',
null,
- ! empty($_SERVER['HTTPS']),
+ Tool::isHTTPS(),
true
);
diff --git a/app/Core/Tool.php b/app/Core/Tool.php
index 85b684e2..e54a0d3b 100644
--- a/app/Core/Tool.php
+++ b/app/Core/Tool.php
@@ -32,6 +32,15 @@ class Tool
}
}
+ /**
+ * Load and register a model
+ *
+ * @static
+ * @access public
+ * @param Core\Registry $registry DPI container
+ * @param string $name Model name
+ * @return mixed
+ */
public static function loadModel(Registry $registry, $name)
{
if (! isset($registry->$name)) {
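Review bot: The new docblock's `@param Core\Registry` is a relative name, and since this file declares classes under `Core` (RememberMe imports `Core\Tool`), tools will resolve it as `Core\Core\Registry`. Writing `@param \Core\Registry $registry DI container` avoids that; "DPI container" looks like a typo for "DI container", though that is a guess. The body of `loadModel()` continues past the end of this hunk.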
@@ -41,4 +50,18 @@ class Tool
return $registry->shared($name);
}
+
+ /**
+ * Check if the page is requested through HTTPS
+ *
+ * Note: IIS return the value 'off' and other web servers an empty value when it's not HTTPS
+ *
+ * @static
+ * @access public
+ * @return boolean
+ */
+ public static function isHTTPS()
+ {
+ return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== '' && $_SERVER['HTTPS'] !== 'off';
+ }
}
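Review bot: The `!== 'off'` test in `isHTTPS()` is case-sensitive, so a server that reports `OFF` or `Off` for plain HTTP would be classified as HTTPS. In that case the callers changed in this commit would set Secure cookies that the browser never returns over HTTP, send HSTS on a non-TLS response, and build `https://` base URLs. This page does not confirm which casing IIS emits, so a case-insensitive comparison is the safer form: `return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== '' && strtolower($_SERVER['HTTPS']) !== 'off';`. The docblock note could then read "IIS returns 'off' (any case)".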
diff --git a/app/helpers.php b/app/helpers.php
index 0d8409c8..85a2507d 100644
--- a/app/helpers.php
+++ b/app/helpers.php
@@ -65,7 +65,7 @@ function markdown($text)
function get_current_base_url()
{
- $url = isset($_SERVER['HTTPS']) ? 'https://' : 'http://';
+ $url = \Core\Tool::isHTTPS() ? 'https://' : 'http://';
$url .= $_SERVER['SERVER_NAME'];
$url .= $_SERVER['SERVER_PORT'] == 80 || $_SERVER['SERVER_PORT'] == 443 ? '' : ':'.$_SERVER['SERVER_PORT'];
$url .= dirname($_SERVER['PHP_SELF']) !== '/' ? dirname($_SERVER['PHP_SELF']).'/' : '/';
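Review bot: The scheme now comes from `\Core\Tool::isHTTPS()`, but the port check two lines below still omits both 80 and 443 regardless of scheme, so an HTTPS listener on 80 or an HTTP listener on 443 yields a URL pointing at the wrong port. Pairing each default port with its scheme keeps the two consistent: compute `$https = \Core\Tool::isHTTPS();` once and omit the port only when `$_SERVER['SERVER_PORT'] == ($https ? 443 : 80)`. Separately, `$_SERVER['SERVER_NAME']` can reflect the request's Host header under some server configurations, so if this URL ends up in outbound links a configured base URL would be more dependable; where it is used is not visible here. The function body continues past the end of the hunk.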