Alternating between HTTP and HTTPS with every page request

Patch fixed the problem for me as well.

Does this patch resolve #420386: Https does not switch back to http properly?
Is this already in the latest dev or has the fix in #1 not added to Secure Pages yet?

+1, I also had this problem and I also like the patch. I'd like to suggest this be fixed - took me a bit of time to track down the redirect loop.

Subscribing

This patch fixed my site too, of course after checking everything else first. Seems odd to have this bug be lingering so long without an official update.

Marking critical since its a bug that completely breaks the functionality of the module through no real fault of the user. Other then that this is ready to go. Critical could seem extreme but at worse this is a major issue because of the difficulty in debugging the problem.

I wasn't able to reproduce this by following the steps posted by fuerst - could someone please post the exact settings needed to trigger the bug? Thanks!

I don't remember how to get the alternating behavior but you can easily produce unexpected behavior by putting "cart "(with space afterwards) and visiting "/cart". Since spaces in urls will be escaped when we check them, this is a pretty reasonable request. I haven't found a way to make a request with a trailing space anyways.

Its been a great many months since I figured out why the alternating behavior was happening but I'm pretty sure it was linked to page caching and the bug fixed by the patch in #1

Thank you, thank you.

I've always had this problem... even when I tried using the patch, upgrading to the 6.x-1.x-dev version, and trying the patch again....

Same problem here. My configuration:

securepages 6.x-1.x-dev + patch
[x] Switch back to http pages when there are no matches

non-secure: h**p://www.example.com
secure: h**ps://www.example.com

[x] Make secure only the listed pages.
default ones

Ignore pages:
default ones

I made sure there are no spaces in any field.

I posted the following response on http://drupal.org/node/587000 but I'm reposting it here because the title of this thread described the behaviour I was getting. (Hoping this helps rather than puts people off the scent, but I notice some folks aren't having any joy with the patch given above.)

My problem was that with a menu containing a link to a non-secure page and a link to a secure page, that alternately clicking on the menu items caused the secure page to be served in the http scheme rather than https. This happened every second time the secure page was requested.

My comment on the other thread was...

"I applied the patch supplied by @pcave at #10 and this solved my redirect problem:

Set up

• page 'nonsecure' should be served with http and 'secure' with https
• both pages have menu items

To reproduce problem

• starting on home page in http and clicking on 'nonsecure' - OK - 'nonsecure' served from cache with http
• then clicking on 'secure' - OK - 'secure' served in https (hook_boot called once in http then a second time in https; securepages_redirect set the first time, stops loop second time, and is unset correctly in hook_init)
• then clicking on 'nonsecure' - PROBLEM - 'nonsecure' served in http, except securepages_redirect is left set
• then clicking on 'secure' - PROBLEM - 'secure' served in http, since securepages_redirect was set and the redirect could not occur

@pcave's patch saves the day by unsetting securepages_redirect once it's been finished with"

I get an alternating behavior as well. See https://www.kingstonchamber.com/ and refresh the page several times. The only difference in my settings is I have selected "Make secure every page..." with <front> in the Pages field. The patch seems to have no effect.

I fixed my problem with Secure Pages by excluding CKEditor from showing up on the Secure Pages Admin Settings page. This might be a problem with any wysiwyg editor in drupal. It adds unwanted html tags.

Goto your wysiwyg editor global profile settings (for CKEditor: admin/settings/ckeditor/editg). Choose 'visibility settings', make sure exclude is checked, then add the following to the 'Fields to exclude/include' text box:

admin/build/securepages.edit-securepages-pages
admin/build/securepages.edit-securepages-ignore

This should be similar instructions for whatever wysiwyg editor you use.

My front page still alternates between http and https even after the patch.

I'm getting this behavior too.

Subscribing

I have this setup:
- Switch between http and https (checked)
- non-secure url and secure url set
- make secure only the listed pages

If I visit a secured page, refreshing the page it switches to non-secured. Basically this is the issue. If I uncheck "switch between http and https", it will work but it's not the behavior I want.

@tugis can you give the values for your settings(sanitized as needed)? Is there anything in your setup that might also be affecting things like a reverse proxy like varnish or squid?

I'm seeing this problem too. I suspect it's interaction with some other module though.

Putting some debug statements in securepages_redirect() I'm seeing this behaviour:

* Load page (that is listed as secure) as insecure
* $path (from $_GET['q']) contains the path alias for the current page, not the node/xxx path that it should
* It matches anyway in securepages_match() and decides to redirect to secure
* Loads on secure, securepages_redirect() is called twice, once from securepages_boot() and once from securepages_init(). The first time, $page is once again the alias (and it recognises that it's secure and no redirect is required), the second, $page is the node path, which returns 0 from securepages_match() and so it redirects back to HTTP.

It doesn't cause a redirect loop though - the effect is that each refresh of the page flip flops between HTTP and HTTPS.

The only thing of note is that I'm not using standard url_alias paths, instead I'm using the D6 backport of the domain_alias module, which allows for per-domain aliases for pages. This means that the second call to securepages_redirect() from hook_init() doesn't resolve the node path to its alias successfully. I suspect this could be the problem.

It looks like $_SESSION['securepages_redirect'] is what prevents the redirect loop.

Also, hook_boot() appears not to have resolved URL aliases by that point, so it makes sense that $_GET still contains the alias I suppose.

I tried a patch to call custom_url_rewrite_outbound() from securepages_match(), but that caused infinite recursion in my hook_url_outbound_alter() (added with my patch from #893840: Support to pre-rewrite links to the correct protocol instead of redirect (patch)), so I guess the solution in my case is to add both the node IDs and aliases of pages that need to be secure.

Please see http://drupal.org/node/587000#comment-4519010.

duplicate of #420712: Front page toggles between HTTP and HTTPS