HTTPS support


Using IF 2016, what do I need to do to ensure HTTPS is fully supported?
I still have img URLs that use HTTP although the forum itself is accessed through HTTPS.
For example:
<img src="http://www.componentspace.com/Forums/Uploads/Photos/39832c4d-75df-404f-9601-7fae.png"
I saw a KB article which said to set the Application URL under General Settings.
I set this to https://www.componentspace.com/Forums/ but it made no difference.
How do I get the pages including images etc to render fully using HTTPS?
Thanks.



Hi Gavin,

Great to hear from you. I hope things are well. Thank you as always for your post. I'm afraid setting the Application URL via the Admin CP / General Setting page to use https:// won't automatically update images already embedded within posts. If you've recently switched to https from http, images uploaded within posts before the switch will still reference http://.

Of course this will cause mixed content warnings and flag the page as insecure in browsers. I'm afraid we need to use absolute URLs for images uploaded within posts due to the way our URL rewriting works. We stay away from absolute URLs in other areas to avoid issues like this.

To resolve this Gavin, the easiest option would be to execute some TSQL script to perform a global find and replace for those URLs within posts.

I've provided some example TSQL you could use below...

-- Text to find and its https replacement
DECLARE @find nvarchar(2550)
SET @find = '<img src="http://www.componentspace.com/';

DECLARE @replace nvarchar(2550)
SET @replace = '<img src="https://www.componentspace.com/';

DECLARE @postId int
DECLARE @message nvarchar(max)

-- Walk every post in the messages table
DECLARE MSGCURSOR CURSOR FOR
    SELECT PostID, [Message]
    FROM InstantForum_Messages

OPEN MSGCURSOR

FETCH NEXT FROM MSGCURSOR
INTO @postId, @message

WHILE @@FETCH_STATUS = 0
BEGIN

    DECLARE @index int
    SET @index = CHARINDEX(@find, @message);

    -- Only update posts that contain the http image URL
    IF (@index > 0)
    BEGIN

        SET @message = REPLACE(
            @message,
            @find,
            @replace)

        UPDATE InstantForum_Messages SET
            [Message] = @message
        WHERE PostID = @postId

        -- Report the PostID of each updated row
        PRINT CAST(@postId AS nvarchar(255))

    END

    FETCH NEXT FROM MSGCURSOR
    INTO @postId, @message

END

-- tidy cursor
CLOSE MSGCURSOR
DEALLOCATE MSGCURSOR

GO


If a replace is performed the PostID will be written to the SSMS output window. I hope this example helps you resolve the problem. If I can assist further Gavin of course please don't hesitate to respond.

Kindest Regards,

Ryan Healey



ryan@instantasp.co.uk
www.instantasp.co.uk

Hi Ryan
I'm well. I hope all's well with you.
Thank you for the TSQL.
Just to confirm, is InstantForum_Messages the only table that would require updating?
Also, does the Application URL ensure future messages will be stored with the correct https URL?
Regards
Gavin




gavbray - Wednesday, August 23, 2017 6:15 AM



Hi Gavin,

Thank you for your response. Apologies for my delay. That's correct, you should only need to run this against the InstantForum_Messages table. This is the only table that may still reference http links. Other uploads such as user photos and banner images are stored using a relative path from your application root within InstantASP_Users.

Updating the General Settings Application URL and providing a hardcoded https URL will ensure if your site allows both http & https InstantForum will always use https. For example if a user requests the following page http://www.componentspace.com/forum/ this will be loaded over regular http. However as you've hard coded a https URL via the Application URL all links on the page (links to forums, profiles, topics etc) will use https. For example if the user clicked a forum name they would be redirected to the secure version of your site to https://www.componentspace.com/forum/forumname/

If you don't supply an Application URL via the General Settings InstantForum will just use whichever protocol the request came in on to generate further links. All JavaScript & CSS embedded within InstantForum pages use relative URLs so will be served over the same protocol used to serve the initial page request. 

I hope this helps Gavin. If you still have any issues after running the above TSQL or see any mixed content warnings of course please pop a link to the page here and I'll certainly investigate further.

Kindest Regards,

Ryan Healey




Perfect. Thanks Ryan. I'll remove the Application URL in that case.
I'll try the DB update later in the week.



Hi Ryan
I finally got the chance to run your TSQL but I'm still getting http:// links in the HTML.
I see there are rows with <img> elements with alt and data-download-url attributes with http:// URLs.
I modified your TSQL to update these as well.
Also, although the table contains 1879 rows, only 30 were affected.
If I look at some of the non-affected rows I don't see any URLs.
Does that make sense?
I'm not sure why only a few rows include <img> HTML when all the forum topics I looked at as well as the main forum page etc include http:// URLs.
What else do I need to do to remove the http:// URLs?
Regards
Gavin



Hi Gavin,

Thank you so much for your response. I'm sorry to hear this didn't fully resolve the problem.

Taking a closer look at your site today I can see a few images that are still being loaded over http://. It seems your profile photo is still being loaded over http://. You can see this below...



Whilst by default we don't use absolute URLs for profile photos it is possible to provide an absolute URL for the profile photo within the database and InstantForum will still display this correctly. We did use absolute URLs in a previous version so still support this for customers upgrading. I wonder if this is the case or if this was manually added to the database.

You can take a quick look via SQL Server Management Studio using the following query. This will show you all the URLs stored in your database for profile photos...

SELECT PhotoImage FROM InstantASP_Users


If you see absolute URLs within the results that are still using http these are likely the problem. 

You can use the similar TSQL script below to iterate through the profile photos and ensure if they are an absolute URL that contains http then this is replaced with https... 

-- Scheme to find and its https replacement
DECLARE @find nvarchar(2550)
SET @find = 'http://';

DECLARE @replace nvarchar(2550)
SET @replace = 'https://';

DECLARE @userId int
DECLARE @photo nvarchar(max)

-- Walk every user's profile photo value
DECLARE MSGCURSOR CURSOR FOR
    SELECT UserID, PhotoImage
    FROM InstantASP_Users

OPEN MSGCURSOR

FETCH NEXT FROM MSGCURSOR
INTO @userId, @photo

WHILE @@FETCH_STATUS = 0
BEGIN

    DECLARE @index int
    SET @index = CHARINDEX(@find, @photo);

    -- Only update photos stored as an absolute http URL
    IF (@index > 0)
    BEGIN

        SET @photo = REPLACE(
            @photo,
            @find,
            @replace)

        UPDATE InstantASP_Users SET
            PhotoImage = @photo
        WHERE UserID = @userId

        -- Report the UserID of each updated row
        PRINT CAST(@userId AS nvarchar(255))

    END

    FETCH NEXT FROM MSGCURSOR
    INTO @userId, @photo

END

-- tidy cursor
CLOSE MSGCURSOR
DEALLOCATE MSGCURSOR

GO


If the problem persists Gavin, this would possibly suggest a hard coded application URL via the Admin CP > General Settings page has been provided and is not using https. Ensure this reads https://www.componentspace.com/Forums/.

Both TSQL scripts will only modify the rows that match the @find value. All other rows will be ignored which may explain why you only see 30 rows being affected. I hope I've understood this correctly. Of course please don't hesitate to correct me here if I'm not understanding correctly. 

I hope the above helps Gavin. I look forward to hearing from you and assisting further,

Kindest Regards,

Ryan Healey



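A set-based alternative to the two cursor scripts in this thread, added here as an example and not InstantASP's own code. It goes beyond them by matching the site's host prefix anywhere in a post (so the alt and data-download-url values mentioned above are covered), and it narrows the photo update to that same host. Column types are assumed from the scripts above, and every URL on www.componentspace.com is assumed to be reachable over https.

```sql
-- Added example (not InstantASP's script). Table and column names are those
-- quoted in this thread; column types are assumed from the scripts above.
SET XACT_ABORT ON;  -- any error (e.g. truncation) rolls the whole batch back

DECLARE @find    nvarchar(255) = N'http://www.componentspace.com/';
DECLARE @replace nvarchar(255) = N'https://www.componentspace.com/';
DECLARE @posts int, @photos int;

-- 1. Preview: rows that hold the insecure prefix, before anything changes.
SELECT 'InstantForum_Messages' AS TableName, COUNT(*) AS RowsToFix
FROM InstantForum_Messages
WHERE CHARINDEX(@find, CAST([Message] AS nvarchar(max))) > 0
UNION ALL
SELECT 'InstantASP_Users', COUNT(*)
FROM InstantASP_Users
WHERE CHARINDEX(@find, PhotoImage) = 1;

BEGIN TRANSACTION;

-- 2. Posts: rewrite the prefix wherever it occurs in the stored HTML, so
--    src, alt and data-download-url values are all covered in one pass.
UPDATE InstantForum_Messages
SET [Message] = REPLACE(CAST([Message] AS nvarchar(max)), @find, @replace)
WHERE CHARINDEX(@find, CAST([Message] AS nvarchar(max))) > 0;
SET @posts = @@ROWCOUNT;

-- 3. Profile photos: only absolute URLs on this site's own host; relative
--    paths such as Uploads/Photos/... never match and are left alone.
UPDATE InstantASP_Users
SET PhotoImage = REPLACE(PhotoImage, @find, @replace)
WHERE CHARINDEX(@find, PhotoImage) = 1;
SET @photos = @@ROWCOUNT;

COMMIT TRANSACTION;

PRINT N'Posts updated: ' + CAST(@posts AS nvarchar(20))
    + N', photos updated: ' + CAST(@photos AS nvarchar(20));

-- 4. Left over: images embedded from other hosts over http. These still
--    cause mixed-content warnings and need a per-host decision.
SELECT PostID
FROM InstantForum_Messages
WHERE CHARINDEX(N'src="http://', CAST([Message] AS nvarchar(max))) > 0;
```

Take a database backup before running it; the preview counts in step 1 should match the counts printed after the commit.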

Thanks Ryan. That did the trick.
One thing I noticed in the PhotoImage table is that some URLs are absolute and others are not.
For example, the following entries are from that table.
https://www.componentspace.com/Forums/Uploads/Photos/....png
Uploads/Photos/...png
Should I be able to remove the https://www.componentspace.com/Forums/ from the entries in this table or is it better to leave the absolute URLs?



gavbray - Tuesday, September 5, 2017 3:24 AM


Hi Gavin,

I'm pleased to hear this helped :)

Yes, providing the images are local on your server (within the uploads folder) you can safely remove your absolute URL from the PhotoImage field. To ensure all images are served over https going forward I would ensure your Application URL field within the Admin CP > General Settings page reads https://www.componentspace.com/Forums/ as shown below...



It's worth noting if you enable Windows Azure Blob Storage within InstantForum the absolute URL to the blob storage container will always be stored within the InstantForum database for profile photos, images embedded within posts as the images of course don't exist locally on your server. Azure uses https by default so mixed content warnings should not be an issue but I just wanted to mention this. 

I hope the above helps Gavin. Of course if I can assist further with anything please don't hesitate to respond.

Kindest Regards,

Ryan Healey




Thanks Ryan.