Details
-
Type: Bug
-
Status: Open
-
Priority: Trivial
-
Resolution: Unresolved
-
Affects Version/s: 4.7.18
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
-
Versioning Impact:Patch (backwards-compatible bug fixes)
-
Documentation Required?:None
-
Funding Source:Needs Funding
-
Verified?:No
Description
While investigating CRM-19609, I saw that the "Force Secure URLs" setting actually duplicates requests to CiviCRM while checking if those requests will be handled correctly.
CRM_Utils_System::redirectToSSL calls CRM_Utils_System::checkURL before redirecting the user
CRM_Utils_System::checkURL requests the URL via GET, and passes through $_COOKIE
For redirected requests which are not idempotent (eg IPN, some API calls, and mail tracking) this seems like it might result in incorrect data?