POST data lost in HTTPS load without server name... why?

[Orthoducks]

The problem: when the site loads a page using HTTPS, the new page is loaded but $_POST is empty.

I figured out how to fix it, but I'm posting for two reasons. First, to ask for insight into why the problem happened. Second, to help anyone who encounters the same problem.

I first tested the site with a temporary URL provided by the hosting service. This had the form servername.hostname.com/~accountname. For this test I used a self-signed certificate which covered servername.hostname.com. Everything worked.

Then I assigned the site its own domain name, created a certificate for www.owndomain.com, and tested again. That is when the problem occurred.

The cause: I was generating the URL of the HTTPS page without a server name; that is, in the form https://owndomain.com instead of https://www.owndomain.com.

I have a rewrite rule that rewrites owndomain.com to www.owndomain.com, and I suspect that has something to do with the problem. I believe a rewrite rule must explicitly incorporate parameters into the rewritten URL if it wants them, but since I'm using POST, not GET, I shouldn't have to do that (and can't).

More experienced developers, please: any insights into what happened?

[TimIgoe]

When you do a redirect, the post data indeed will be lost for some types, you can set a redirection to ask the user if post data should be re-sent, a 307 i think it is (off hand).

You should be doing the redirect THEN dealing with the https to sort the problem with needing an ssl for both.

Equally, could you not correct the post requests to post to the correct url (www. ) to avoid the redirectoin?

[dklynn]

OD,

I'm pleased that you found the answer (using the correct www'd version to match the certificate) but I do not understand why the $_REQUEST array ($_POST and $_GET) are affected in any way. Saying that, there must be something in your .htaccess which is doing that to you. Care to post it all (mask the domain name - it's not critical) so we can actually help?

Regards,

DK

[Orthoducks]

Tim may have the answer, but I don't entirely understand what he said yet.

I'm posting the .htaccess file for dklynn. Another perspective won't hurt even if Tim is right.

The same .htaccess file is used on two different sites (QA and production), and so contains two mutually exclusive rewrite rules. I'm representing their doman names by aaaaa and bbbbb. This site (the QA site) is bbbbb.

Options +FollowSymlinks
RewriteEngine on
rewritecond %{http_host} ^aaaaa\.com [nc]
rewriterule ^(.*)$ http://www.aaaaa\.com/$1 [r=301,nc]
rewritecond %{http_host} ^bbbbb\.com [nc]
rewriterule ^(.*)$ http://www.bbbbb\.com/$1 [r=301,nc]

[TimIgoe]

That rewrite alone shouldn't do anything if the user has already gone to www. - I can't just remember off hand what a 301 does with POST data.

[dklynn]

OD,

I searched at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html for an Apache code which would resend the $_POST array. It was a quick search but I couldn't find anything (307 is Temporary Redirect). As I don't believe that the Redirect used would alter the $_REQUEST ($_GET, $_POST & $_COOKIE} array, I didn't expect an array resent code.

Your mod_rewrite code is okay (not preferred - lowercase is not wrong but just not preferred) and the NC in the RewriteRule is ... well, absurd (what case is (.*)?). What your code does is merely force www. on both your domains. Why not merely use:

Code:

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .? http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This, too, should not cause the $_REQUEST array to be withheld or altered.

Regards,

DK