I have been poking code around for better SSL support for my current needs with SS. I think this will help you out some. Drop this function in your Page_Controller.php:

    /**
     * Beginnings of a patch for proper SSL on actions support
     *
     * Using my own over Director::forceSSL() because those functions ignore SSL
     * when a site is in Dev mode...which makes testing SSL unmanageable.
     */
    protected function _checkSSL() {
        $needSSL = $inSSL = $destURL = false;
        // Detect whether the current request already arrived over SSL
        $inSSL = ( isset($_SERVER['SSL']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ) ? true : false;

        // Get static $ssl_actions and see if we need SSL
        // How do we get the topmost $ssl_actions or do we want to inherit parents with combined_static?
        if($all_ssl_actions = Object::combined_static($this, 'ssl_actions') and is_array($all_ssl_actions) ) {
            $action = $this->getRequest()->latestParam('Action'); // $this->getAction() always empty??
            if( in_array($action,$all_ssl_actions) or
                (in_array('index',$all_ssl_actions) and is_null($action) ) ) {
                $needSSL = true;
            }
        }

        // Rewrite only the leading scheme: str_replace does all instances in a string,
        // which would also change a URL inside the URI, ie. ?backURL=http://mysssite.com/Security/login
        if( $needSSL and !$inSSL ){
            $destURL = preg_replace('/^http:/i', 'https:', Director::absoluteURL($_SERVER['REQUEST_URI']));
        } elseif( !$needSSL and $inSSL ) {
            $destURL = preg_replace('/^https:/i', 'http:', Director::absoluteURL($_SERVER['REQUEST_URI']));
        }

        if( $destURL ) {
            header("Location: $destURL", true, 301);
            // REQUEST_URI is client-supplied, so escape it before putting it in the fallback HTML
            $safeURL = htmlspecialchars($destURL, ENT_QUOTES, 'UTF-8');
            die('<h1>Your browser is not accepting header redirects</h1><p>Please <a href="'.$safeURL.'">click here</a></p>');
        }
    }

Add this to your Page_Controller init() function:

    public function init() {
        parent::init();
        $this->_checkSSL();
    }

Now, to use this just add the following to any of your controllers to force SSL for the specific actions/forms you need to protect with SSL:

    public static $ssl_actions = array(
        'checkout',
        'CardCheckoutForm',
        'TermsAndConditions'
    );

It isn't as good as it can be, but it is certainly a good start.
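
The code comment in the post asks what happens when the request URI carries another URL, such as a backURL parameter. The sketch below is an added example, not code from the original post or from SilverStripe: it restates the redirect decision as plain PHP so the scheme rewrite can be compared against str_replace. The function names swapScheme and sslRedirectTarget, the shop.example host and all sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the original post: the redirect decision as plain
// PHP so it can be run without SilverStripe. Function names are hypothetical.

/** Rewrite only the leading scheme of an absolute URL. */
function swapScheme($url, $toScheme) {
    return preg_replace('#^https?:#i', $toScheme . ':', $url, 1);
}

/**
 * Return the URL to redirect to, or null when no redirect is needed.
 * A null $action is the default action, matched against 'index' as in the post.
 */
function sslRedirectTarget($action, array $sslActions, $inSSL, $absoluteUrl) {
    $needSSL = in_array($action === null ? 'index' : $action, $sslActions, true);
    if ($needSSL && !$inSSL) {
        return swapScheme($absoluteUrl, 'https');
    }
    if (!$needSSL && $inSSL) {
        return swapScheme($absoluteUrl, 'http');
    }
    return null;
}

// Constructed sample input: a protected action whose query string carries a URL.
$sslActions = array('checkout', 'CardCheckoutForm', 'TermsAndConditions');
$url = 'http://shop.example/cart/checkout?backURL=http://shop.example/Security/login';

// str_replace rewrites every "http:", including the one inside backURL.
echo 'str_replace: ', str_replace('http:', 'https:', $url), "\n";
// The anchored rewrite changes the leading scheme and leaves backURL alone.
echo 'anchored:    ', sslRedirectTarget('checkout', $sslActions, false, $url), "\n";

// Protected action already on HTTPS: null, so the request proceeds.
var_dump(sslRedirectTarget('checkout', $sslActions, true, swapScheme($url, 'https')));
// Unprotected action reached over HTTPS: sent back to HTTP, as in the post.
echo sslRedirectTarget('view', $sslActions, true, 'https://shop.example/cart/view'), "\n";

// The fallback link embeds a client-supplied URI, so escape it for HTML.
$odd = 'http://shop.example/cart/checkout?note="><b>x</b>';
$target = sslRedirectTarget('checkout', $sslActions, false, $odd);
echo '<a href="', htmlspecialchars($target, ENT_QUOTES, 'UTF-8'), '">click here</a>', "\n";
```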