Taming mobile and secure pages

Setting up HTTPS configuration is easy ...

To build additional security on special pages on a website (e.g. a user form), the module Secure Pages has proved its worth. With it, you simply configure a domain within Drupal to be used for the secure connection, (provided that the server is configured correctly). With additional settings, you can specify several pages to be secured.

... and a mobile domain too, ...

To provide your page with a special theme for mobile devices, the module Mobile Tools is a good solution. You simply enter your mobile domain in the configuration and mobile devices are redirected to that page, with the theme switched to the selected one.

... but they don't want to work together!

But now, if you want to benefit from both modules, it comes to a small desaster, because we also have to care about mobile secure pages. Especially if a module like GlobalRedirect is activated, trouble occurs.

In such a situation, it will hapen that - on a mobile device - you get redirected from the desktop url to the mobile domain. But there securepages recognizes that the given page shall be delivered via https. So it redirects you to the configured https domain, which is a desktop url. But there mobile_tools wants us to go to the mobile domain. With all these redirects we end up with an error message like: Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.. The settings caused a circular reference on the redirects.

In an example, we have the domain http://www.example.com and its secure page https://www.example.com, the domain configured in securepages. In the moment we set up the mobile site http://m.example.com, in most cases we also need the mobile https equivalent https://m.example.com. But neither Mobile Tools nor SecurePages offer us these settings - at least not in the configration forms.

We need a tamer!

This tamer we find  inside settings.php. Because as long as the configuration variables aren't stored in the database (more precisely: in the table {variable}), we simply can set them up within settings.php.

To avoid storing these values in the database I wrote a little sandbox and published it on http://drupal.org/sandbox/derhasi/1399172 (currently only for Drupal 6). It will delete the special variables from the database, after the Mobile Tools or SecurePages configuration form was sent.

But now let's take a look at the snippet for settings.php, with which we avoid the circular reference:

// Let mobile tools work with secure pages.
// We have to set the base_url too, so e.g. globalredirect
// will not force a wrong redirect.
$desktop_url = 'www.example.com';
$mobile_url = 'm.example.com';
$secure = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on');
// On mobile requests, mobile path provide the secure settings.
if ($_SERVER['HTTP_HOST'] == $mobile_url) {
  $conf['securepages_basepath'] = "http://$mobile_url";
  $conf['securepages_basepath_ssl'] = "https://$mobile_url";
  $base_url = ($secure) ? "https://$mobile_url" : "http://$mobile_url";
else {
  $conf['securepages_basepath'] = "http://$desktop_url";
  $conf['securepages_basepath_ssl'] = "https://$desktop_url";
  $base_url = ($secure) ? "https://$desktop_url" : "http://$desktop_url";
// On secure pages, mobile and desktop urls are https urls.
if ($secure) {
  $conf['mobile_tools_mobile_url'] = "https://$mobile_url";
  $conf['mobile_tools_desktop_url'] = "https://$desktop_url";
else {
  $conf['mobile_tools_mobile_url'] = "http://$mobile_url";
  $conf['mobile_tools_desktop_url'] = "http://$desktop_url";

With this configuration, SecurePages and Mobile Tools now react on the given circumstances (https or mobile) on each request, and set the correct base and configuration domains.

The snippet is available in default.settings.inc of the repository.

Extra hint

In addition to the MobileTools and SecurePages configuration, you also need to keep an eye on your custom redirects and rewrites. For example, if you let .htaccess redirect www.example.com to example.com, this will lead to a circular reference of redirects too (with the above settings).