Forum: Ruby on Rails Wierd 'Being redirected to non-secure' warnings but entire s

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Bill W. (Guest)
on 2007-03-09 21:27
(Received via mailing list)
Greetings all,

Apologies in advance for the cross-post.

I just got a report that I really need some help understanding.

My site ( www.yourtimematters.com ) is set up so that
1) any attempted access to yourtimematters.com gets redirected to
www.yourtimematters.com
2) all access to www.yourtimematters.com takes place using https://

The visitor I was walking through the app with (over the phone) was
getting warnings as she advanced from page to page that she was "being
redirected to a non-secure page."  If she clicked OK, she was taken to
https:// the_next_page.  This happened on every page within the app.

What could be causing this?  The entire site is secured.  All of the
pages advance via a button that's a form_tag{:controller =>
'some_controller', :action => 'some_action'} with nothing in the form
but the submit_tag.  All the pages are being served from the app by
mongrel through Apache to the browser.

This is the only visitor that's seen this behavior, but I assume that if
she saw it, others will too.  She was accessing the site from her office
at Adobe, so I assume there's some pretty heavy firewall stuff going on.
Could something on her end be causing this?

Any ideas?

Thanks in advance,
Bill
wesgarrison (Guest)
on 2007-03-09 21:35
(Received via mailing list)
Looks like your "mainnav" links are hard-coded to http, not https.
Are you using link_to everywhere?

  -- Wes
Bill W. (Guest)
on 2007-03-09 23:52
(Received via mailing list)
Hi Wes,

wesgarrison wrote:

> Looks like your "mainnav" links are hard-coded to http,
> not https.

That was a good catch.  I'd forgotten to change that.  Unfortunately,
that
wasn't it.

> Are you using link_to everywhere?

No.  The problem looks to be caused when I'm doing a redirect_to from
one
controller method to another.  That generates a 302 header which IE 6 is
having a problem with.

Do you (or anyone reading this) know if the 302 header says anything
about
where the move is headed?  Like maybe there's a default setting that
says
"going to http://"+new_location that I could override and get to say
"going
to https://"+new_location ?  Do routes maybe figure in this somehow?
Any
ideas are very, very welcome.

Thanks,
Bill
wesgarrison (Guest)
on 2007-03-10 01:49
(Received via mailing list)
On Mar 9, 3:52 pm, "Bill W." <removed_email_address@domain.invalid> wrote:
>
> Thanks,
> Bill


I've used this before to force everything to https:

In application.rb:

# Force https usage for all links and redirects
# Only do this in production-ish modes, though, because localhost
# probably doesn't have SSL enabled
  if %w(production staging demo etc).include?(ENV['RAILS_ENV'])
    def default_url_options(options)
      { :protocol => 'https://' }
    end
  end

As for the redirects, your log should have a line like this:
Redirected to http://127.0.0.1:3000/
Completed in 0.09400 (10 reqs/sec) | DB: 0.09400 (100%) | 302 Found
[http://127.0.0.7/etc/show]

That'd show you if you're being redirected to https or not.  I'd try
the first thing to see if it worked, though.  If anyone else has a
reason not to do that, I'd like to hear it, too. It's worked okay for
me for several months, though.

   -- Wes
Bill W. (Guest)
on 2007-03-10 02:54
(Received via mailing list)
Way cool.  Looks like what I'd expected to find.  Thank you.  I'll give
it a
shot and let you know what happens.

Thanks much,
Bill
This topic is locked and can not be replied to.