Forum: Ruby http to https redirect

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Reji K. (Guest)
on 2009-02-10 13:34
hi all,
    Needed some help with http to https redirection. I have a
requirement wherein the login page alone should have https enabled. ie
the user name & password should be sent to server in encrypted form.
Once the validation is done, it has to come back to http again. I am
using apache, compiled with ssl enabled. Initially I tried to have the
initial request (first url the user types in) itself in https and then
redirect to http. But I have re-login requests from many places in the
application (password change, session expiry etc), where I have to do
the http to https redirection again to display the initial login page.
This was causing permission issues for some of the java scripts in those
locations. So  to avoid that I put a dummy function (action), as the
first one. User types in http address only. This dummy action will then
redirect to https before rendering the login page. Once the validation
is done it is again changed back to http. The re-login actions also work
as they go back to this dummy action which is in http only. The sequence
is as follows

http://localhost:4000/login/prompt        (as entered by user. prompt is
dummy)
https://localhost:4001/login/secureprompt (to https. renders login page)
http://localhost:4000/login/show_frame    (inside the application)

The prompt action is as follows
  def prompt
    full_url = "https://localhost:4001/login/secureprompt"
    redirect_to full_url
  end

Eventhough the login page is in https, it is found that the user name &
password can be seen by capturing the packets using the tool "HTTP
Analyzer". Could somebody please explain why this is happening? Any help
is appreciated.
Reji K. (Guest)
on 2009-02-10 13:38
I am based out of Bangalore, India. Please excuse if you find any delay
in my responses, as my day time can be different from yours :).
Reji K. (Guest)
on 2009-02-10 13:48
Or is it that we have to encrypt the user name & password in the
application itself, before sending to the server. Enabling https alone
won't suffice ?
Reji K. (Guest)
on 2009-02-10 13:57
I removed the back and forth redirection between http and https. Now it
is completely https. But still I am able to see the user name and
password as such (without any encryption) in the http analyzer as such.
Reji K. (Guest)
on 2009-02-10 14:53
Well, just came to know that http analyzer hooks into windows APIs and
gives the info. So it is actually showing data before the ssl APIs are
called, and hence not exactly what is being transferred over network.
Please comment on the correctness of this info as well.
This topic is locked and can not be replied to.