Ssl_requirement redirecting to http from an https screen


#1

I installed the ssl_requirement plugin & got it working w/my server
(lighty scgi) without too much difficulty.

I have some pages that require ssl (login for example) and some pages
that do not. My problem is that once the site’s been redirected to an
ssl_required action, I don’t seem to be able to redirect back to a
non-ssl required page.

From some of the searching I’ve done on Google, it seems that the
expectation is that once you’ve switched over to an ssl page, you’re not
supposed to go back. I think this is a major hassle as it means that I
have to mark every action in my controllers w/the ssl_allowed parameter
and I have a lot of them.

Is there someone out there who knows how to make this work?

Thx
Noah


#2

On Mar 29, 2007, at 7:24 PM, Noah wrote:

> you’re not supposed to go back. I think this is a major hassle as it means
> that I have to mark every action in my controllers w/the ssl_allowed
> parameter and I have a lot of them.
>
> Is there someone out there who knows how to make this work?

If you meant that you want some actions to only be accessed over
http, you might want to do something like the following:

class MyController < ApplicationController
  # Send any HTTPS request back to plain HTTP, except for :my_ssl_action.
  before_filter :redirect_to_http, :except => :my_ssl_action

  def redirect_to_http
    redirect_to :protocol => "http://" and return false if @request.ssl?
  end

end

James.


James S.
Play: http://james.anthropiccollective.org
Work: http://jystewart.net/process/


#3

Thanks for the reply James, but the ssl_requirement already contains
this.

def ensure_proper_protocol
  return true if ssl_allowed?
  if ssl_required? && !request.ssl?
    redirect_to "https://" + request.host + request.request_uri
    return false
  elsif request.ssl? && !ssl_required?
    redirect_to "http://" + request.host + request.request_uri
    return false
  end
end

I put some debug statements in the code and got this in my log:
ssl_required? && !ssl_required? evaluated to true => /login/signin
Redirected to http://localhost/login/signin

So Rails seems to be intercepting it properly, the problem is that in my
browser, the url is this: https://localhost/login/signin

Somehow, (in Lighty maybe?) it never gets changed.

But thanks for the suggestion.

Noah
