Wierd 'Being redirected to non-secure' warnings but entire s

wpwood · March 9, 2007, 8:26pm

Greetings all,

Apologies in advance for the cross-post.

I just got a report that I really need some help understanding.

My site ( www.yourtimematters.com ) is set up so that

any attempted access to yourtimematters.com gets redirected to
www.yourtimematters.com
all access to www.yourtimematters.com takes place using https://

The visitor I was walking through the app with (over the phone) was
getting warnings as she advanced from page to page that she was “being
redirected to a non-secure page.” If she clicked OK, she was taken to
https:// the_next_page. This happened on every page within the app.

What could be causing this? The entire site is secured. All of the
pages advance via a button that’s a form_tag{:controller =>
‘some_controller’, :action => ‘some_action’} with nothing in the form
but the submit_tag. All the pages are being served from the app by
mongrel through Apache to the browser.

This is the only visitor that’s seen this behavior, but I assume that if
she saw it, others will too. She was accessing the site from her office
at Adobe, so I assume there’s some pretty heavy firewall stuff going on.
Could something on her end be causing this?

Any ideas?

Thanks in advance,
Bill

wpwood · March 9, 2007, 8:35pm

Looks like your “mainnav” links are hard-coded to http, not https.
Are you using link_to everywhere?

– Wes

wpwood · March 9, 2007, 10:52pm

Hi Wes,

wesgarrison wrote:

Looks like your “mainnav” links are hard-coded to http,
not https.

That was a good catch. I’d forgotten to change that. Unfortunately,
that
wasn’t it.

Are you using link_to everywhere?

No. The problem looks to be caused when I’m doing a redirect_to from
one
controller method to another. That generates a 302 header which IE 6 is
having a problem with.

Do you (or anyone reading this) know if the 302 header says anything
about
where the move is headed? Like maybe there’s a default setting that
says
“going to http://”+new_location that I could override and get to say
“going
to https://”+new_location ? Do routes maybe figure in this somehow?
Any
ideas are very, very welcome.

Thanks,
Bill

wpwood · March 10, 2007, 12:49am

On Mar 9, 3:52 pm, “Bill W.” [email protected] wrote:

Thanks,
Bill

I’ve used this before to force everything to https:

In application.rb:

Force https usage for all links and redirects

Only do this in production-ish modes, though, because localhost

probably doesn’t have SSL enabled

if %w(production staging demo etc).include?(ENV[‘RAILS_ENV’])
def default_url_options(options)
{ :protocol => ‘https://’ }
end
end

As for the redirects, your log should have a line like this:
Redirected to http://127.0.0.1:3000/
Completed in 0.09400 (10 reqs/sec) | DB: 0.09400 (100%) | 302 Found
[http://127.0.0.7/etc/show]

That’d show you if you’re being redirected to https or not. I’d try
the first thing to see if it worked, though. If anyone else has a
reason not to do that, I’d like to hear it, too. It’s worked okay for
me for several months, though.

– Wes

wpwood · March 10, 2007, 1:54am

Way cool. Looks like what I’d expected to find. Thank you. I’ll give
it a
shot and let you know what happens.

Thanks much,
Bill