hi all, Needed some help with http to https redirection. I have a requirement wherein the login page alone should have https enabled. ie the user name & password should be sent to server in encrypted form. Once the validation is done, it has to come back to http again. I am using apache, compiled with ssl enabled. Initially I tried to have the initial request (first url the user types in) itself in https and then redirect to http. But I have re-login requests from many places in the application (password change, session expiry etc), where I have to do the http to https redirection again to display the initial login page. This was causing permission issues for some of the java scripts in those locations. So to avoid that I put a dummy function (action), as the first one. User types in http address only. This dummy action will then redirect to https before rendering the login page. Once the validation is done it is again changed back to http. The re-login actions also work as they go back to this dummy action which is in http only. The sequence is as follows http://localhost:4000/login/prompt (as entered by user. prompt is dummy) https://localhost:4001/login/secureprompt (to https. renders login page) http://localhost:4000/login/show_frame (inside the application) The prompt action is as follows def prompt full_url = "https://localhost:4001/login/secureprompt" redirect_to full_url end Eventhough the login page is in https, it is found that the user name & password can be seen by capturing the packets using the tool "HTTP Analyzer". Could somebody please explain why this is happening? Any help is appreciated.
on 2009-02-10 12:34
on 2009-02-10 12:38
I am based out of Bangalore, India. Please excuse if you find any delay in my responses, as my day time can be different from yours :).
on 2009-02-10 12:48
Or is it that we have to encrypt the user name & password in the application itself, before sending to the server. Enabling https alone won't suffice ?
on 2009-02-10 12:57
I removed the back and forth redirection between http and https. Now it is completely https. But still I am able to see the user name and password as such (without any encryption) in the http analyzer as such.
on 2009-02-10 13:53
Well, just came to know that http analyzer hooks into windows APIs and gives the info. So it is actually showing data before the ssl APIs are called, and hence not exactly what is being transferred over network. Please comment on the correctness of this info as well.