http to https redirect

 
 
Reji Kumar
 
      02-10-2009
Hi all,
Needed some help with http to https redirection. I have a
requirement wherein the login page alone should have https enabled, i.e.
the user name & password should be sent to the server in encrypted form.
Once the validation is done, it has to come back to http again. I am
using Apache, compiled with SSL enabled. Initially I tried to have the
initial request (first URL the user types in) itself in https and then
redirect to http. But I have re-login requests from many places in the
application (password change, session expiry etc.), where I have to do
the http to https redirection again to display the initial login page.
This was causing permission issues for some of the JavaScripts in those
locations. So to avoid that I put a dummy function (action) as the
first one. The user types in the http address only. This dummy action will then
redirect to https before rendering the login page. Once the validation
is done it is again changed back to http. The re-login actions also work
as they go back to this dummy action, which is in http only. The sequence
is as follows:

http://localhost:4000/login/prompt (as entered by user. prompt is
dummy)
https://localhost:4001/login/secureprompt (to https. renders login page)
http://localhost:4000/login/show_frame (inside the application)

The prompt action is as follows:

    # Dummy action reached over http; redirects to the https login page
    def prompt
      full_url = "https://localhost:4001/login/secureprompt"
      redirect_to full_url
    end

Even though the login page is in https, it is found that the user name &
password can be seen by capturing the packets using the tool "HTTP
Analyzer". Could somebody please explain why this is happening? Any help
is appreciated.
--
Posted via http://www.ruby-forum.com/.

 
Reji Kumar
 
      02-10-2009
I am based out of Bangalore, India. Please excuse any delay
in my responses, as my daytime can be different from yours.
--
Posted via http://www.ruby-forum.com/.

 
Reji Kumar
 
      02-10-2009
Or is it that we have to encrypt the user name & password in the
application itself, before sending to the server? Enabling https alone
won't suffice?
--
Posted via http://www.ruby-forum.com/.

 
Reji Kumar
 
      02-10-2009
I removed the back-and-forth redirection between http and https. Now it
is completely https. But still I am able to see the user name and
password as such (without any encryption) in the HTTP Analyzer.
--
Posted via http://www.ruby-forum.com/.

 
Reji Kumar
 
      02-10-2009
Well, just came to know that HTTP Analyzer hooks into Windows APIs and
gives the info. So it is actually showing data before the SSL APIs are
called, and hence not exactly what is being transferred over the network.
Please comment on the correctness of this info as well.
--
Posted via http://www.ruby-forum.com/.
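
An added example, not part of the original thread: a Ruby check a site owner can run to confirm that the login form served from the secureprompt URL in the first post actually submits over https, because a form whose action points at an http:// URL sends the user name and password in clear text even when the page itself was loaded over https. The form snippets and the /login/validate action name are constructed for illustration and are assumptions, not the poster's markup.

```ruby
require "uri"

# Resolve the URL a login form will submit to, the way a browser does:
# a missing or empty action posts back to the page's own URL, and a
# relative action is resolved against it.
def form_submit_url(page_url, form_html)
  action = form_html[/<form\b[^>]*\saction\s*=\s*["']([^"']*)["']/i, 1]
  return URI(page_url) if action.nil? || action.strip.empty?
  URI.join(page_url, action.strip)
end

# True only when the credentials would travel inside TLS.
def credentials_encrypted?(page_url, form_html)
  form_submit_url(page_url, form_html).scheme == "https"
end

# The page URL is the secureprompt URL from the sequence in the first post.
LOGIN_PAGE = "https://localhost:4001/login/secureprompt"

# Constructed sample forms; /login/validate is a hypothetical action name.
SAMPLE_FORMS = {
  "relative action"      => '<form action="/login/validate" method="post">',
  "no action attribute"  => '<form method="post">',
  "absolute http action" => '<form action="http://localhost:4000/login/validate" method="post">',
}

# Returns [name, resolved submit URL, encrypted?] for each form.
def audit(page_url, forms)
  forms.map do |name, html|
    [name, form_submit_url(page_url, html).to_s, credentials_encrypted?(page_url, html)]
  end
end

if __FILE__ == $0
  audit(LOGIN_PAGE, SAMPLE_FORMS).each do |name, url, ok|
    puts format("%-22s %-45s %s", name, url, ok ? "encrypted" : "PLAINTEXT")
  end
end
```

Only the third form fails the check: its absolute http:// action moves the credential POST back to port 4000 outside TLS.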

 