http to https redirect

Discussion in 'Ruby' started by Reji Kumar, Feb 10, 2009.

  1. Reji Kumar

    Reji Kumar Guest

    Hi all,
    Needed some help with http to https redirection. I have a
    requirement wherein the login page alone should have https enabled, i.e.
    the user name & password should be sent to the server in encrypted form.
    Once the validation is done, it has to come back to http again. I am
    using apache, compiled with ssl enabled. Initially I tried to have the
    initial request (first url the user types in) itself in https and then
    redirect to http. But I have re-login requests from many places in the
    application (password change, session expiry etc), where I have to do
    the http to https redirection again to display the initial login page.
    This was causing permission issues for some of the JavaScripts in those
    locations. So to avoid that I put a dummy function (action) as the
    first one. The user types in the http address only. This dummy action will then
    redirect to https before rendering the login page. Once the validation
    is done it is again changed back to http. The re-login actions also work
    as they go back to this dummy action, which is in http only. The sequence
    is as follows:

    http://localhost:4000/login/prompt (as entered by user. prompt is
    https://localhost:4001/login/secureprompt (to https. renders login page)
    http://localhost:4000/login/show_frame (inside the application)

    The prompt action is as follows:
    def prompt
      # Send the browser to the HTTPS login page
      full_url = "https://localhost:4001/login/secureprompt"
      redirect_to full_url
    end

    Even though the login page is in https, it is found that the user name &
    password can be seen by capturing the packets using the tool "HTTP
    Analyzer". Could somebody please explain why this is happening? Any help
    is appreciated.
    Reji Kumar, Feb 10, 2009

  2. Reji Kumar

    Reji Kumar Guest

    I am based out of Bangalore, India. Please excuse if you find any delay
    in my responses, as my day time can be different from yours :).
    Reji Kumar, Feb 10, 2009

  3. Reji Kumar

    Reji Kumar Guest

    Or is it that we have to encrypt the user name & password in the
    application itself, before sending to the server? Enabling https alone
    won't suffice?
    Reji Kumar, Feb 10, 2009
  4. Reji Kumar

    Reji Kumar Guest

    I removed the back and forth redirection between http and https. Now it
    is completely https. But still I am able to see the user name and
    password as such (without any encryption) in the HTTP Analyzer.
    Reji Kumar, Feb 10, 2009
  5. Reji Kumar

    Reji Kumar Guest

    Well, just came to know that HTTP Analyzer hooks into Windows APIs and
    gives the info. So it is actually showing data before the SSL APIs are
    called, and hence not exactly what is being transferred over the network.
    Please comment on the correctness of this info as well.
    Reji Kumar, Feb 10, 2009
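
The distinction raised in the last post, between what an API-level hook sees and what actually crosses the network, can be reproduced on loopback. The Ruby script below is an added example and not part of the thread: the credentials, the throwaway self-signed certificate and the helper names `server_context` and `capture_login` are constructed for the illustration, and a small TCP relay stands in for a packet capture.

```ruby
require "socket"
require "openssl"

FORM_BODY = "username=alice&password=s3cr3t-pass" # constructed sample login form

# Throwaway self-signed certificate for a TLS server on loopback.
def server_context
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  OpenSSL::SSL::SSLContext.new.tap { |c| c.cert = cert; c.key = key }
end

# Returns [plaintext as the TLS API handles it, client-to-server bytes on the wire].
def capture_login
  ctx = server_context
  tls_srv, tap_srv = Array.new(2) { TCPServer.new("127.0.0.1", 0) }
  wire, received = "".b, nil
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(tls_srv.accept, ctx)
    ssl.accept
    received = ssl.readpartial(4096) # plaintext after decryption
  end
  relay = Thread.new do # plays the part of a packet capture between the two ends
    client = tap_srv.accept
    upstream = TCPSocket.new("127.0.0.1", tls_srv.addr[1])
    loop do
      IO.select([client, upstream]).first.each do |src|
        data = src.readpartial(16_384)
        wire << data if src == client
        (src == client ? upstream : client).write(data)
      end
    end
  rescue EOFError, IOError, SystemCallError # one side closed; stop relaying
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tap_srv.addr[1]))
  ssl.connect
  # Pin the known test certificate instead of CA validation (lab setup only).
  raise "unexpected certificate" unless ssl.peer_cert.to_der == ctx.cert.to_der
  ssl.write(FORM_BODY) # the point where an API-level hook sees the form
  server.join
  relay.kill
  [received, wire]
end
```

The first returned value is the form exactly as it was handed to the TLS layer; the second is the handshake plus encrypted records that the relay observed, in which the credentials do not appear.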
