Ticket #25 (Fixed)
Thu Jul 27 08:13:54 UTC 2006
Too many apps redirect to HTTP from HTTPS
Reported by: Andrew
Severity: Major
Part: Web site: General (miscellaneous issues)
Release:
Milestone:
Status: Fixed
Details by Andrew:
Several of the Rails apps include redirection that likes going to HTTP rather than HTTPS. Investigate this. If using single sign-on, the signing mechanism should at the very least be good enough to run under HTTPS. The cookie used thereafter includes its own information encryption so could possibly be visible in the clear (but is it as good as SSL communication?).
Changelog:
Modified by Andrew Thu, July 27 2006 - 08:14:05 GMT
- Severity changed from Normal to Major
Modified by Andrew Thu, July 27 2006 - 08:14:41 GMT
- Part changed from Unspecified to Many (affects multiple applications)
Modified by Andrew Hodgkinson Tue, October 17 2006 - 12:13:11 GMT
Worst offender was Instiki, closely followed by hard-coded URLs in Radiant content. The Wiki’s now running on I2 and doesn’t cause problems anymore; Radiant content has been updated. Still testing, but it looks like everything’s protocol neutral now.
Modified by Andrew Hodgkinson Tue, October 17 2006 - 12:18:23 GMT
- Status changed from Open to Fixed
Well, just spent a while hitting the remaining untested site sections and everything stays on HTTPS. Looks like this is all sorted now.
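
Added example, not part of the original ticket or the site's code: a Ruby check for the two problems the ticket describes, redirects that drop from HTTPS to HTTP and hard-coded http:// links in stored content. The function names, the site.example host and all sample data are assumptions constructed for illustration.

```ruby
require "uri"

# True when a request made over HTTPS is answered with a redirect to plain HTTP.
# Relative and protocol-relative Location values are resolved against the
# request URL first, because they inherit its scheme and are not downgrades.
def downgrade_redirect?(request_url, location)
  return false unless URI.parse(request_url).scheme.to_s.downcase == "https"
  URI.join(request_url, location).scheme.to_s.downcase == "http"
end

# Return only the [request_url, location] pairs that leave HTTPS.
def audit_redirects(pairs)
  pairs.select { |request_url, location| downgrade_redirect?(request_url, location) }
end

# Find absolute http:// links in stored page content that point at our own
# hosts; links to other sites are outside the scope of this check.
def hard_coded_http_links(html, own_hosts)
  pattern = /(?:href|src|action)\s*=\s*["'](http:\/\/[^"'\s>]+)["']/i
  html.scan(pattern).flatten.select do |url|
    host = begin
      URI.parse(url).host
    rescue URI::InvalidURIError
      nil
    end
    host && own_hosts.include?(host.downcase)
  end
end

# Constructed samples (site.example is a placeholder host).
SAMPLE_REDIRECTS = [
  ["https://site.example/wiki/edit", "http://site.example/wiki/show"], # downgrade
  ["https://site.example/login", "/account"],                          # relative
  ["https://site.example/news", "//site.example/news/"],               # protocol-relative
  ["http://site.example/old", "http://site.example/new"],              # never HTTPS
].freeze

SAMPLE_CONTENT = <<~HTML
  <a href="http://site.example/downloads">Downloads</a>
  <a href="/forum">Forum</a>
  <img src="http://cdn.other.example/logo.png">
  <form action="HTTP://SITE.EXAMPLE/search">
HTML

if __FILE__ == $PROGRAM_NAME
  audit_redirects(SAMPLE_REDIRECTS).each { |req, loc| puts "DOWNGRADE #{req} -> #{loc}" }
  hard_coded_http_links(SAMPLE_CONTENT, ["site.example"]).each { |u| puts "HARD-CODED #{u}" }
end
```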