Hi all,
Needed some help with http to https redirection. I have a
requirement wherein the login page alone should have https enabled, i.e.
the user name & password should be sent to server in encrypted form.
Once the validation is done, it has to come back to http again. I am
using apache, compiled with ssl enabled. Initially I tried to have the
initial request (first url the user types in) itself in https and then
redirect to http. But I have re-login requests from many places in the
application (password change, session expiry etc), where I have to do
the http to https redirection again to display the initial login page.
This was causing permission issues for some of the JavaScripts in those
locations. So to avoid that I put a dummy function (action), as the
first one. User types in http address only. This dummy action will then
redirect to https before rendering the login page. Once the validation
is done it is again changed back to http. The re-login actions also work
as they go back to this dummy action which is in http only. The sequence
is as follows:

    http://localhost:4000/login/prompt (as entered by user. prompt is dummy)
    https://localhost:4001/login/secureprompt (to https. renders login page)
    http://localhost:4000/login/show_frame (inside the application)

The prompt action is as follows:

    # Dummy action reached over http; redirects to the https login page
    def prompt
      full_url = "https://localhost:4001/login/secureprompt"
      redirect_to full_url
    end

Even though the login page is in https, it is found that the user name &
password can be seen by capturing the packets using the tool "HTTP
Analyzer”. Could somebody please explain why this is happening? Any help
is appreciated.
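
An added example, not part of the original post: a Ruby check of where the form on the https login page actually submits, since rendering the page over https only protects the credentials if the form's target URL is https as well. The `validate` action name and the sample markup are constructed assumptions; the page URL is the one from the sequence above.

```ruby
require "uri"

# URL of the login page, taken from the redirect sequence in the post.
PAGE_URL = "https://localhost:4001/login/secureprompt"

# Constructed sample markup (the "validate" action is hypothetical).
RELATIVE_FORM      = '<form action="/login/validate" method="post">'
ABSOLUTE_HTTP_FORM = '<form method="post" action="http://localhost:4000/login/validate">'

# Resolve the form's action against the page URL, the way a browser does.
# A missing or empty action means the form submits to the page's own URL.
def form_target(page_url, html)
  tag = html[/<form\b[^>]*>/i] or raise ArgumentError, "no <form> tag found"
  action = tag[/\baction\s*=\s*["']([^"']*)["']/i, 1]
  base = URI.parse(page_url)
  return base if action.nil? || action.empty?
  URI.join(base.to_s, action)
end

# True only when the credential-bearing request itself goes over https.
def credentials_encrypted?(page_url, html)
  form_target(page_url, html).scheme == "https"
end

if __FILE__ == $0
  [RELATIVE_FORM, ABSOLUTE_HTTP_FORM].each do |html|
    target = form_target(PAGE_URL, html)
    status = credentials_encrypted?(PAGE_URL, html) ? "encrypted" : "CLEARTEXT"
    puts "#{status}: form submits to #{target}"
  end
end
```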