Great- I've updated/simplified my other recommendations on SSL <https://groups.google.com/d/msg/web2py/me1e5d6Dudk/R5Bgt6axSPEJ> as well. After that we should be good to go.
On Wednesday, October 3, 2012 1:31:52 PM UTC-4, Massimo Di Pierro wrote:
>
> In trunk!
>
> On Wednesday, 3 October 2012 10:51:40 UTC-5, Yarin wrote:
>>
>> Niphlod- Thanks, you're correct- that's exactly what's happening.
>>
>> We should then update the *requires_https()* implementation:
>>
>> *gluon/globals.py:*
>>     def requires_https(self):
>>         """
>>         If request comes in over HTTP, redirect it to HTTPS
>>         and secure the session.
>>         """
>>         if not global_settings.cronjob and not self.is_https:
>>             # forget the session before redirecting so no Set-Cookie
>>             # header is emitted alongside the Location header
>>             # (the session object lives on current, not in this scope)
>>             current.session.forget()
>>             redirect(URL(scheme='https', args=self.args, vars=self.vars))
>>
>>         current.session.secure()
>>
>> On Monday, October 1, 2012 4:34:26 PM UTC-4, Niphlod wrote:
>>>
>>> groan, I posted something and it doesn't show up: apologies for double
>>> posting if the previous one shows up in a few....
>>>
>>> The "issue" is that you are not session.forget()ting the requests going
>>> to the http realm: what you are doing is overriding the cookie before
>>> redirecting.
>>>
>>> Both the browser and web2py behave consistently. Case without
>>> session.forget():
>>> 1. https://something
>>>    - browser: none
>>>    - web2py: set-cookie abcd secure
>>> 2. https://something
>>>    - browser: abcd
>>>    - web2py: set-cookie abcd secure
>>> 3. http://something
>>>    - browser: none ("I must not send a secured cookie back to the
>>>      domain without https")
>>>    - web2py: location https://something, set-cookie defg ("User is new
>>>      around here, let's create a new session")
>>> 4. https://something
>>>    - browser: defg ("I can send the cookie I received before because it
>>>      was not secured")
>>>    - web2py: set-cookie defg secure
>>>
>>> When you set session.forget() for the http realm, all goes well:
>>> 1. https://something
>>>    - browser: none
>>>    - web2py: set-cookie abcd secure
>>> 2. https://something
>>>    - browser: abcd
>>>    - web2py: set-cookie abcd secure
>>> 3. http://something
>>>    - browser: none
>>>    - web2py: location https://something
>>> 4. https://something
>>>    - browser: abcd ("No new cookies were issued, so I use the one set
>>>      before, it's a https request with a secured cookie, send abcd back")
>>>    - web2py: set-cookie abcd secure
>>>
>>> PS: the issue presents itself only if you do redirections within web2py
>>> without session.forget()... a normal webserver issues only the *Location*
>>> header and sets no cookies when set to redirect something, so it
>>> behaves "more correctly" and exactly like web2py with session.forget()
>>> enabled.
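The two four-request sequences Niphlod walks through, replayed by a toy browser cookie jar and a toy server that re-emits the session cookie on every response the way web2py does. This is an added example, not web2py's code and not from the thread; the cookie name, the `sessN` ids standing in for `abcd`/`defg`, and the host are constructed.

```python
"""Replay of the Secure-cookie redirect sequence from the thread.

Added example (not web2py's code). Models two rules only:
  - browser: a cookie with the Secure attribute is sent only on https;
    a Set-Cookie for the same name replaces the stored cookie.
  - server: re-emit the session cookie on every response (Secure when the
    request was https); on http, redirect to https, and either forget the
    session first (no Set-Cookie) or not.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

COOKIE_NAME = "session_id"  # constructed stand-in for web2py's cookie name


@dataclass
class Cookie:
    value: str
    secure: bool  # the Secure attribute


class Browser:
    """Cookie jar keyed by cookie name (domain/path assumed identical)."""

    def __init__(self) -> None:
        self.jar: Dict[str, Cookie] = {}

    def cookies_for(self, scheme: str) -> Dict[str, str]:
        # A Secure cookie must not be sent over plain http.
        return {name: c.value for name, c in self.jar.items()
                if scheme == "https" or not c.secure}

    def store(self, set_cookie: Optional[Cookie]) -> None:
        # Same name: the new cookie replaces the old one, whatever its flags.
        if set_cookie is not None:
            self.jar[COOKIE_NAME] = set_cookie


@dataclass
class Response:
    location: Optional[str]       # Location header when redirecting
    set_cookie: Optional[Cookie]  # Set-Cookie header, if any
    session_id: Optional[str]     # the session the server worked with


class Server:
    """Toy web2py-like server; forget_before_redirect mirrors session.forget()."""

    def __init__(self, forget_before_redirect: bool) -> None:
        self.forget_before_redirect = forget_before_redirect
        self.known: set = set()
        self.counter = 0

    def _new_session(self) -> str:
        self.counter += 1
        sid = f"sess{self.counter}"  # constructed ids, in place of abcd/defg
        self.known.add(sid)
        return sid

    def handle(self, scheme: str, cookies: Dict[str, str]) -> Response:
        is_https = scheme == "https"
        location = None if is_https else "https://something"
        if not is_https and self.forget_before_redirect:
            # session.forget(): nothing loaded or saved, so no Set-Cookie.
            return Response(location, None, None)
        sid = cookies.get(COOKIE_NAME)
        if sid not in self.known:
            sid = self._new_session()  # "user is new around here"
        # Cookie re-sent on every response; Secure only when request was https.
        return Response(location, Cookie(sid, secure=is_https), sid)


def replay(forget_before_redirect: bool,
           schemes=("https", "https", "http", "https")) -> List[Optional[str]]:
    """Return the session id the server used for each request in order."""
    browser, server = Browser(), Server(forget_before_redirect)
    seen: List[Optional[str]] = []
    for scheme in schemes:
        resp = server.handle(scheme, browser.cookies_for(scheme))
        browser.store(resp.set_cookie)
        seen.append(resp.session_id)
    return seen


if __name__ == "__main__":
    # Without forget(): the http hop mints sess2 (not Secure), which then
    # replaces sess1 in the jar and is sent on the following https request.
    print("without session.forget():", replay(False))
    # With forget(): the redirect carries no cookie, so sess1 survives.
    print("with session.forget():   ", replay(True))
```

The session id list for the first case ends in a different id than it started with, which is exactly the "new session after every http hop" symptom; in the second case the redirect response carries no `Set-Cookie` and the original Secure cookie is still the one presented on the final https request.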