Massimo- quick fix: *session.forget()* must be *current.session.forget()*, otherwise throws error
On Thursday, October 4, 2012 8:11:23 AM UTC-4, Yarin wrote:
>
> Great- I've updated/simplified my other recommendations on SSL <https://groups.google.com/d/msg/web2py/me1e5d6Dudk/R5Bgt6axSPEJ> as well. After that we should be good to go
>
> On Wednesday, October 3, 2012 1:31:52 PM UTC-4, Massimo Di Pierro wrote:
>>
>> In trunk!
>>
>> On Wednesday, 3 October 2012 10:51:40 UTC-5, Yarin wrote:
>>>
>>> Niphlod- Thanks, you're correct- that's exactly what's happening.
>>>
>>> We should then update the *requires_https()* implementation:
>>>
>>> *gluon/globals.py:*
>>>
>>>     def requires_https(self):
>>>         """
>>>         If request comes in over HTTP, redirect it to HTTPS
>>>         and secure the session.
>>>         """
>>>         if not global_settings.cronjob and not self.is_https:
>>>             session.forget()
>>>             redirect(URL(scheme='https', args=self.args, vars=self.vars))
>>>
>>>         current.session.secure()
>>>
>>> On Monday, October 1, 2012 4:34:26 PM UTC-4, Niphlod wrote:
>>>>
>>>> groan, I posted something and it doesn't show up: apologies for double posting if the previous one shows up in a few....
>>>>
>>>> The "issue" is that you are not session.forget()ting the requests going to the http realm: what you are doing is overriding the cookie before redirecting.
>>>>
>>>> Both the browser and web2py behave consistently. Case without session.forget():
>>>>
>>>> 1. https://something
>>>>    - browser: none
>>>>    - web2py: set-cookie abcd secure
>>>> 2. https://something
>>>>    - browser: abcd
>>>>    - web2py: set-cookie abcd secure
>>>> 3. http://something
>>>>    - browser: none ("I must not send a secured cookie back to the domain without https")
>>>>    - web2py: location https://something, set-cookie defg ("User is new around here, let's create a new session")
>>>> 4. https://something
>>>>    - browser: defg ("I can send the cookie I received before because it was not secured")
>>>>    - web2py: set-cookie defg secure
>>>>
>>>> When you set session.forget() for the http realm, all goes well:
>>>>
>>>> 1. https://something
>>>>    - browser: none
>>>>    - web2py: set-cookie abcd secure
>>>> 2. https://something
>>>>    - browser: abcd
>>>>    - web2py: set-cookie abcd secure
>>>> 3. http://something
>>>>    - browser: none
>>>>    - web2py: location https://something
>>>> 4. https://something
>>>>    - browser: abcd ("No new cookies were issued, so I use the one set before, it's a https request with a secured cookie, send abcd back")
>>>>    - web2py: set-cookie abcd secure
>>>>
>>>> PS: the issue presents itself only if you do redirections within web2py without session.forget()... a normal webserver issues only the *Location* header and sets no cookies when set to redirect something, so it behaves "more correctly" and exactly like web2py with session.forget() enabled.
>>>>
>>>> --
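The two four-step traces in Niphlod's post can be replayed as a small simulation. The code below is an added example, not web2py code and not from anyone in the thread: `BrowserCookieJar`, `Server` and `run_trace` are names assumed for this illustration, and the session ids `abcd`/`defg` are the constructed values used in the post. The jar refuses to send a cookie carrying the Secure attribute over plain http, exactly as the browser does in step 3, and the server either issues a fresh (non-secure) session cookie on the http redirect or, with the "forget" behaviour, sends only the redirect and no Set-Cookie.

```python
"""Replay of the secure-cookie / http->https redirect exchange from the thread.

Added example (not web2py code). Models a browser cookie jar that honours the
Secure flag and a server that redirects http -> https, with and without
forgetting the session before the redirect.
"""
from typing import Optional, Tuple


class BrowserCookieJar:
    """Minimal jar for a single session cookie; remembers the Secure flag."""

    def __init__(self) -> None:
        self.value: Optional[str] = None
        self.secure = False

    def cookie_for(self, scheme: str) -> Optional[str]:
        # A cookie marked Secure is never sent on a plain http request.
        if self.value is None:
            return None
        if self.secure and scheme != "https":
            return None
        return self.value

    def store(self, set_cookie: Optional[Tuple[str, bool]]) -> None:
        # set_cookie is (value, secure_flag), or None if no header was sent.
        if set_cookie is not None:
            self.value, self.secure = set_cookie


class Server:
    """Issues session ids; any http request is answered with a redirect."""

    def __init__(self, forget_before_redirect: bool) -> None:
        self.forget_before_redirect = forget_before_redirect
        # Constructed ids in the order the thread's trace hands them out.
        self._ids = iter(["abcd", "defg", "hijk"])
        self.known = set()

    def _new_session(self) -> str:
        sid = next(self._ids)
        self.known.add(sid)
        return sid

    def handle(self, scheme: str, cookie: Optional[str]):
        """Return (status, location, set_cookie) for one request."""
        if scheme != "https":
            if self.forget_before_redirect:
                # session.forget(): no session is created, no cookie is set,
                # only the Location header goes back.
                return (303, "https://something", None)
            # Without forget: the browser sent nothing (Secure cookie withheld),
            # so the visitor looks new and gets a fresh session whose cookie
            # is NOT marked Secure because this request was plain http.
            sid = cookie if cookie in self.known else self._new_session()
            return (303, "https://something", (sid, False))
        # https: resume the presented session (or create one) and re-issue
        # the cookie with the Secure flag, like session.secure().
        sid = cookie if cookie in self.known else self._new_session()
        return (200, None, (sid, True))


def run_trace(forget_before_redirect: bool):
    """Replay the thread's four requests.

    Returns (cookies the browser sent per step, session id held at the end).
    """
    jar = BrowserCookieJar()
    server = Server(forget_before_redirect)
    sent = []
    for scheme in ["https", "https", "http", "https"]:
        cookie = jar.cookie_for(scheme)
        sent.append(cookie)
        _status, _location, set_cookie = server.handle(scheme, cookie)
        jar.store(set_cookie)
    return sent, jar.value


if __name__ == "__main__":
    print("without forget:", run_trace(False))  # session switches to defg
    print("with forget:   ", run_trace(True))   # session stays abcd
```

Without the forget step the http redirect hands out `defg` as a non-secure cookie, which the browser then presents on the following https request, so the user silently lands in a different session; with it, step 3 carries no Set-Cookie and step 4 resumes `abcd`.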