usage of HTTPS for the web interface vanishes

Added by Alexander Stohr almost 11 years ago

When selecting a Redmine server based web account using the https:// prefix,
this prefix stays intact until e.g. the first successful provision of user credentials.
After that the prefix gets stripped and the session restarts in pure http:// mode.

Then adding the missing "s" to the URL in the browser does allow going on in protected transmission mode.

When doing the logout, the session will again be dropped from an https to an http-only URL.

I am assuming there are some hard-coded URLs in the login/logout pages and the associated code does not take care of the previous mode.

It's also a bit critical having the browser being in a state of accessing the pages without transmission encryption
despite the session having first been opened encrypted, thus enabling people with some access to e.g. session cookies to hijack and use that session. (just a theory...)
Let's hope that can be fixed.

It finally raises a question in my mind: can a server be tuned to only offer https starting with the login page?
That might further mean the server should do a forceful redirect to https mode when the login page is queried using only http.


Replies (1)

RE: usage of HTTPS for the web interface vanishes - Added by Mario Klima over 10 years ago

Your webserver can do this; here is an example for Apache (+mod_rewrite):

# Apache server / virtual-host context: send every request that did not arrive on the TLS port to the same URL over https
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}$1 [R=301,L]
# In a per-directory .htaccess the matched path has no leading slash, so use %{REQUEST_URI} there instead of $1

cheers

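To check a deployment for the two problems this thread raises (a redirect that silently drops an https session to http, and a session cookie that the browser would then send over plain http), here is an added Python example; it is not Redmine's code and not from either post. `force_https_location` mirrors the intent of the mod_rewrite rule in the reply, `find_downgrades` walks a chain of Location headers the way a browser would and flags every https-to-http hop, and `cookies_missing_secure` reports cookies set without the Secure attribute. All hostnames, paths and cookie names are constructed.

```python
"""Added example (not Redmine's code, not from either post): check a login flow for
an https-to-http downgrade and for session cookies that lack the Secure attribute.
All hostnames, paths and cookie names below are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


def force_https_location(scheme, host, request_uri):
    """Mirror of the mod_rewrite rule in the reply: for a request that did not arrive
    over https, return the 301 Location the server should send; otherwise None.
    `request_uri` is path plus query string, like Apache's %{REQUEST_URI}."""
    if scheme == "https":
        return None
    return f"https://{host}{request_uri}"


def find_downgrades(start_url, locations):
    """Walk a chain of Location headers as a browser would (relative Locations are
    resolved against the current URL) and return every hop that drops https to http.
    Such a hop is where an https session silently continues over plain http."""
    downgrades = []
    current = start_url
    for location in locations:
        nxt = urljoin(current, location)
        if urlsplit(current).scheme == "https" and urlsplit(nxt).scheme == "http":
            downgrades.append((current, nxt))
        current = nxt
    return downgrades


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute. Such a cookie
    rides along on the http requests an unwanted downgrade produces, which is the
    session-hijacking concern from the original post."""
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Morsel flags are "" when absent and True when the attribute was present
            if not morsel["secure"]:
                missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed redirect chain: https login -> absolute http URL in the Location
    # header (the hard-coded-URL symptom described above) -> back to https by hand.
    chain = ["http://redmine.example/my/page", "https://redmine.example/my/page"]
    print(find_downgrades("https://redmine.example/login", chain))
    # Constructed Set-Cookie headers as a login response might send them.
    headers = ["_session=abc123; Path=/; HttpOnly",
               "autologin=xyz; Path=/; Secure; HttpOnly"]
    print(cookies_missing_secure(headers))
    print(force_https_location("http", "redmine.example", "/login?back_url=%2F"))
```

Feed `find_downgrades` the Location headers recorded from a real login and logout round trip; a non-empty result is the downgrade described in the original post, and any name returned by `cookies_missing_secure` for the session cookie means the webserver redirect alone is not enough, because the cookie is still exposed on the first plain-http request before the redirect happens.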