[horde] full url

Eric Rostetter eric.rostetter at physics.utexas.edu
Mon Mar 17 22:15:31 PST 2003


Quoting Chris Petersen <lists at forevermore.net>:

> > The only way to "force" it is via your web server configuration.
> 
> guess I just don't know how to force it to forward all non-ssl
> connections to ssl.

If using apache, see the IMP list archives.  Comes up from time to time.  
If using something else, then you'd need to say what it is in order to
get any help.

> > That doesn't force ssl.  It simply means that full urls will be written
> > as https: urls.
> 
> what's the point of this if nothing is ever written as a full URL?

It does write some full urls.

> Sounds like a waste of code if it's never used.

It is used.

> > Maybe.  But the only way to actually enforce this is at the web server
> > level.  You can't enforce it in the code.
> 
> what do you mean "can't"?  I do this all the time in my code:

Because the user can get around it (edit the url in the browser, use a
browser/cache that rewrites it, enter the url directly without the "s",
download and edit your html and then execute the modified version, etc.)

> if not ssl then redirect to ssl url...
> 
> piece of cake.

Yes, and I recommend you use that same logic, but in the web server. 
Then the user can't get around it.

> > Note that it says right there it only applies to full URLs.
> > How we generate full urls.  Never says anything about relative urls.
> 
> one would think that this should be rewritten so that if use_ssl is
> enabled, and the user is viewing a non-ssl page, the program should
> detect that and create a full URL that links to the ssl page.  An extra
> "if" or two isn't going to slow down execution that much, and would make
> use_ssl a heck of a lot more meaningful.

I don't think use_ssl was intended to "force" ssl mode, so much as to
not break things when ssl was in use.  It is more to make sure the
protocol string and port number get set correctly when needed than
to enforce any policy.

I'm not saying it can't or shouldn't be changed, I'm just saying that I
don't think it was intended to do what you want.  And doing what you want
will give people a false sense of security, as the ssl would be easy to
get around.

> -Chris

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
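The "same logic, but in the web server" that Eric recommends, written out as an added example (this is not from the thread or from Horde/IMP): an Apache 2 configuration in which the plain-HTTP virtual host does nothing but redirect to HTTPS, so there is no non-SSL copy of the application for a user to reach by editing the URL. It assumes mod_rewrite and mod_ssl are loaded; the hostname and file paths are placeholders.

```apache
# Constructed example. Port 80 serves no application content at all:
# every request is bounced to the same path on https://, so the "if not
# ssl then redirect" check lives where the client cannot bypass it.
<VirtualHost *:80>
    ServerName mail.example.com
    RewriteEngine On
    # Only redirect requests that did not arrive over TLS (always true in
    # this host, but it mirrors the check the application would have done).
    RewriteCond %{HTTPS} !=on
    # Keep the requested path; the query string is carried over by default.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# The application is reachable here and nowhere else.
<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine On
    # Placeholder certificate and key paths.
    SSLCertificateFile /etc/ssl/certs/mail.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/mail.example.com.key
    # Placeholder document root for the Horde/IMP install.
    DocumentRoot /var/www/horde
</VirtualHost>
```

With this in place, `use_ssl` in the application configuration is still wanted so that the full URLs it does generate use the https: scheme and port, but it is no longer what keeps users on SSL.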

