Rails - Mar 2007 - Wierd 'Being redirected to non-secure' warnings but entire site is SSL

Greetings all,

Apologies in advance for the cross-post.

I just got a report that I really need some help understanding.

My site ( www.yourtimematters.com ) is set up so that 
1) any attempted access to yourtimematters.com gets redirected to
www.yourtimematters.com
2) all access to www.yourtimematters.com takes place using https://

The visitor I was walking through the app with (over the phone) was getting
warnings as she advanced from page to page that she was "being redirected
to a non-secure page."  If she clicked OK, she was taken to https://
the_next_page.  This happened on every page within the app.

What could be causing this?  The entire site is secured.  All of the pages
advance via a button that''s a form_tag{:controller =>
''some_controller'', :action =>
''some_action''} with nothing in the form but the submit_tag. 
All the pages are being served from the app by mongrel through Apache to the
browser.

This is the only visitor that''s seen this behavior, but I assume that
if she saw it, others will too.  She was accessing the site from her office at
Adobe, so I assume there''s some pretty heavy firewall stuff going on. 
Could something on her end be causing this?

Any ideas?

Thanks in advance,
Bill
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Looks like your "mainnav" links are hard-coded to http, not https.
Are you using link_to everywhere?

  -- Wes

On Mar 9, 1:25 pm, "Bill Walton"
<bill.wal...-xwVYE8SWAR3R7s880joybQ@public.gmane.org>
wrote:
> Greetings all,
>
> Apologies in advance for the cross-post.
>
> I just got a report that I really need some help understanding.
>
> My site (www.yourtimematters.com) is set up so that
> 1) any attempted access to yourtimematters.com gets redirected
towww.yourtimematters.com
> 2) all access towww.yourtimematters.comtakes place using https://
>
> The visitor I was walking through the app with (over the phone) was getting
warnings as she advanced from page to page that she was "being redirected
to a non-secure page."  If she clicked OK, she was taken to https://
the_next_page.  This happened on every page within the app.
>
> What could be causing this?  The entire site is secured.  All of the pages
advance via a button that''s a form_tag{:controller =>
''some_controller'', :action =>
''some_action''} with nothing in the form but the submit_tag. 
All the pages are being served from the app by mongrel through Apache to the
browser.
>
> This is the only visitor that''s seen this behavior, but I assume
that if she saw it, others will too.  She was accessing the site from her office
at Adobe, so I assume there''s some pretty heavy firewall stuff going
on.  Could something on her end be causing this?
>
> Any ideas?
>
> Thanks in advance,
> Bill

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi Wes,

wesgarrison wrote:
> Looks like your "mainnav" links are hard-coded to http,
> not https.
That was a good catch.  I''d forgotten to change that.  Unfortunately,
that
wasn''t it.
> Are you using link_to everywhere?
No.  The problem looks to be caused when I''m doing a redirect_to from
one
controller method to another.  That generates a 302 header which IE 6 is 
having a problem with.

Do you (or anyone reading this) know if the 302 header says anything about 
where the move is headed?  Like maybe there''s a default setting that
says
"going to http://"+new_location that I could override and get to say
"going
to https://"+new_location ?  Do routes maybe figure in this somehow?  Any 
ideas are very, very welcome.

Thanks,
Bill 



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Mar 9, 3:52 pm, "Bill Walton"
<bill.wal...-xwVYE8SWAR3R7s880joybQ@public.gmane.org>
wrote:
> Hi Wes,
>
> wesgarrison wrote:
> > Looks like your "mainnav" links are hard-coded to http,
> > not https.
>
> That was a good catch.  I''d forgotten to change that. 
Unfortunately, that
> wasn''t it.
>
> > Are you using link_to everywhere?
>
> No.  The problem looks to be caused when I''m doing a redirect_to
from one
> controller method to another.  That generates a 302 header which IE 6 is
> having a problem with.
>
> Do you (or anyone reading this) know if the 302 header says anything about
> where the move is headed?  Like maybe there''s a default setting
that says
> "going to http://"+new_location that I could override and get to
say "going
> to https://"+new_location ?  Do routes maybe figure in this somehow? 
Any
> ideas are very, very welcome.
>
> Thanks,
> Bill

I''ve used this before to force everything to https:

In application.rb:

# Force https usage for all links and redirects
# Only do this in production-ish modes, though, because localhost
# probably doesn''t have SSL enabled
  if %w(production staging demo
etc).include?(ENV[''RAILS_ENV''])
    def default_url_options(options)
      { :protocol => ''https://'' }
    end
  end

As for the redirects, your log should have a line like this:
Redirected to http://127.0.0.1:3000/
Completed in 0.09400 (10 reqs/sec) | DB: 0.09400 (100%) | 302 Found
[http://127.0.0.7/etc/show]

That''d show you if you''re being redirected to https or not. 
I''d try
the first thing to see if it worked, though.  If anyone else has a
reason not to do that, I''d like to hear it, too. It''s worked
okay for
me for several months, though.

   -- Wes


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Way cool.  Looks like what I''d expected to find.  Thank you. 
I''ll give it a
shot and let you know what happens.

Thanks much,
Bill 



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---