lobster lobster wrote in post #1114299:
> I already have a rails 3.1.2 and ruby 1.9.3 vast app with an auth based
> on devise. Now I want to add to my app an ssl key based auth. As
> web-server it uses thin and nginx as proxy. I have made only ssl on the
> nginx at 443 and only for some app paths (e.g. /articles, /search etc).
> How can I tell my app and devise to use the ssl keys and assign them
> to the app users (link users' _session_id and the key together)?

Sorry, but I don't completely understand your question. Your Rails app
should have nothing to do with SSL/TLS keys in any way. Your Rails app
should ensure that all URLs that need to be secure use the https
protocol and nothing more. Any SSL/TLS key exchange should be handled by
the web server. That should all happen before your Rails app receives
any request.

You also mention that only some paths use SSL/TLS. I would highly
recommend against doing that. If you need SSL/TLS anywhere in your site,
then use SSL/TLS everywhere in your site. Force SSL/TLS on the first
request and have all subsequent requests use that SSL/TLS connection.
It has been shown that any transition from HTTP to HTTPS is vulnerable
to attack. Notice that many popular sites are now SSL/TLS everywhere
(e.g. Github, Facebook, Google Mail, Banking, etc.). There is very
little cost in using SSL/TLS all the time, and the benefits of doing so
far outweigh the costs. This also eliminates the possibility of mistakes
in your Rails app that may redirect from a TLS page to a non-TLS page
since all URLs will be secure.
--
Posted via http://www.ruby-forum.com/.
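
Added example, not part of the original post or of any project's code: a Rack-style middleware sketching "SSL/TLS everywhere" for an app that sits behind a TLS-terminating proxy, as thin does behind nginx here. It assumes nginx overwrites the X-Forwarded-Proto header on every request (proxy_set_header X-Forwarded-Proto $scheme;); the class name, sample app and host name are constructed for illustration. Rails 3.1's own config.force_ssl = true covers the same ground for a real app.

```ruby
# Illustrative middleware (hypothetical name): every path is HTTPS-only.
class ForceHttps
  HSTS = "max-age=31536000; includeSubDomains".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Tell the browser to skip plain HTTP on later visits.
    headers["Strict-Transport-Security"] = HSTS
    cookies = headers["Set-Cookie"]
    headers["Set-Cookie"] = secure_cookies(cookies) if cookies
    [status, headers, body]
  end

  private

  # thin only ever sees plain HTTP from nginx, so the scheme the client used
  # must come from the header the proxy sets (assumed to be overwritten by
  # nginx so a client cannot supply its own value).
  def https?(env)
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  def redirect_to_https(env)
    host = env["HTTP_HOST"].to_s.sub(/:\d+\z/, "")   # drop ":80" if present
    location = "https://#{host}#{env['PATH_INFO']}"
    query = env["QUERY_STRING"].to_s
    location += "?#{query}" unless query.empty?
    [301, { "Content-Type" => "text/plain", "Location" => location }, ["Moved"]]
  end

  # Multiple cookies are newline-joined; flag each one Secure so the session
  # id is never sent over a non-TLS connection.
  def secure_cookies(value)
    value.split("\n").map { |c| c =~ /;\s*secure\s*(;|\z)/i ? c : "#{c}; Secure" }.join("\n")
  end
end

# Constructed stand-in for the Rails app: sets a session cookie without Secure.
DEMO_APP = lambda do |_env|
  [200, { "Set-Cookie" => "_session_id=abc123; path=/; HttpOnly" }, ["ok"]]
end
SECURED = ForceHttps.new(DEMO_APP)
```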