Hi all,
We have been experiencing strange things when a logged-in user tries to access
a regular HTTP URL (i.e., not HTTPS). Because they are logged in, they are
redirected to the secure URL, but I have found a couple of cases in which that
fails.
Case 1:
The URL contains query string parameters, which are lost when redirected.
See the following snippets from my apache logs. The first is from the http log,
the second from the https log.
leikung.grainger.uiuc.edu - - [09/Nov/2011:12:09:00 -0600] "GET
/browse?rpp=20&order=ASC&sort_by=-1&etal=-1&type=author&starts_with=B HTTP/1.1"
200 18984 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML,
like Gecko) Chrome/15.0.874.106 Safari/535.2"
leikung.grainger.uiuc.edu - - [09/Nov/2011:12:25:57 -0600] "GET /browse
HTTP/1.1" 500 57865
"http://www.ideals.illinois.edu/browse?rpp=20&order=ASC&sort_by=-1&etal=-1&type=author&starts_with=B"
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko)
Chrome/15.0.874.106 Safari/535.2" SSLv3 AES256-SHA
You see, the first loads ok (200), but the second, the https redirect, fails
(500). Notice the call: "GET /browse HTTP/1.1"; the query string is gone.
Case 2:
The URL gets "/main" appended to it when redirected.
Again, here are two snippets from the httpd logs. The first is http; the second
is https.
leikung.grainger.uiuc.edu - - [09/Nov/2011:13:00:04 -0600] "GET
/admin/authorize HTTP/1.1" 400 16368 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2"
leikung.grainger.uiuc.edu - - [09/Nov/2011:13:00:04 -0600] "GET
/admin/authorize HTTP/1.1" 200 244850 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2"
leikung.grainger.uiuc.edu - - [09/Nov/2011:13:00:07 -0600] "GET
/admin/authorize/main HTTP/1.1" 200 9467
"http://www.ideals.illinois.edu/admin/authorize" "Mozilla/5.0 (Windows NT 6.1;
WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2"
SSLv3 AES256-SHA
In the http log, there is a 400 immediately followed by a 200. In the https log,
it's a 200, but not really. The user is shown the DSpace Page not found screen.
Notice the call: "GET /admin/authorize/main HTTP/1.1". Where did the "/main"
come from?
I have tested this in 1.5.2 and 1.6.2, and both yield identical results.
Thanks,
Bill
--
Bill Ingram
Research Programmer
Scholarly Communication and Repository Services
University of Illinois at Urbana-Champaign
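A small log audit for the two failure modes described above (query string dropped, path altered), as an added example that is not part of the original post or of DSpace. It parses Apache combined-format lines from the https log and, where the Referer carries the original http URL as it does in the excerpts above, compares that URL's path and query with what was actually requested. The sample lines are constructed from the post's excerpts, unwrapped and with the user agent abridged.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the https-log excerpts from the post, one per line, user agent abridged.
HTTPS_LOG = """\
leikung.grainger.uiuc.edu - - [09/Nov/2011:12:25:57 -0600] "GET /browse HTTP/1.1" 500 57865 "http://www.ideals.illinois.edu/browse?rpp=20&order=ASC&sort_by=-1&etal=-1&type=author&starts_with=B" "Mozilla/5.0" SSLv3 AES256-SHA
leikung.grainger.uiuc.edu - - [09/Nov/2011:13:00:07 -0600] "GET /admin/authorize/main HTTP/1.1" 200 9467 "http://www.ideals.illinois.edu/admin/authorize" "Mozilla/5.0" SSLv3 AES256-SHA
leikung.grainger.uiuc.edu - - [09/Nov/2011:13:00:09 -0600] "GET /browse?rpp=20&order=ASC HTTP/1.1" 200 18984 "http://www.ideals.illinois.edu/browse?rpp=20&order=ASC" "Mozilla/5.0" SSLv3 AES256-SHA
leikung.grainger.uiuc.edu - - [09/Nov/2011:13:00:04 -0600] "GET /admin/authorize HTTP/1.1" 200 244850 "-" "Mozilla/5.0"
"""

# host ident user [time] "METHOD TARGET PROTO" status bytes "referer" "user-agent" ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)


def check_redirect(line):
    """Return a record for one https request, or None if it is not an http->https hop.

    Heuristic (an assumption, not a DSpace rule): the Referer of the redirected
    request is the original http URL, so its path/query is what should have survived.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, method, target, status, referer, _ua = m.groups()
    if not referer.startswith("http://"):
        return None  # "-" or an https referer: not the redirect case we care about
    ref, req = urlsplit(referer), urlsplit(target)
    problems = []
    if ref.query and not req.query:
        problems.append("query string dropped")
    if ref.path != req.path:
        problems.append(f"path changed {ref.path} -> {req.path}")
    return {"time": ts, "method": method, "request": target,
            "status": int(status), "referer": referer, "problems": problems}


def audit(log_text):
    """All http->https hops in log_text whose path or query did not survive the redirect."""
    findings = []
    for line in log_text.splitlines():
        rec = check_redirect(line)
        if rec is not None and rec["problems"]:
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in audit(HTTPS_LOG):
        print(f["time"], f["status"], f["request"], "<-", f["referer"], ";", "; ".join(f["problems"]))
```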