> But then, I think that when you mark a cookie as secure, it will only be
> sent over HTTPS connections, right? So this would lead to the simplest:
>
>   def ssl_required?
>     GitoriousConfig["use_ssl"]
>   end
>
> What am I missing?

Couple of details.

1. The SSL requirement plugin has an interesting perception of logic. If ssl_required? returns true, it will make sure we're on https. However, if it returns false, believe it or not, it will enforce http. This is the reason for the request.ssl? check.
2. We recently improved ssl logic on gitorious.org, something that led to more pages being served through ssl. We wanted to not force users who are not logged in over on ssl, simply because we were unsure of the performance consequences (we have already had entropy issues in the past due to intense openssl usage with ssh).

But since you're asking so critically I have to admit I'm not entirely sure if the session check is entirely required. However, it did seem to be the thing that caused all the tests to fail? Maybe Marius has better memory than me here?

Christian
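
The two-way enforcement described in the message above, modelled as an added example (not code from Gitorious or from the ssl_requirement plugin). The `Request` struct, the three predicate variants and the sample requests are assumptions made for illustration; only the filter's true-means-https, false-means-http behaviour comes from the message.

```ruby
# Added model of the behaviour described in the message. It does not load the
# real ssl_requirement plugin; every name here is hypothetical.
Request = Struct.new(:ssl, :logged_in) do
  def ssl?
    ssl
  end
end

# Filter as the message describes it: true forces https, false forces http.
def enforce_protocol(request, ssl_required)
  if ssl_required && !request.ssl?
    :redirect_to_https
  elsif !ssl_required && request.ssl?
    :redirect_to_http
  else
    :continue
  end
end

# Quoted suggestion: the config flag alone decides.
def config_only(_request, use_ssl)
  use_ssl
end

# Assumed variant: require SSL only for logged-in users.
def session_only(request, use_ssl)
  use_ssl && request.logged_in
end

# Assumed variant: as above, but also report true when already on https,
# so the filter never bounces an https visitor back to http.
def session_or_ssl(request, use_ssl)
  use_ssl && (request.ssl? || request.logged_in)
end

# Constructed sample requests: [ssl?, logged_in?]
SAMPLES = [[true, true], [true, false], [false, true], [false, false]].freeze

def outcomes(predicate, use_ssl = true)
  SAMPLES.map do |ssl, logged_in|
    req = Request.new(ssl, logged_in)
    enforce_protocol(req, send(predicate, req, use_ssl))
  end
end

%i[config_only session_only session_or_ssl].each do |name|
  puts "#{name}: #{outcomes(name).inspect}"
end
```

With the flag on, `config_only` pushes anonymous http visitors to https, `session_only` downgrades an anonymous https visitor to http, and `session_or_ssl` does neither.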
