On 26-05-2011 15:16, Christian Johansen wrote:
But then, I think that when you mark a cookie as secure, it will
only be sent over HTTPS connections, right? So this would lead to
the simplest:
  def ssl_required?
    GitoriousConfig["use_ssl"]
  end
What am I missing?
Couple of details.
1. The SSL requirement plugin has an interesting perception of
logic. If ssl_required? returns true, it will make sure we're on
https. However, if it returns false, believe it or not, it will
enforce http. This is the reason for the request.ssl? check
Yes, below is the code in revo-ssl_requirement. An example of how not to
write an API! That was a really bad name! And, maybe worse than that,
this unexpected behavior is not stated in the docs (README).
  def ensure_proper_protocol
    return true if SslRequirement.disable_ssl_check?
    return true if ssl_allowed?
    if ssl_required? && !request.ssl?
      redirect_to determine_redirect_url(request, true)
      flash.keep
      return false
    elsif request.ssl? && !ssl_required? # WHY TO DO THAT, FOR GOD SAKE??? THIS IS NOT EXPECTED FROM A METHOD NAMED ssl_required?
      redirect_to determine_redirect_url(request, false)
      flash.keep
      return false
    end
  end
But the good news is that we are able to define in ApplicationController
something like:
  def ssl_allowed?
    request.ssl? # or just true, maybe
  end
It is currently implemented as:
  def ssl_allowed?
    (self.class.read_inheritable_attribute(:ssl_allowed_actions) || []).include?(action_name.to_sym)
  end
That is because we're able to write "ssl_allowed :index" for instance.
1. We recently improved ssl logic on gitorious.org
<http://gitorious.org>, something that led to more pages being
served through ssl. We wanted to not force users who are not
logged in over on ssl, simply because we were unsure of the
performance consequences (we have already had entropy issues in
the past due to intense openssl usage with ssh).
How did you solve the entropy issue in gitorious.org? Are you using
/dev/urandom instead of /dev/random? Just curious... My feeling is that
Gitorious is too slow. While Redmine, which is a complex system, has
good performance, I don't feel the same about Gitorious. Performance is
something that I would like to improve in Gitorious. But I need to
identify first what the bottlenecks are. Github is very fast and I'm not
sure if this is just a matter of bandwidth, or caching, or database
architecture... While this could make sense for gitorious.org, it
doesn't for our intranet Gitorious...
But since you're asking so critically I have to admit I'm not entirely
sure if the session check is entirely required. However, it did seem
to be the thing that caused all the tests to fail? Maybe Marius has
better memory than me here?
Great, thanks!
Best regards,
Rodrigo.
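The downgrade behaviour discussed in this thread, as an added stand-alone example (not code from the original messages or from the revo-ssl_requirement plugin): a model of ensure_proper_protocol run against a constructed request, showing that a false ssl_required? sends an HTTPS request back to plain HTTP, and that the ApplicationController override of ssl_allowed? proposed above keeps such requests on HTTPS. The controller classes, FakeRequest and redirect_for are hypothetical names for the example.

```ruby
# Added example: a minimal stand-in for a Rails request, exposing only the
# attributes the plugin's filter actually reads.
FakeRequest = Struct.new(:ssl, :host, :path) do
  def ssl?
    ssl
  end
end

# Mirrors the plugin's filter logic. Instead of issuing a redirect it
# returns the URL the request would be redirected to, or nil when the
# request is allowed to pass through unchanged.
module ProtocolFilter
  def ensure_proper_protocol
    return nil if ssl_allowed?
    if ssl_required? && !request.ssl?
      "https://#{request.host}#{request.path}" # upgrade to HTTPS
    elsif request.ssl? && !ssl_required?
      "http://#{request.host}#{request.path}"  # downgrade to HTTP
    end
  end
end

# Controller written the way the plugin's name suggests: ssl_required?
# simply reflects the site-wide use_ssl setting.
class NaiveController
  include ProtocolFilter
  attr_reader :request

  def initialize(request, use_ssl)
    @request = request
    @use_ssl = use_ssl
  end

  def ssl_required?
    @use_ssl
  end

  def ssl_allowed?
    false
  end
end

# Same controller with the override from the thread: a request that is
# already on HTTPS is always allowed to stay there, so no downgrade occurs.
class HardenedController < NaiveController
  def ssl_allowed?
    request.ssl?
  end
end

# Runs the filter for one constructed request and returns the redirect URL
# (or nil). use_ssl: site setting; https: whether the request arrived over TLS.
def redirect_for(controller_class, use_ssl:, https:)
  req = FakeRequest.new(https, "git.example.test", "/dashboard") # constructed
  controller_class.new(req, use_ssl).ensure_proper_protocol
end
```

With use_ssl off, NaiveController answers an HTTPS request with a redirect to http://, which is the surprise the thread describes; HardenedController returns nil for the same request while still upgrading plain-HTTP requests when use_ssl is on.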