#565: Always using HTTPS for logged-in users
--------------------------+----------------------------------
Reporter: skaplun | Owner:
Type: enhancement | Status: in_merge
Priority: major | Milestone: v1.0
Component: WebSession | Version:
Resolution: | Keywords: HTTPS session cookie
--------------------------+----------------------------------
Changes (by skaplun):
* status: new => in_merge
* milestone: v1.1 => v1.0
Comment:
This is now fully implemented in my public branch sam/https.
Replying to [comment:1 jcaffaro]:
> It should not be forgotten that embedding e.g. images through http on
> an https page would lead to a complaint from the browser (IE seems to be
> quite strict on that point). This is an issue for external images that
> cannot be served through https. For example, the book cover at
> http://cdsweb.cern.ch/record/1100851?of=HB
>
> An (annoying) workaround would be to load the images via JavaScript, so
> that the browser would (maybe) not complain.
In order to solve this, any external HTTP URL referenced in a src
attribute is rewritten to point to
CFG_SITE_SECURE_URL/sslredirect/URL-without-http-part. At the same time
Apache is configured to redirect anything under /sslredirect/ to http://,
closing the circle.
--
Ticket URL: <http://invenio-software.org/ticket/565#comment:2>
Invenio <http://invenio-software.org>
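
Added example (not part of the ticket or of Invenio's code): a Python sketch of the two halves described in the comment above, the rewrite of external http:// src attributes to CFG_SITE_SECURE_URL/sslredirect/... and the reverse mapping that the web server's redirect performs. The host names, function names and the optional allowed_hosts check are assumptions made for illustration; the check is included because a redirect that accepts any host can be used as an open redirector.

```python
import re
from urllib.parse import urlsplit

# Constructed values; a real deployment would read these from configuration.
CFG_SITE_URL = "http://repo.example.org"
CFG_SITE_SECURE_URL = "https://repo.example.org"

# src="http://..." or src='http://...', but not data-src or similar.
_SRC_RE = re.compile(r"""(?<![\w-])(src\s*=\s*)(["'])http://([^"'\s>]+)\2""",
                     re.IGNORECASE)


def _host_of(rest):
    """Host part of a URL that has already lost its 'http://' prefix."""
    return re.split(r"[/?#]", rest, maxsplit=1)[0].lower()


def rewrite_external_src(html, site_url=CFG_SITE_URL,
                         secure_url=CFG_SITE_SECURE_URL):
    """Point external http:// src attributes at secure_url/sslredirect/."""
    site_host = urlsplit(site_url).netloc.lower()

    def _sub(match):
        prefix, quote, rest = match.groups()
        if _host_of(rest) == site_host:
            return match.group(0)  # not external: leave untouched
        return f"{prefix}{quote}{secure_url}/sslredirect/{rest}{quote}"

    return _SRC_RE.sub(_sub, html)


def sslredirect_target(request_path, allowed_hosts=None):
    """Map /sslredirect/<rest> back to http://<rest>, or None if refused.

    allowed_hosts=None mirrors "redirect anything"; passing a set of host
    names (hypothetical hardening) restricts the redirect to those hosts.
    """
    prefix = "/sslredirect/"
    if not request_path.startswith(prefix):
        return None
    rest = request_path[len(prefix):]
    host = _host_of(rest)
    if not host or "@" in host or "\\" in host:
        return None  # empty host or userinfo/backslash confusion
    if allowed_hosts is not None and host not in allowed_hosts:
        return None
    return "http://" + rest
```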