#565: Always using HTTPS for logged-in users
--------------------------+-----------------------------------------------
  Reporter:  skaplun      |      Owner:  Samuele Kaplun <samuele.kaplun@…>
      Type:  enhancement  |     Status:  closed
  Priority:  major        |  Milestone:  v1.0
 Component:  WebSession   |    Version:
Resolution:  fixed        |   Keywords:  HTTPS session cookie
--------------------------+-----------------------------------------------
Changes (by Samuele Kaplun <samuele.kaplun@…>):

 * owner:   => Samuele Kaplun <samuele.kaplun@…>
 * status:  in_merge => closed
 * resolution:   => fixed


Comment:

 In [c1e3691cc782ecc9f641585d23024ea070ee1c8b]:
 {{{
 #!CommitTicketReference repository=""
 revision="c1e3691cc782ecc9f641585d23024ea070ee1c8b"
 WebStyle: authenticated user HTTPS support

 * When using SSO authentication based on Shibboleth, no longer
   expect Shibboleth to be triggered for every HTTPS request but
   only for /youraccount/login and /youraccount/keepssoalive, the
   latter being referenced by a hidden IFRAME and pinged
   regularly to, indeed, keep the SSO session alive.

   This change is necessary in order to allow Invenio to
   be executed fully over HTTPS, without Shibboleth authentication
   to be triggered upon every request.

 * Additionally if CFG_SITE_URL uses HTTPS, then any HTTP request
   will be re-routed to HTTPS and the cookie session will be
   sent only via HTTPS.

 * If serving an HTTPS request and MathJax is enabled and is
   configured to use the CDN, then the HTTPS-based URL
   for the MathJax CDN will be used.

 * Any external URL being referenced by an src attribute of an
   HTML page served by Invenio over HTTPS is now rewritten
   to point to CFG_SITE_SECURE_URL/sslredirect/URL so that
   the URL looks like HTTPS and browsers do not complain.

 * Any local URL being referenced by a src or href attribute of
   an HTML page served by Invenio over HTTPS is now rewritten
   to point to CFG_SITE_SECURE_URL.
   (closes #565)

 * Note: beware you should update your Apache configuration (e.g. by
   running "inveniocfg --create-apache-conf") in order to add to the
   SSL part a global redirection directive of the form
   "RedirectMatch /sslredirect/(.*) http://$1".
 }}}

-- 
Ticket URL: </ticket/565#comment:3>
Invenio <http://invenio-software.org>
