I have found this, but I'm not sure how to apply it to my 3.8.2 installation...
# # rt-3.4.4-ForceHTTPSLogin.patch # # Warning: this patch is under devel, barely tested!!! # # * 2005.01.06 Paulo Matos <[email protected]> # - Redirect to https when credentials are not found; # - Redirect to http when credentials are found; # - Changed cookiename removing SERVER_PORT. #
diff -uNr rt-3.4.4.orig/html/autohandler rt-3.4.4/html/autohandler
--- rt-3.4.4.orig/html/autohandler 2005-02-01 14:20:40.000000000 +0000
+++ rt-3.4.4/html/autohandler 2006-01-06 03:51:29.000000000 +0000
@@ -72,6 +72,11 @@
 $m->comp('/Elements/SetupSessionCookie', %ARGS);
+# check credentials and HTTPS, if so redirect to HTTP
+if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id && $ENV{'HTTPS'}) {
+ $m->redirect('http://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+}
+
 unless ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
 $session{'CurrentUser'} = RT::CurrentUser->new();
 }
@@ -218,6 +223,10 @@
 # If we have no credentials
 else {
+ # check if we are in HTTPS mode
+ if (! $ENV{'HTTPS'} ) {
+ $m->redirect('https://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+ }
 $m->comp('/Elements/Login', %ARGS);
 $m->abort();
 }
diff -uNr rt-3.4.4.orig/html/Elements/SetupSessionCookie rt-3.4.4/html/Elements/SetupSessionCookie
--- rt-3.4.4.orig/html/Elements/SetupSessionCookie 2005-04-18 02:44:50.000000000 +0100
+++ rt-3.4.4/html/Elements/SetupSessionCookie 2006-01-06 03:51:46.000000000 +0000
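Review bot: The block added after the `SetupSessionCookie` call in autohandler (new line 75) sends every logged-in request that arrives over HTTPS back to plain HTTP, so only the password is protected; the session cookie and all ticket content then travel in cleartext for the rest of the session. Anyone who can observe that traffic can replay the `RT_SID_...` cookie and act as the user without knowing the password. I would drop this block and keep authenticated users on HTTPS, which is also what the reply quoted in this thread recommends. If it is kept regardless, it should carry a comment such as `# WARNING: downgrades the authenticated session to HTTP; session id is exposed on the wire`.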
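Review bot: The redirect target in the added `if` inside the `else` branch (new line 226) is assembled from `$ENV{SERVER_NAME}` and `$ENV{REQUEST_URI}`, which drops any non-default port and, depending on the web server's canonical-name settings, may reflect a client-supplied Host header. The test on `$ENV{'HTTPS'}` also only works when this server terminates TLS itself; behind a TLS-terminating proxy the variable would normally be unset and the login page would redirect to itself without end. Taking the host name from RT's own configuration rather than from the request avoids the first problem, and a comment like `# assumes the web server sets HTTPS (e.g. mod_ssl); not valid behind a TLS proxy` documents the second. The `if` that this `else` belongs to lies outside the hunk.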
@@ -47,7 +47,9 @@
 return if $m->is_subrequest; # avoid reentrancy, as suggested by masonbook
 my %cookies = CGI::Cookie->fetch();
-my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+# removed SERVER_PORT from cookie name so it can be valid on HTTP and HTTPS
+#my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+my $cookiename = "RT_SID_".$RT::rtname.".".'0000';
 my %backends = (
 mysql => 'Apache::Session::MySQL',
 Pg => 'Apache::Session::Postgres',
Regards, On Fri, Jan 23, 2009 at 10:02 AM, Emmanuel Lacour <[email protected]>wrote: > On Fri, Jan 23, 2009 at 09:57:41AM -0430, Eliezer E Chávez wrote: > > But after the login, the page will return to http? > > > > humm, no because it's the same url :( > > you can also modify the login page to do the POST using https, but that > doesn't solve this. > > sure it's possible, but that will need more modifications I think and I > don't have yet enough time to find which :/ > > or ... use full https for you're RT ;) > > _______________________________________________ > http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users > > Community help: http://wiki.bestpractical.com > Commercial support: [email protected] > > > Discover RT's hidden secrets with RT Essentials from O'Reilly Media. > Buy a copy at http://rtbook.bestpractical.com > -- Eliezer E Chávez +58-416-6125676 [email protected] >>http://www.bumeran.com.ve/cv/eliezer-chavez
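Review bot: Replacing `$ENV{'SERVER_PORT'}` with the constant `'0000'` in `$cookiename` makes one session cookie valid on both the HTTP and the HTTPS port, so it can never be restricted to encrypted connections and is sent in cleartext whenever the browser talks HTTP. A session id handed out over HTTP before login is then the same id that becomes authenticated after the HTTPS login, unless the id is regenerated at login, which nothing visible in this patch does. If the site is served entirely over HTTPS the original port-qualified name can stay and this hunk is unnecessary. If the change is kept, the literal deserves a comment, e.g. `# fixed suffix: cookie is shared by HTTP and HTTPS, so it cannot be marked Secure`.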
