Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
if you're using non-ssl javascript cdn you should embed javascript ( or css ) like this:

<script type="text/javascript" src="//code.jquery.com/jquery-latest.min.js"></script>

// - it's a protocolless javascript embedding technique :)

good luck :)

ps: it works with images, css, javascript too

2011/2/21 Jason Galea li...@eightdegrees.com.au

> you're not using a non-ssl cdn for your javascript libraries? (had me searching once..)
>
> On Mon, Feb 21, 2011 at 1:32 PM, will trillich will.trill...@serensoft.com wrote:
>
>> Catalyst::Plugin::Session::State::Cookie shows how to make a secure cookie, which is great when you're rolling cookies by hand in your code. But how do you set a secure cookie in the context of a myapp.conf setup?
>>
>> <session>
>>     flash_to_stash = 1
>>     dbic_class = MyApp::Session
>>     expires = 3600
>>     cookie_secure = 1 # just kidding
>> </session>
>>
>> That's not doing the trick. Which doc reveals the right mojo?
>>
>> ===
>>
>> This is in pursuit of stopping the Explorer error "This page contains both secure and nonsecure items..."
>>
>> Other than the doctype and the html xmlns= attribute, we can't find any http:// references, even looking in css @import and url() ... so the next culprit seems to be the nonsecure cookie.
>>
>> Other guidance is more than welcome!
>>
>> --
>> The first step towards getting somewhere is to decide that you are not going to stay where you are.
>> -- J.P.Morgan
>
> --
> Jason Galea
> Web Developer
> Ph 07 40556926 Mob 04 12345 534
> www.eightdegrees.com.au

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
Nope it's not the javascript. Searching view-source for "http://" shows only DOCTYPE, xmlns, <!-- comments --> and links to other/external websites.

The session cookie does show as non-secure, so that's why we're thinking it's the main culprit.

Otherwise, is there a tool out there that helps discover what Explorer is griping about when it says "this page contains both secure and nonsecure items..."?

On Mon, Feb 21, 2011 at 12:08 AM, Jason Galea li...@eightdegrees.com.au wrote:

> you're not using a non-ssl cdn for your javascript libraries? (had me searching once..)
>
> On Mon, Feb 21, 2011 at 1:32 PM, will trillich will.trill...@serensoft.com wrote:
>
>> Catalyst::Plugin::Session::State::Cookie shows how to make a secure cookie, which is great when you're rolling cookies by hand in your code. But how do you set a secure cookie in the context of a myapp.conf setup?
>>
>> <session>
>>     flash_to_stash = 1
>>     dbic_class = MyApp::Session
>>     expires = 3600
>>     cookie_secure = 1 # just kidding
>> </session>
>>
>> That's not doing the trick. Which doc reveals the right mojo?
>>
>> ===
>>
>> This is in pursuit of stopping the Explorer error "This page contains both secure and nonsecure items..."
>>
>> Other than the doctype and the html xmlns= attribute, we can't find any http:// references, even looking in css @import and url() ... so the next culprit seems to be the nonsecure cookie.
>>
>> Other guidance is more than welcome!
>>
>> --
>> The first step towards getting somewhere is to decide that you are not going to stay where you are.
>> -- J.P.Morgan
>
> --
> Jason Galea
> Web Developer
> Ph 07 40556926 Mob 04 12345 534
> www.eightdegrees.com.au

--
The first step towards getting somewhere is to decide that you are not going to stay where you are.
-- J.P.Morgan
Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
On Mon, Feb 21, 2011 at 6:11 AM, will trillich will.trill...@serensoft.com wrote:

> That's a neat trick -- hadn't heard of that one before. But the javascript isn't our nonsecure-items problem.

Protocol free // isn't a javascript specific technique while we're on it. It simply means use the protocol that's currently in action. It will work for images and such as well as long as your server can send them secured. This technique was gaining traction 10 years ago but doesn't seem to get much use today.
Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
On 21 February 2011 14:09, will trillich will.trill...@serensoft.com wrote:

> Nope it's not the javascript. Searching view-source for "http://" shows only DOCTYPE, xmlns, <!-- comments --> and links to other/external websites.
>
> The session cookie does show as non-secure, so that's why we're thinking it's the main culprit.
>
> Otherwise, is there a tool out there that helps discover what Explorer is griping about when it says "this page contains both secure and nonsecure items..."?

Hi,

It shouldn't matter that it's not a secure cookie - that's just a flag that tells the browser it shouldn't send the cookie back to the same domain on any non-SSL requests.

Cookies are sent as part of a request/response for a URL - so it's a URL that's the problem, not a cookie.

I recommend you try viewing the page in a browser that will let you see all network requests - e.g. firefox with the firebug plugin running.

Carl
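An added example, not part of the original thread, of the distinction Carl draws above: the mixed-content warning comes from URLs the browser fetches over plain HTTP while rendering, not from `http://` strings in the DOCTYPE, `xmlns`, comments or ordinary links. It uses Python's standard `html.parser`; the sample page, the `example.com` names and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs whose URL the browser fetches while rendering the page.
FETCHED = {("script", "src"), ("img", "src"), ("iframe", "src"), ("frame", "src"),
           ("embed", "src"), ("object", "data"), ("input", "src")}
# http:// URLs inside CSS url(...) or @import "..." rules.
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+)['"]?(http://[^'")\s;]+)""", re.I)

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []         # (where, url) for each insecure subresource load
        self.in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        self.in_style = tag == "style"
        rel = set(attrs.get("rel", "").lower().split())
        for name, value in attrs.items():
            if name == "style":            # inline CSS can load images too
                self.hits += [(tag + "[style]", u) for u in CSS_URL.findall(value)]
            elif value.lower().startswith("http://") and (
                    (tag, name) in FETCHED
                    or ((tag, name) == ("link", "href") and rel & {"stylesheet", "icon"})):
                self.hits.append(("%s[%s]" % (tag, name), value))

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:                  # contents of a <style> element
            self.hits += [("style", u) for u in CSS_URL.findall(data)]

def find_insecure_loads(html):
    """Return (where, url) pairs the browser would fetch over plain HTTP."""
    scanner = Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page: only the <style> rule and the <img> are fetched over HTTP.
SAMPLE = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><!-- see http://example.com/notes -->
<style type="text/css">body { background: url(http://static.example.com/bg.png); }</style>
<script type="text/javascript" src="//code.jquery.com/jquery-latest.min.js"></script>
</head><body>
<a href="http://www.example.org/">external link</a>
<img src="http://example.com/logo.gif" alt="logo" /></body></html>"""
```

A static scan like this cannot see an https: resource that redirects to http:, or URLs built by script at run time, so a network trace of the rendered page is still needed for those cases.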
Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
2011/2/21 Oroszi, Róbert rob...@oroszi.net

> if you're using non-ssl javascript cdn you should embed javascript ( or css ) like this:
>
> <script type="text/javascript" src="//code.jquery.com/jquery-latest.min.js"></script>
>
> // - it's a protocolless javascript embedding technique :)
>
> good luck :)

IIRC, I tried this on a site a few years back and changed back -- unfortunately, for a reason that I can't remember now.

Maybe it was related to this:

http://www.stevesouders.com/blog/2010/02/10/5a-missing-schema-double-download/

(and linked from above)

http://www.flickr.com/photos/jongalloway/4951687517/lightbox/
http://php5.skauti-pardubice.cz/IE7-missing-scheme-bug.php

I don't have IE8 here. Can anyone confirm?

--
Bill Moseley
mose...@hank.org
Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
Thanks for the cookie back-story, Carl. We're looking into a firefoxy diagnosis.

On Mon, Feb 21, 2011 at 9:15 AM, Carl Franks fireart...@gmail.com wrote:

> On 21 February 2011 14:09, will trillich will.trill...@serensoft.com wrote:
>
>> Nope it's not the javascript. Searching view-source for "http://" shows only DOCTYPE, xmlns, <!-- comments --> and links to other/external websites.
>>
>> The session cookie does show as non-secure, so that's why we're thinking it's the main culprit.
>>
>> Otherwise, is there a tool out there that helps discover what Explorer is griping about when it says "this page contains both secure and nonsecure items..."?
>
> Hi,
>
> It shouldn't matter that it's not a secure cookie - that's just a flag that tells the browser it shouldn't send the cookie back to the same domain on any non-SSL requests.
>
> Cookies are sent as part of a request/response for a URL - so it's a URL that's the problem, not a cookie.
>
> I recommend you try viewing the page in a browser that will let you see all network requests - e.g. firefox with the firebug plugin running.
>
> Carl

--
The first step towards getting somewhere is to decide that you are not going to stay where you are.
-- J.P.Morgan
Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
Not sure if someone's suggested this so far, but perhaps one of the resources you're including using https: is getting a redirect back to a non-SSL URL?

- john romkey
http://www.romkey.com/
[Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
Catalyst::Plugin::Session::State::Cookie shows how to make a secure cookie, which is great when you're rolling cookies by hand in your code. But how do you set a secure cookie in the context of a myapp.conf setup?

<session>
    flash_to_stash = 1
    dbic_class = MyApp::Session
    expires = 3600
    cookie_secure = 1 # just kidding
</session>

That's not doing the trick. Which doc reveals the right mojo?

===

This is in pursuit of stopping the Explorer error "This page contains both secure and nonsecure items..."

Other than the doctype and the html xmlns= attribute, we can't find any http:// references, even looking in css @import and url() ... so the next culprit seems to be the nonsecure cookie.

Other guidance is more than welcome!

--
The first step towards getting somewhere is to decide that you are not going to stay where you are.
-- J.P.Morgan
Re: [Catalyst] Making secure session cookies (or, how do we make Explorer stop complaining about nonsecure content on a secure page?)
you're not using a non-ssl cdn for your javascript libraries? (had me searching once..)

On Mon, Feb 21, 2011 at 1:32 PM, will trillich will.trill...@serensoft.com wrote:

> Catalyst::Plugin::Session::State::Cookie shows how to make a secure cookie, which is great when you're rolling cookies by hand in your code. But how do you set a secure cookie in the context of a myapp.conf setup?
>
> <session>
>     flash_to_stash = 1
>     dbic_class = MyApp::Session
>     expires = 3600
>     cookie_secure = 1 # just kidding
> </session>
>
> That's not doing the trick. Which doc reveals the right mojo?
>
> ===
>
> This is in pursuit of stopping the Explorer error "This page contains both secure and nonsecure items..."
>
> Other than the doctype and the html xmlns= attribute, we can't find any http:// references, even looking in css @import and url() ... so the next culprit seems to be the nonsecure cookie.
>
> Other guidance is more than welcome!
>
> --
> The first step towards getting somewhere is to decide that you are not going to stay where you are.
> -- J.P.Morgan

--
Jason Galea
Web Developer
Ph 07 40556926 Mob 04 12345 534
www.eightdegrees.com.au