I'm working on implementing SSL in my application and I have a question about how redirect_to actually works. Here's a scenario:
Suppose I want my login action to be available only over SSL so the username and password will be transmitted encrypted. In my controller, I would have something like
    before_filter :require_ssl, :only => [:login]

and

    def require_ssl
      redirect_to :protocol => 'https://' unless (request.ssl? or request.local?)
    end
[By the way, this is not necessarily how I'm doing it in my app, but it works very well for this question.]
When the browser makes the initial request to the server, is the form data passed along at that time or is the redirect handled in some sort of handshaking process before the form data is passed? If the data is passed to the server in the initial request, then it will be unencrypted if it comes in on http, which really does no good because it is exposed between the client and server.
The question I'm trying to answer for myself is do I want my entire application behind ssl, just to be safe, or do I want to leave open those actions that don't really need it (very few in this case). I noticed that when you go to http://www.paypal.com, you are automatically redirected to https, so even the login form is already behind ssl.
Thanks for any insight and help in understanding this process.
Peace, Phillip
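The point behind the question, as an added example that is not part of the original post or of Rails itself: a redirect can only protect a request whose data has not been sent yet. The `PlainRequest` struct below is a hypothetical stand-in for a Rack/Rails request so the code runs without Rails installed; a GET for the login form over HTTP is safely redirected, while a POST over HTTP has already carried the credentials in cleartext before the filter runs, so the gate refuses it rather than pretending a redirect fixed it.

```ruby
# Added example (not from the post): a Rack-style SSL gate showing why a
# redirect cannot protect a login form that was submitted over plain HTTP.
require 'uri'

# Hypothetical minimal stand-in for a Rails/Rack request object, constructed
# so the example runs offline without Rails.
PlainRequest = Struct.new(:scheme, :verb, :host, :path, :body) do
  def ssl?
    scheme == 'https'
  end
end

# Returns nil to let the request through, or a Rack-style
# [status, headers, body] triple when the request arrived over plain HTTP.
def ssl_gate(req)
  return nil if req.ssl?

  target = URI::HTTPS.build(host: req.host, path: req.path).to_s
  if %w[GET HEAD].include?(req.verb)
    # Nothing sensitive has been sent yet: redirecting is enough, and the
    # browser fetches the login form again over TLS.
    [301, { 'Location' => target }, []]
  else
    # A POST over HTTP has already carried the body (username and password)
    # across the network in cleartext before this code ran. Redirecting now
    # cannot undo that exposure, so refuse the request; the fix is to serve
    # the form itself only over HTTPS so the browser never posts over HTTP.
    [403, { 'Content-Type' => 'text/plain' },
     ["Form submitted over plain HTTP; resubmit via #{target}"]]
  end
end
```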