Wierd 'Being redirected to non-secure' warnings but entire site is SSL

Bill_Walton · March 9, 2007, 7:25pm

Greetings all,

Apologies in advance for the cross-post.

I just got a report that I really need some help understanding.

My site ( www.yourtimematters.com ) is set up so that

any attempted access to yourtimematters.com gets redirected to www.yourtimematters.com
all access to www.yourtimematters.com takes place using https://

The visitor I was walking through the app with (over the phone) was getting warnings as she advanced from page to page that she was “being redirected to a non-secure page.” If she clicked OK, she was taken to https:// the_next_page. This happened on every page within the app.

What could be causing this? The entire site is secured. All of the pages advance via a button that’s a form_tag{:controller => ‘some_controller’, :action => ‘some_action’} with nothing in the form but the submit_tag. All the pages are being served from the app by mongrel through Apache to the browser.

This is the only visitor that’s seen this behavior, but I assume that if she saw it, others will too. She was accessing the site from her office at Adobe, so I assume there’s some pretty heavy firewall stuff going on. Could something on her end be causing this?

Any ideas?

Thanks in advance,

Bill

wesgarrison · March 9, 2007, 7:33pm

Looks like your "mainnav" links are hard-coded to http, not https. Are you using link_to everywhere?

-- Wes

Bill_Walton · March 9, 2007, 9:52pm

Hi Wes,

wesgarrison wrote:

Looks like your "mainnav" links are hard-coded to http, not https.

That was a good catch. I'd forgotten to change that. Unfortunately, that wasn't it.

Are you using link_to everywhere?

No. The problem looks to be caused when I'm doing a redirect_to from one controller method to another. That generates a 302 header which IE 6 is having a problem with.

Do you (or anyone reading this) know if the 302 header says anything about where the move is headed? Like maybe there's a default setting that says "going to http://"+new_location that I could override and get to say "going to https://"+new_location ? Do routes maybe figure in this somehow? Any ideas are very, very welcome.

Thanks, Bill

wesgarrison · March 9, 2007, 11:48pm

I've used this before to force everything to https:

In application.rb:

# Force https usage for all links and redirects # Only do this in production-ish modes, though, because localhost # probably doesn't have SSL enabled if %w(production staging demo etc).include?(ENV['RAILS_ENV']) def default_url_options(options) { :protocol => 'https://' } end end

As for the redirects, your log should have a line like this: Redirected to http://127.0.0.1:3000/ Completed in 0.09400 (10 reqs/sec) | DB: 0.09400 (100%) | 302 Found [http://127.0.0.7/etc/show\]

That'd show you if you're being redirected to https or not. I'd try the first thing to see if it worked, though. If anyone else has a reason not to do that, I'd like to hear it, too. It's worked okay for me for several months, though.

-- Wes

Bill_Walton · March 10, 2007, 12:53am

Way cool. Looks like what I'd expected to find. Thank you. I'll give it a shot and let you know what happens.

Thanks much, Bill