Weird 'Being redirected to non-secure' warnings but entire site is SSL

I just got a report that I really need some help understanding.

My site ( www.yourtimematters.com ) is set up so that

  1. any attempted access to yourtimematters.com gets redirected to www.yourtimematters.com

  2. all access to www.yourtimematters.com takes place using https://

The visitor I was walking through the app with (over the phone) was getting warnings as she advanced from page to page that she was “being redirected to a non-secure page.” If she clicked OK, she was taken to https:// the_next_page. This happened on every page within the app.

What could be causing this? The entire site is secured. All of the pages advance via a button that’s a form_tag{:controller => 'some_controller', :action => 'some_action'} with nothing in the form but the submit_tag. All the pages are being served from the app by mongrel through Apache to the browser.

This is the only visitor that’s seen this behavior, but I assume that if she saw it, others will too. She was accessing the site from her office at Adobe, so I assume there’s some pretty heavy firewall stuff going on. Could something on her end be causing this?

Any ideas?

Looks like your "mainnav" links are hard-coded to http, not https.
Are you using link_to everywhere?

Hi Wes,

wesgarrison wrote:

> Looks like your "mainnav" links are hard-coded to http, not https.

That was a good catch. I'd forgotten to change that. Unfortunately, that wasn't it.

> Are you using link_to everywhere?

No. The problem looks to be caused when I'm doing a redirect_to from one controller method to another. That generates a 302 header which IE 6 is having a problem with.

Do you (or anyone reading this) know if the 302 header says anything about where the move is headed? Like maybe there's a default setting that says "going to http://"+new_location that I could override and get to say "going to https://"+new_location ? Do routes maybe figure in this somehow? Any ideas are very, very welcome.


I've used this before to force everything to https:

In application.rb:

  # Force https usage for all links and redirects
  # Only do this in production-ish modes, though, because localhost
  # probably doesn't have SSL enabled
  if %w(production staging demo etc).include?(ENV['RAILS_ENV'])
    def default_url_options(options)
      { :protocol => 'https://' }
    end
  end

As for the redirects, your log should have a line like this:
Redirected to
Completed in 0.09400 (10 reqs/sec) | DB: 0.09400 (100%) | 302 Found

That'd show you if you're being redirected to https or not. I'd try
the first thing to see if it worked, though. If anyone else has a
reason not to do that, I'd like to hear it, too. It's worked okay for
me for several months, though.
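
The log check suggested above, as an added example that is not part of the original posts: it scans a Rails log for "Redirected to" lines and reports every redirect whose target is not https, tagged with the controller action that issued it. The sample log is constructed (hostnames, controllers and timings are made up), and the "Processing Controller#action" request line is assumed to precede each request's redirect line.

```ruby
require 'uri'

# Constructed sample in the style of the Rails log lines quoted above
# (hostnames, controllers and timings are made up for illustration).
SAMPLE_LOG = <<~LOG
  Processing StepsController#advance (for 10.0.0.5 at 2008-01-15 10:02:11) [POST]
  Redirected to http://www.example.com/steps/2
  Completed in 0.09400 (10 reqs/sec) | DB: 0.09400 (100%) | 302 Found
  Processing StepsController#show (for 10.0.0.5 at 2008-01-15 10:02:12) [GET]
  Completed in 0.03100 (32 reqs/sec) | Rendering: 0.01200 (38%) | 200 OK
  Processing StepsController#finish (for 10.0.0.5 at 2008-01-15 10:03:40) [POST]
  Redirected to https://www.example.com/thanks
  Completed in 0.04700 (21 reqs/sec) | DB: 0.01500 (31%) | 302 Found
  Processing SessionsController#create (for 10.0.0.9 at 2008-01-15 10:05:02) [POST]
  Redirected to
  Completed in 0.02000 (50 reqs/sec) | DB: 0.00500 (25%) | 302 Found
LOG

# Returns one entry per redirect whose target is not https, tagged with the
# controller action named on the most recent "Processing" line.
def insecure_redirects(log_text)
  current_action = nil
  findings = []
  log_text.each_line do |line|
    line = line.strip
    if (m = line.match(/\AProcessing (\S+#\S+)/))
      current_action = m[1]
    elsif (m = line.match(/\ARedirected to\s*(.*)\z/))
      target = m[1]
      scheme = begin
        URI.parse(target).scheme
      rescue URI::InvalidURIError
        nil
      end
      next if scheme == 'https'
      reason = scheme.nil? ? :no_scheme : :non_https_scheme
      findings << { action: current_action, target: target, reason: reason }
    end
  end
  findings
end

# Count of flagged redirects per controller action, to show where to look first.
def insecure_redirect_summary(log_text)
  insecure_redirects(log_text).group_by { |f| f[:action] }.transform_values(&:size)
end

insecure_redirects(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A redirect line with an empty or relative target is reported as :no_scheme rather than skipped, since the log alone cannot show which scheme the browser was sent to.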

Way cool. Looks like what I'd expected to find. Thank you. I'll give it a shot and let you know what happens.

