SSL: stay on ssl when request is ssl #434

Closed
mworrell opened this Issue Oct 1, 2012 · 2 comments

mworrell commented Oct 1, 2012

A new option: when we are handling a request via ssl, then keep all redirects etc under ssl.

The default is now to switch to non-ssl when ssl is not explicitly set.

mworrell was assigned Oct 1, 2012

kaos commented Oct 2, 2012

I assume this is to avoid mixing insecure and secure data on the same page. +1 :)

mworrell commented Oct 2, 2012

Also to make it easier to keep your session cookie secure. Maybe a side effect could be to set the 'secure' flag on the session cookie.

Maybe we should call it 'ssl_secure_session' and keep everything (and the session cookie) in SSL unless explicitly stated otherwise in the dispatch rule.

mworrell closed this in 54e60f6 Oct 2, 2012

rpip pushed a commit to rpip/zotonic that referenced this issue Aug 12, 2013

mworrell mod_ssl: Added mod_ssl, enables ssl certs per site. Removed ssl from …
…the core. Tuned dispatch rules for more secure usage. Fixes #434. Fixes #433.
6d3d719