[BLUG] Perl CGI::Session & Redirection from https to http
Peter G. Brown
blug_at_mailman.cs.indiana.edu
Thu, 11 Jan 2007 09:19:15 -0500
Thanks Mark.
[Just in case I am not being clear, the Perl CGI::Session is not related to the
http/https question]
On Thursday 11 January 2007 08:39, Mark Krenz wrote:
> I was waiting to give someone else a chance to answer.
>
> Joe is right. Most people who want to force people to use https (SSL)
> use rewrite rules to do it. Not something in the program. You want to
> force people to use SSL not only for their protection, but for your
> protection. Doing it in the program might open a door for someone to
> change the https back to http and login unencrypted. While some people
> might think "Well if that's what they want to do, then fine", I think "I
> don't want people sniffing the network to have any opportunity to see
> data they shouldn't be".
>
> Here is what you'd need to do in the Apache global config or htaccess
> file:
>
> RewriteEngine On
> RewriteCond %{SERVER_PORT} ^80$
> RewriteRule ^ https://www.yourdomain.com%{REQUEST_URI} [R,L]
>
> Put that in the directory that you want to be protected.
>
> It is probably better to put this in the global config, but that's
> optional.
>
> Mark
>
> On Thu, Jan 11, 2007 at 12:59:36PM GMT, Peter G. Brown [pgb_at_kiva.net] said the following:
> > Thanks Joe for the tip - no takers on CGI::Session?
> >
> > On Wednesday 10 January 2007 15:17, Joe Auty wrote:
> > > Couldn't you just do this with a redirect command in an .htaccess
> > > file? Seems much easier...
> > >
> > > On Jan 10, 2007, at 2:39 PM, Peter G. Brown wrote:
> > > > Hello,
> > > >
> > > > 1. I would like to know if anyone has/is using the Perl CGI::Session
> > > > module, as I have some questions which googling has not resolved.
> > > >
> > > > 2. I have seen code for ASP in how to redirect from https (same server
> > > > in my case) to http but haven't seen anything that has worked using
> > > > Perl - (print redirect ('http://host/news.html'); ) is not redirecting
> > > > to the http but the https.
> > > >
> > > > 3. Which raised this question - my login page is through the https port
> > > > (again same server) e.g. https://ephesus/login.html (test server) but
> > > > if I enter http://ephesus/login.html (the non secure 80 port) it
> > > > processes my details - all non encrypted. I would like some kind of
> > > > error on loading the page (not after entering username & password) and
> > > > a redirect to https should this happen.
> > > >
> > > > Thank you,
> > > > Peter Brown
> > > > _______________________________________________
> > > > BLUG mailing list
> > > > BLUG_at_linuxfan.com
> > > > http://mailman.cs.indiana.edu/mailman/listinfo/blug
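
An added example, not part of the original thread: an application-level backstop in Perl for the situation in point 3, meant to sit behind the rewrite rule rather than replace it. The helper name `https_decision`, the `$CANONICAL_HOST` value and the response bodies are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): backstop check for a login CGI.
use strict;
use warnings;
use CGI;

# Assumption: the canonical HTTPS host is fixed in configuration, as in the
# rewrite rule quoted above, and is never taken from the client's Host header.
my $CANONICAL_HOST = 'www.yourdomain.com';

# Decide what to do with a request. Returns a list: (action, detail).
#   ('serve')            request arrived over TLS, continue normally
#   ('redirect', $url)   GET/HEAD over plain HTTP, send the browser to HTTPS
#   ('reject')           any other method over plain HTTP: posted credentials
#                        have already crossed the wire in clear, so they are
#                        not processed and not quietly redirected
sub https_decision {
    my ($env) = @_;
    my $https = lc($env->{HTTPS} // '');   # mod_ssl sets HTTPS=on
    return ('serve') if $https eq 'on';

    my $method = uc($env->{REQUEST_METHOD} // 'GET');
    return ('reject') unless $method eq 'GET' || $method eq 'HEAD';

    my $uri = $env->{REQUEST_URI} // '/';
    $uri = '/' unless $uri =~ m{^/(?!/)};  # only same-site absolute paths
    $uri =~ s/[\r\n].*//s;                 # no header injection via the path
    return ('redirect', "https://$CANONICAL_HOST$uri");
}

# Only emit a response when actually running as a CGI program.
if ($ENV{GATEWAY_INTERFACE}) {
    my $q = CGI->new;
    my ($action, $url) = https_decision(\%ENV);
    if ($action eq 'redirect') {
        print $q->redirect(-uri => $url, -status => '301 Moved Permanently');
    } elsif ($action eq 'reject') {
        print $q->header(-status => '403 Forbidden', -type => 'text/plain'),
              "This page is only available over https.\n";
    } else {
        # Placeholder for the real login page output.
        print $q->header(-type => 'text/html'), "<!-- login form -->\n";
    }
}
```

Rejecting the plain-HTTP POST does not protect the credentials already sent, so the login form itself should only ever be served over https.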