[ic] AlwaysSecure is not working
interchange-users@interchange.redhat.com
interchange-users@interchange.redhat.com
Mon Feb 25 20:15:01 2002
On Tue, Feb 26, 2002 at 01:18:27AM +0100, Joachim Leidinger wrote:
> Kyle Cook wrote:
> > Joachim,
> >
> > If you use area and page tags and set AlwaysSecure then the url is built to
> > be secure.
>
> Yes! Right!
>
> > To have IC "switch to secure" would require a redirect to the browser after the
> > browser requested an unsecure page.
> >
> > Technically it would be possible to redirect GET, but not possible to
> > redirect POST.
>
> It is the get methode! I simple type the url to the checkout page in to
> the url bar of my browser.
>
> > But there still remains the problem that the first call to an unsecure page
> > passes
> > all information insecurely before any redirect could be done.
>
> Why is IC checking the url, page and name for secure by AlwaysSecure in
> that page and not recognizing that the calling page itself is to be
> secure? What I mean is,
>
> AlwaysSecure a b c
>
> Page A has a link/url to b and c:
>
> Manual calling the page a in my browser is showing the page a *insecure*
> and the link/url in that page to the page b and c *is* secure.
>
> I'm wondering! IC is knowing, which page is calling and parse that page
> to check whether the another calling pages is set to be secure or not
> and is not able to recognize the calling page itselft is to be secure?
Yeah, I remember getting bitten by "AlwaysSecure" and concluding that
might not have been the best name for the option.
Why not write a little [usertag] to check path and permissions
as appropriate for your setup and to send redirect elsewhere
for failures?
--
Christopher F. Miller, Publisher cfm@maine.com
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
1.207.657.5078 http://www.maine.com/
Content/site management, online commerce, internet integration, Debian linux