[ic] ExtraSecure and special_pages/violation
Thomas J.M. Burton
tom at globalfocusdm.com
Wed Dec 16 20:16:53 UTC 2009
Hi IC Users,
I've come across the issue of being able to access pages that are set in
the AlwaysSecure config setting using a direct URL and the http protocol
rather than https. From what I've been able to find on the users list
and in the docs, it appears that if ExtraSecure is enabled and an
AlwaysSecure page is accessed via http rather than https (directly, from
a browser's location bar), the user is redirected to the
special_pages/violation page.
The problem that I see is that the violation page contains a login form,
indicating that the page is only accessible if they are logged in.
However, if an AlwaysSecure page is accessed directly through an http
url in the browser's address bar AND the user is already logged in, the
violation page is displayed with a "you are already logged in" message.
More information about the interchange-users
mailing list