Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi -- On my site http://www.aaa.com I have a link to https://www.bbb.com/redirect. /redirect is handled by Redirect.pm, a mod_perl 2 module which sets a cookie and redirects. The redirect goes over to http://www.ccc.com. Note aaa is regular http, bbb is secure https, and ccc is regular http. The redirect is simple:

    my $cookie_out = CGI::Cookie->new(
        -name    => $hitid,
        -value   => $cell,
        -domain  => 'www.bbb.com',
        -path    => '/',
        -secure  => $ENV{HTTPS},
        -expires => '+1d',
    );
    $r->err_headers_out->add('Set-Cookie' => $cookie_out);
    $r->headers_out->set(Location => $url);
    return &Apache::REDIRECT;

In Netscape, when clicking on the link from aaa to bbb, the browser puts up a popup warning "You have requested an encrypted page that contains some unencrypted information..." What does this warning mean? The bbb page is contentless, just a redirect -- what is insecure on it? Is there some mod_perl magic that would avoid this warning? Thanks

Re: encrypted page contains
by liz (Monsignor) on Oct 17, 2003 at 10:51 UTC
    There is no mod_perl magic that can avoid this. This is a browser feature / setting.

    The error means what it says: a link to a http:// URL from a page fetched with a https:// URL.

    Liz

Re: encrypted page contains
by oghran (Initiate) on Oct 17, 2003 at 12:44 UTC
    I've had that before and it related to referencing a non secure image (from http://...) within a secure web page (https://...). From your code though it looks like you're just setting a cookie, and redirecting with no content though.

    You don't suppose you are setting a nonsecure cookie from the secure domain? Might be worth a look.

Re: encrypted page contains
by inman (Curate) on Oct 17, 2003 at 13:20 UTC
    Try returning an HTML page that is just a blank page with a redirect tag in the head.

    <meta http-equiv="refresh" content="0;URL=http://www.ccc.com">

    This should do a near instantaneous refresh without the browser complaining.

    inman

      Sorry. I was lying.

      It would appear that any redirect, regardless of how it is achieved, will cause the browser to complain if the redirection is from an HTTPS site to an HTTP site. The text of the complaint will vary according to browser and in this case sounds misleading.

      The browser is basically pointing out that an automatic transition between a secured and normal site could be risky. The same sort of thing happens when you try and submit form data to an HTTP host from an HTTPS page.

      I think that you are going to have to just live with this one!

      inman
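
The two conditions raised in the replies above (a redirect that leaves https:// for http://, and a cookie set over https:// without the Secure attribute) can be checked from the response headers alone. The following is an added example, not code from any poster in this thread; `audit_response` is a hypothetical helper name, and the sample headers are constructed on the assumption that `$ENV{HTTPS}` was empty when the handler ran.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Audit one HTTP response for the two conditions raised in this thread:
#   1. a redirect that leaves https:// for http:// (scheme downgrade)
#   2. a Set-Cookie sent over https:// without the Secure attribute
# $request_url is the URL that was fetched; $headers is an array ref of
# [name, value] pairs, so repeated Set-Cookie headers are preserved.
sub audit_response {
    my ($request_url, $headers) = @_;
    my @findings;
    my $over_tls = $request_url =~ m{^https://}i;

    for my $pair (@$headers) {
        my ($name, $value) = @$pair;

        if (lc($name) eq 'location' && $over_tls && $value =~ m{^http://}i) {
            push @findings, "downgrade redirect: $request_url -> $value";
        }
        elsif (lc($name) eq 'set-cookie' && $over_tls) {
            # Attributes follow the first name=value pair, separated by ';'.
            my ($nv, @attrs) = split /\s*;\s*/, $value;
            my ($cookie_name) = $nv =~ /^\s*([^=]+)=/;
            my $secure = grep { /^secure$/i } @attrs;
            push @findings, "cookie '" . ($cookie_name // '?') . "' lacks Secure"
                unless $secure;
        }
    }
    return @findings;
}

# Constructed sample: the response the handler would emit if $ENV{HTTPS}
# were empty (assumption), so the cookie carries no Secure attribute.
my @sample = (
    ['Set-Cookie', 'hit42=cell7; domain=www.bbb.com; path=/; expires=Sat, 18-Oct-2003 10:00:00 GMT'],
    ['Location',   'http://www.ccc.com'],
);

print "$_\n" for audit_response('https://www.bbb.com/redirect', \@sample);
```

Feeding it the headers captured from the real /redirect response shows which of the two conditions the handler actually triggers.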