amt has asked for the wisdom of the Perl Monks concerning the following question:

Gentlemen,

Now that my application is moving into production, I need to make the login process a little more secure. Can someone please impart some knowledge, or direct me towards the answer to redirecting a page that is accessed with HTTP, to be redirected to HTTPS. Would I use CGI.pm's redirection?

Many thanks.

amt.


Re: Redirecting to HTTPS
by tachyon (Chancellor) on Oct 01, 2004 at 00:19 UTC

    Note that when moving from http to https you want your pages/templates to use relative links for JS, CSS, and images. If you have <img src="http://mysite.com/image.gif"> and call it via https your users will get a "This page contains secure and insecure items....." warning.

    cheers

    tachyon

Re: Redirecting to HTTPS
by ikegami (Patriarch) on Sep 30, 2004 at 21:09 UTC
    If the form itself is on an insecure page, and you want the form to be submitted to a secure script, you can simply set the action= to the HTTPS URL. As for redirecting to a secure site, CGI.pm's redirection works fine for HTTPS URLs:

    print $cgi->redirect('https://...') unless ($cgi->https());

      Hi,
      I have the form and submit to say http://myserver/mysite/logon.cgi, then I redirect using CGI.pm. Then would the context I hold in the request be carried over to the HTTPS?
      Regards,
      Swaroop

        How do you pass session around? hidden fields: works. cookies: I think http cookies are also sent to https. url field: works.

        Keep in mind that login.cgi should not *submit* to http: and then redirect to https:... It's already sent the login info in the clear!
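Putting the two points above together (redirect with CGI.pm only when the request did not arrive over TLS, and never forward credentials that were already posted in the clear), here is an added example that is not from the thread. It assumes the script is called login.cgi and that the web server sets the HTTPS environment variable for TLS requests, which is what CGI.pm's https() reads.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;

# require_https: if this request did not come in over TLS, send the client to
# the same URL on https:// and stop. $q->https() reflects the HTTPS environment
# variable; behind a TLS-terminating proxy that variable may be absent, in which
# case the server must be configured to set it (assumption of this example).
sub require_https {
    my ($q) = @_;
    return if $q->https();

    # A POST that arrived over plain HTTP has already exposed whatever it
    # carried. Redirecting it would only hide that; refuse it instead and let
    # the user reload the form securely.
    if ($q->request_method eq 'POST') {
        print $q->header(-status => '403 Forbidden', -type => 'text/plain');
        print "Submit the login form over HTTPS.\n";
        exit;
    }

    # Rebuild the current URL, path info and query string included, on https://
    # so the user lands on the same page rather than the site root.
    my $target = $q->url(-path_info => 1, -query => 1);
    $target =~ s{^http://}{https://};
    print $q->redirect(-uri => $target, -status => 301);
    exit;
}

require_https($cgi);

# Reached only over HTTPS. The form uses a relative action so it posts back to
# this same script on the same (secure) scheme and host.
print $cgi->header,
      $cgi->start_html('Login'),
      $cgi->start_form(-method => 'POST', -action => 'login.cgi'),
      'User: ', $cgi->textfield(-name => 'user'), $cgi->br,
      'Password: ', $cgi->password_field(-name => 'pass'), $cgi->br,
      $cgi->submit(-value => 'Log in'),
      $cgi->end_form,
      $cgi->end_html;
```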

Re: Redirecting to HTTPS
by Zed_Lopez (Chaplain) on Oct 01, 2004 at 00:41 UTC

    One note on user expectations: every browser I know of displays its security padlock icon based on whether the most recent response was delivered securely. They don't tell you anything about whether any forms you're about to submit will be submitted securely or not.

    So if your login page is delivered by an insecure server, but it submits the form to a secure server (which is fine from the perspective of actual security), the security icon will be off, and some people will think their password submission will be insecure.

    In short, deliver the page with the login form securely -- it'll make some users feel better.

Re: Redirecting to HTTPS
by dragonchild (Archbishop) on Sep 30, 2004 at 22:20 UTC
    This is something you want to do in the webserver. For example, I use Apache and I have a RedirectMatch on the insecure port to the secure port. That way, people can still use the insecure address, but are immediately redirected. I'm sure there's something similar in IIS and other webservers.

    Being right, does not endow the right to be rude; politeness costs nothing.
    Being unknowing, is not the same as being stupid.
    Expressing a contrary opinion, whether to the individual or the group, is more often a sign of deeper thought than of cantankerous belligerence.
    Do not mistake your goals as the only goals; your opinion as the only opinion; your confidence as correctness. Saying you know better is not the same as explaining you know better.

Re: Redirecting to HTTPS
by dws (Chancellor) on Oct 01, 2004 at 04:04 UTC

    On the off chance that you're using Apache and can edit /etc/httpd/conf/httpd.conf (or the equivalent), something like the following might work:

    RewriteEngine on
    RewriteRule (.*) https://%{HTTP_HOST}$1 [R]

    You might get by with putting this in a top-level .htaccess, though this might also require adding

    Options FollowSymLinks

    (At least that worked once for me, after wrestling with a cryptic error message.)

Re: Redirecting to HTTPS
by insensate (Hermit) on Sep 30, 2004 at 20:50 UTC
    It would help to know what webserver you are using.