ForceHTTPSLogin
#
# rt-3.4.5-ForceHTTPSLogin.patch
#
# Warning: this patch is under devel, barely tested!!!
#
# * 2005.01.13 Paulo Matos <paulo.matos@fct.unl.pt>
# - Updated to apply directly to 3.4.5.
# * 2005.01.06 Paulo Matos <paulo.matos@fct.unl.pt>
# - Redirect to https when credentials are not found;
# - Redirect to http when credentials are found;
# - Changed cookiename removing SERVER_PORT.
#
diff -uNr rt-3.4.5.orig/html/autohandler rt-3.4.5/html/autohandler
--- rt-3.4.5.orig/html/autohandler 2005-02-01 14:20:40.000000000 +0000
+++ rt-3.4.5/html/autohandler 2006-01-13 01:20:03.000000000 +0000
@@ -72,6 +72,11 @@
$m->comp('/Elements/SetupSessionCookie', %ARGS);
+# check credentials and HTTPS, if so redirect to HTTP
+if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id && $ENV{'HTTPS'}) {
+ $m->redirect('http://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+}
+
unless ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
$session{'CurrentUser'} = RT::CurrentUser->new();
}
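Review bot: The added block at the top of this hunk sends every authenticated HTTPS request back to `http://`, so after login the session cookie travels in cleartext on each request and only the password is protected in transit. The SetupSessionCookie hunk further down fixes the cookie name suffix to `'0000'` so the same cookie is accepted on both schemes, which is what lets the downgrade work. I would drop this block and keep authenticated sessions on HTTPS; if the downgrade is a deliberate trade-off, say so in place, e.g. `# WARNING: session cookie is sent unencrypted after this redirect`. The enclosing init section starts and ends outside the hunk.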
@@ -218,6 +223,10 @@
# If we have no credentials
else {
+ # check if we are in HTTPS mode
+ if (! $ENV{'HTTPS'} ) {
+ $m->redirect('https://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+ }
$m->comp('/Elements/Login', %ARGS);
$m->abort();
}
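Review bot: The `https://` target in the added `if (! $ENV{'HTTPS'} )` block is built from `$ENV{SERVER_NAME}` and `$ENV{REQUEST_URI}`, and the same construction is used for the `http://` redirect in the first autohandler hunk. Depending on web-server configuration the server name may follow the client's Host header, so the host should come from a configured value rather than the request; the code also assumes the default port for the target scheme. `$ENV{'HTTPS'}` is presumably unset when TLS is terminated by a front-end proxy, in which case this branch would redirect on every unauthenticated request. A comment such as `# assumes TLS terminates on this server and SERVER_NAME is the canonical host` would record the assumptions. The enclosing else branch starts outside the hunk.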
diff -uNr rt-3.4.5.orig/html/Elements/SetupSessionCookie rt-3.4.5/html/Elements/SetupSessionCookie
--- rt-3.4.5.orig/html/Elements/SetupSessionCookie 2005-04-18 02:44:50.000000000 +0100
+++ rt-3.4.5/html/Elements/SetupSessionCookie 2006-01-13 01:20:03.000000000 +0000
@@ -47,7 +47,9 @@
return if $m->is_subrequest; # avoid reentrancy, as suggested by masonbook
my %cookies = CGI::Cookie->fetch();
-my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+# removed SERVER_PORT from cookie name so it can be valid on HTTP and HTTPS
+#my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+my $cookiename = "RT_SID_".$RT::rtname.".".'0000';
my %backends = (
mysql => 'Apache::Session::MySQL',
Pg => 'Apache::Session::Postgres',