[rt-users] RT Login Page with SSL

Eliezer E Chávez eliezer.chavez at gmail.com
Fri Jan 23 09:53:01 EST 2009


I have found this, but I'm not sure how to apply it in my 3.8.2 installation...

#
# rt-3.4.4-ForceHTTPSLogin.patch
#
# Warning: this patch is under devel, barely tested!!!
#
# * 2005.01.06 Paulo Matos <paulo.matos at fct.unl.pt>
# - Redirect to https when credentials are not found;
# - Redirect to http when credentials are found;
# - Changed cookiename removing SERVER_PORT.
#
diff -uNr rt-3.4.4.orig/html/autohandler rt-3.4.4/html/autohandler
--- rt-3.4.4.orig/html/autohandler	2005-02-01 14:20:40.000000000 +0000
+++ rt-3.4.4/html/autohandler	2006-01-06 03:51:29.000000000 +0000
@@ -72,6 +72,11 @@

 $m->comp('/Elements/SetupSessionCookie', %ARGS);

+# check credentials and HTTPS, if so redirect to HTTP
+if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id && $ENV{'HTTPS'}) {
+    $m->redirect('http://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+}
+
 unless ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
     $session{'CurrentUser'} = RT::CurrentUser->new();
 }
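
Review bot: The added `if` block ahead of the `unless` sends every authenticated request that arrives over HTTPS back to `http://`, so after login the session cookie and all page content travel in cleartext and only the credential submission is protected. I would drop this block and keep the session on HTTPS once the user is logged in. As written it also rebuilds the URL from SERVER_NAME and REQUEST_URI with no port, so it only works when both schemes run on their default ports.
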
@@ -218,6 +223,10 @@

 # If we have no credentials
 else {
+    # check if we are in HTTPS mode
+    if (! $ENV{'HTTPS'} ) {
+         $m->redirect('https://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+    }
     $m->comp('/Elements/Login', %ARGS);
     $m->abort();
 }
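
Review bot: The `! $ENV{'HTTPS'}` test in the no-credentials branch depends on the web server exporting HTTPS for TLS requests; if TLS is terminated in front of RT the variable is never set and this redirect repeats on every request. Please note that requirement in the comment, or enforce the scheme in the web server configuration rather than in the autohandler. The redirect also fires for any unauthenticated request, including a POST, whose body a redirect does not carry over, and like the first hunk it builds the target from SERVER_NAME without a port.
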
diff -uNr rt-3.4.4.orig/html/Elements/SetupSessionCookie
rt-3.4.4/html/Elements/SetupSessionCookie
--- rt-3.4.4.orig/html/Elements/SetupSessionCookie	2005-04-18
02:44:50.000000000 +0100
+++ rt-3.4.4/html/Elements/SetupSessionCookie	2006-01-06
03:51:46.000000000 +0000
@@ -47,7 +47,9 @@
 return if $m->is_subrequest; # avoid reentrancy, as suggested by masonbook

 my %cookies = CGI::Cookie->fetch();
-my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+# removed SERVER_PORT from cookie name so it can be valid on HTTP and HTTPS
+#my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+my $cookiename = "RT_SID_".$RT::rtname.".".'0000';
 my %backends = (
     mysql	=> 'Apache::Session::MySQL',
     Pg		=> 'Apache::Session::Postgres',
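
Review bot: Fixing the suffix to '0000' at the `$cookiename` assignment makes one session cookie valid on both HTTP and HTTPS, which means the session id issued after an HTTPS login is also sent on plain HTTP requests and cannot be restricted to secure connections. It also removes what SERVER_PORT provided: two RT instances with the same `$RT::rtname` on different ports of one host would now share a cookie name. I would keep the name scheme-specific and serve the whole session over HTTPS; if the change stays, delete the commented-out old line instead of leaving it in, and explain the '0000' literal.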


Regards,

On Fri, Jan 23, 2009 at 10:02 AM, Emmanuel Lacour
<elacour at easter-eggs.com> wrote:

> On Fri, Jan 23, 2009 at 09:57:41AM -0430, Eliezer E Chávez wrote:
> > But after the login, the page will return to http?
> >
>
> humm, no because it's the same url :(
>
> you can also modify the login page to do the POST using https, but that
> doesn't solve this.
>
> sure it's possible, but that will need more modifications I think and I
> don't have yet enough time to find which :/
>
> or ... use full https for your RT ;)



-- 
Eliezer E Chávez
+58-416-6125676
eliezer.chavez at gmail.com
>>http://www.bumeran.com.ve/cv/eliezer-chavez