Redirecting from HTTP to HTTPS w/ Simple Auth

I was hoping to get some recommendations on how to approach redirecting users from HTTP to HTTPS using an ember initializer with ember-simple-auth.

```coffeescript
import ENV from 'cio/config/environment'

SSLInitializer =
  name: 'ssl'
  # Run before the cookie store is set up
  before: 'simple-auth-cookie-store'
  initialize: (container, application) ->
    application.deferReadiness()

    # Redirect if hitting HTTP and SSL is enabled
    if ENV.SSL and window.location.protocol is "http:"
      window.location.href = "https:" + window.location.href.substring(window.location.protocol.length)
      # Leave readiness deferred; the page is being replaced by the HTTPS load
      return false

    application.advanceReadiness()

export default SSLInitializer
```

But it seems that the cookie gets invalidated even when the if statement evaluates to true. I've tried several things, including:

  • before: 'simple-auth'
  • before: 'store'
  • application.destroy() within the if statement, before the window.location.href is set

From what I can tell after debugging, the app does redirect to HTTPS, but then the cookieName is not found in document.cookie (https://github.com/simplabs/ember-simple-auth/blob/master/packages/ember-simple-auth-cookie-store/lib/simple-auth-cookie-store/stores/cookie.js#L154).

Before, this method worked because we had a simple snippet in the index.html, but w/ CSP we'd like to keep it in an initializer. Any recommendations?

Thanks!

alvincrespo asked Dec 19 '14 14:12



1 Answer

You really should be forcing a redirect from HTTP to HTTPS from the server as doing it from the client does not add any real security.

Think about it, the user has downloaded the application to their browser from an insecure endpoint and from then on nothing can be trusted. Even a server based redirect is problematic since it relies on the redirect advice from an untrusted endpoint. Users should really be accessing things from an initial trusted starting point otherwise all bets are off. This is known as the secure referral problem and will likely never be solved because of the business model behind SSL certificates.

You also shouldn't really trust cookies from the untrusted HTTP domain in the trusted HTTPS domain unless you have a way to authenticate those cookies on the client. Sharing of cookies between HTTP/HTTPS is covered in RFC 2109 (Section 4.2.2 Set-Cookie Syntax).

This means:

  • A cookie set with "Secure" will be available only on HTTPS.
  • A cookie set without "Secure" will be available on either HTTP or HTTPS.

Andrew Hacking answered Oct 23 '22 20:10
