[Zope] Re: SSL Redirect for CookieCrumbler
Josef Meile
jmeile at hotmail.com
Fri Jun 16 12:03:40 EDT 2006
> I need to redirect all my http requests to the login_form of the
> CookieCrumbler to https, so, I wrote this rule in apache:
>
> RewriteRule ^/login/login_form(.*) https://server/login/login_form$1 [NE,L]
>
> It authenticates me through ssl, but then it comes back to http. I saw that
> the problem is that the came_from variable refers to the original http
> request; something like this:
>
> https://server/login/login_form?came_from=http%3A//server/page&retry=&disable_cookie_login__=1

Ok, finally I found a way of correcting this behavior without modifying
my original RewriteRule. I added a new boolean attribute to the
CookieCrumbler class: "ssl_redirect". If it is set, then the http part
in the came_from variable will be replaced by https. All this would be
done inside the getUnauthorizedURL method of the CookieCrumbler class
(see the attachment).

If you think there is a better way of doing this, please let me know.

Regards
Josef

Note: The patch was done for the CookieCrumbler v1.2
-------------- next part --------------
diff -Naur CookieCrumbler_old/CookieCrumbler.py CookieCrumbler_new/CookieCrumbler.py
--- CookieCrumbler_old/CookieCrumbler.py 2004-06-14 18:34:36.000000000 +0200
+++ CookieCrumbler_new/CookieCrumbler.py 2006-06-16 17:34:04.000000000 +0200
@@ -83,6 +83,9 @@
'label':'Use cookie paths to limit scope'},
{'id':'cache_header_value', 'type': 'string', 'mode':'w',
'label':'Cache-Control header value'},
+ #SSL Redirection from Josef Meile
+ {'id':'ssl_redirect', 'type': 'boolean', 'mode':'w',
+ 'label':'Use ssl after login'},
)
auth_cookie = '__ac'
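Review bot: The label 'Use ssl after login' on the new ssl_redirect property does not say what the flag does; going by the rest of the patch it rewrites an http came_from to https, so a label such as 'Rewrite came_from to https' would be clearer to whoever sets it in the properties form. The '#SSL Redirection from Josef Meile' attribution comment belongs in the change log rather than inside the property tuple.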
@@ -95,6 +98,9 @@
local_cookie_path = 0
cache_header_value = 'no-cache'
+ #Patch from Josef Meile
+ ssl_redirect = 0
+
security.declarePrivate('delRequestVar')
def delRequestVar(self, req, name):
# No errors of any sort may propagate, and we don't care *what*
@@ -315,6 +321,11 @@
came_from = req.get('came_from', None)
if came_from is None:
came_from = req.get('URL', '')
+
+ #Patch from Josef Meile in order to redirect to ssl if using http
+ if self.ssl_redirect and came_from.startswith('http:'):
+ came_from = 'https' + came_from[4:]
+
query = req.get('QUERY_STRING')
if query:
# Include the query string in came_from
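Review bot: The check `came_from.startswith('http:')` in this hunk is a case-sensitive prefix match on a value that can come straight from the request (`req.get('came_from', None)`), so a came_from written as 'HTTP://...' stays on http, and one carrying an explicit port, for example http://server:8080/page, becomes https://server:8080/page, which is unlikely to be the SSL listener. Suggest parsing the URL, comparing the scheme in lower case and rebuilding the host part for the https port instead of slicing `came_from[4:]`. The inline attribution comment would be better placed in the change log.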
@@ -371,6 +382,14 @@
return p.get('label', id)
return id
+ #Patch from Josef Meile
+ def __setstate__(self,state):
+ #This method adds new attributes and deletes old ones each time
+ #that you view old instances of the class
+ Folder.__setstate__(self,state)
+ if not hasattr(self,'ssl_redirect'):
+ self.ssl_redirect = 0
+
Globals.InitializeClass(CookieCrumbler)
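Review bot: The `if not hasattr(self,'ssl_redirect')` branch in `__setstate__` cannot fire, because the second hunk adds `ssl_redirect = 0` as a class attribute and hasattr also finds class attributes, so old instances already read 0 without any migration. Suggest dropping the `__setstate__` override. If it stays, its comment ("adds new attributes and deletes old ones") should match the code, which deletes nothing, and the call to `Folder.__setstate__` should be checked against the class's base classes, which are not visible in this diff.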
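A stricter form of the came_from scheme rewrite described in this message, as an added example that is not part of the original post or of CookieCrumbler. It goes beyond the patch by also checking the host; `upgrade_came_from`, `SITE_HOST` and `HTTPS_PORT` are hypothetical names, and it uses Python 3's `urllib.parse` rather than the Python 2 of CookieCrumbler v1.2.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment values (hypothetical, not taken from the original post).
SITE_HOST = "server"
HTTPS_PORT = 443


def upgrade_came_from(came_from, site_host=SITE_HOST, https_port=HTTPS_PORT):
    """Return came_from forced onto https, or None if it must not be used.

    None is returned for anything that is not an absolute http(s) URL on
    site_host, so the caller can fall back to a fixed landing page.
    """
    parts = urlsplit(came_from)

    # urlsplit lowercases the scheme, so 'HTTP://...' is matched as well.
    if parts.scheme not in ("http", "https"):
        return None

    # .hostname drops userinfo and port and is lowercased.
    host = parts.hostname or ""
    if host != site_host.lower():
        return None

    # Rebuild the netloc for the SSL listener instead of keeping an http port
    # such as :8080, which a plain prefix swap would carry over.
    netloc = host if https_port == 443 else "%s:%d" % (host, https_port)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values for illustration.
    for sample in ("http://server/page",
                   "HTTP://Server:8080/page?a=1",
                   "http://other.example/page",
                   "/page"):
        print(repr(sample), "->", repr(upgrade_came_from(sample)))
```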