Ticket #276 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

HTTPS for all Authenticated Sessions

Reported by: chris Owned by: chris
Priority: major Milestone: Phase 4
Component: Drupal modules & settings Keywords:
Cc: ed,jim Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 2.15

Description

I'm starting a separate ticket on this so it's easier to track; some previous discussion is on ticket:224#comment:8

Change History

comment:1 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

The Session 443 module http://drupal.org/project/session443 is installed and enabled, there are no apache level redirects from http to https and the secure pages module isn't installed any more, so everything should work OK... but...

One problem, if you login here:

https://dev.transitionnetwork.org/user/login

Two secure cookies are set, everything seems fine (apart from the ticket:277 which I'm ignoring for now).

Then if you visit the http version of the site, http://dev.transitionnetwork.org/ an insecure Drupal session cookie is set which then in effect logs you out from the site when you go back to a https page.

Perhaps the switch for varnish ticket:224 for port 80 and removing all session cookies at a varnish level would solve this, or perhaps it can be solved at a Drupal level?

Is there a way to not generate session cookies for anon users?

I'll do some searching...

comment:2 Changed 5 years ago by jim

There's http://drupal.org/project/no_anon with side effects unknown (but I can't think of any off the top of my head) and further info here http://groups.drupal.org/node/66888

comment:3 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.25 to 0.35

> There's http://drupal.org/project/no_anon with side effects unknown (but I can't think of any off the top of my head)

Ooh that sounds good, it would be nice if we didn't have to remove cookies at a Varnish level and this module could solve the issue with people being logged out, would you be OK installing this module so we can experiment with it?

comment:4 Changed 5 years ago by jim

I've pushed the module through SVN to DEV, and enabled it.

comment:5 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.35 to 0.45

> I've pushed the module through SVN to DEV, and enabled it.

Does it have an admin interface?

I'm still seeing cookies being set for anon users.

comment:6 Changed 5 years ago by jim

No admin interface... I'm seeing session cookies only be created occasionally. Other cookies pop up, but they're from Google etc.

Actually Pressflow (as is now running on DEV and LIVE) provides two interesting modules:

  • Cookie cache bypass - Sets a cookie on form submission directing a reverse proxy to temporarily not serve cached pages for an anonymous user that just submitted content.
  • Path alias cache - A path alias implementation which adds a cache to the core version.

And apparently Pressflow already has lazy anon session creation - only when needed, which explains why the session cookie is only there sometimes (try deleting it in Chrome/whatever and moving around - only certain pages/operation create a session).

So I have a feeling this No Anon Session stuff is a dead end because a) Pressflow already minimises session creation (https://wiki.fourkitchens.com/display/PF/Comparison+-+Pressflow+versus+Drupal), b) We need anon sessions sometimes - like after a user sends a message, or for CAPTCHA etc, c) I have a suspicion more stuff will break, d) The module hasn't been touched for a long time and is effectively abandoned.


Soooo.... Shall we try to set up Varnish to allow a few cookies, perhaps enabling the above modules? Is that a huge PITA? What do you reckon?

comment:7 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.45 to 0.55

> I'm seeing session cookies only be created occasionally.

That's now what I see, if I delete the browser's cookies for the domain and hit http://dev.transitionnetwork.org/ I get a session cookie set straight away.

> We need anon sessions sometimes - like after a user sends a message, or for CAPTCHA etc

Shouldn't messages be sent only via HTTPS? And the same for CAPTCHA?

> Shall we try to set up Varnish to allow a few cookies

Which ones? This is doable but I'm not sure it's necessary yet...

comment:8 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.55 to 0.65

I have added a Redirect for port 80 requests to /contact:

RedirectPermanent /contact https://dev.transitionnetwork.org/contact

To see if this works OK, does the map still work? No-script blocks it for me in any case.

comment:9 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.3
  • Total Hours changed from 0.65 to 0.95

The contact form seems to work fine with HTTPS:

From: info@transitionnetwork.org
Date: Thu, 23 Jun 2011 14:06:48 +0100 (BST)
To: "Chris Croome" <chris@webarchitects.co.uk>
Subject: [General enquiry] Testing HTTPS on https://dev.transitionnetwork.org/

Thank you for your enquiry. We will get back to you shortly. If you don't get
an instant reply, don't panic! We have got a lot on our plates and we are
juggling most of them.
Thanks.

comment:10 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 1.0
  • Total Hours changed from 0.95 to 1.95

Adding HTTPS meeting time and notes to the ticket:

AGREED: Security: all authenticated sessions via https

AGREED: Security: some exceptions for port 80 where cookies can be set to allow specific funct. to work

AGREED: Security: non-authenticated sessions are not via https, apart from contact us, and registration, login, password recovery

AGREED: pay for mollom now until September, then revisit with bad behaviour and spam module in phase 5 in september

AGREED: Security agreement will mean logged in users on IE looking at maps could have the (in)secure warning. EM accepts in order to keep tight security for all others, particularly admin roles in unsecured connections

ACTION: EM minimise admin roles

ACTION: EM take screengrab for contact form

ACTION: JK pay for mollom and bill TN at end of phase (separate to Ttech invoice for work)

PHASE 5: open street map possibility

PHASE 5: Iceland hosting move possibility

PHASE 5: Bad Behaviour and Spam module review to replace mollom

comment:11 Changed 5 years ago by jim

FYI Both modules described in ticket:276#comment:6 have been enabled on live... The path cache is likely to much improve things...

comment:12 Changed 5 years ago by jim

Chris, do we think the No Anon Sessions module is any use? Have a suspicion it's incompatible with Pressflow, which itself uses 'lazy sessions'... Shall I remove it?

comment:13 Changed 5 years ago by chris

Yeah might as well -- it didn't stop anon session cookies in any case...

comment:14 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 1.95 to 2.05

We can't set this in Session 443 to Enabled if we want the contact form to be encrypted -- it results in a redirect loop, so I have turned it off.

Force HTTP for anonymous users: Disabled

https://dev.transitionnetwork.org/admin/settings/session443

comment:15 Changed 5 years ago by jim

It's gone and removed from SVN.

Understood re anon http... Perhaps a Drupal-level bit of code, something like: if viewing a node in HTTPS (ie not a system page or contact form) and not logged in, redirect to non HTTPS...?

comment:16 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 2.05 to 2.15

The forms for contacting users, eg:

http://dev.transitionnetwork.org/user/6/contact

Can be made HTTPS only with this rule:

  RedirectMatch /(.*)\/contact$ https://dev.transitionnetwork.org/$1/contact

Any other pages need to be HTTPS only?

comment:17 Changed 5 years ago by jim

user/login
user/registration
user/password

Can't think of any more at the mo...
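
A coverage check for the port-80 redirects discussed in comments 8, 16 and 17, added here as an example and not part of the original ticket. It is a simplified Python model of how mod_alias matches `RedirectPermanent` and `RedirectMatch`; the names `redirect_for` and `uncovered` are hypothetical, and it assumes no other rewrite rules apply on port 80.

```python
import re

HOST = "https://dev.transitionnetwork.org"

# Port-80 rules quoted in comments 8 and 16: (directive, pattern, target).
RULES = [
    ("RedirectPermanent", "/contact", HOST + "/contact"),
    ("RedirectMatch", r"/(.*)\/contact$", HOST + "/$1/contact"),
]

# Paths the thread wants HTTPS-only (spelled as in the ticket);
# /user/6/contact is the sample URL from comment 16.
HTTPS_ONLY = ["/contact", "/user/6/contact", "/user/login",
              "/user/registration", "/user/password"]


def redirect_for(path, rules=RULES):
    """Return the Location a port-80 request for `path` would get, or None."""
    for directive, pattern, target in rules:
        if directive == "RedirectMatch":
            # The regex is applied to the URL-path and is not anchored at the start.
            m = re.search(pattern, path)
            if m:
                # Expand $1..$9 back-references in the target.
                return re.sub(r"\$(\d)", lambda r: m.group(int(r.group(1))), target)
        else:
            # Redirect/RedirectPermanent match whole path segments and
            # append whatever follows the matched prefix to the target.
            if path == pattern or path.startswith(pattern.rstrip("/") + "/"):
                return target + path[len(pattern):]
    return None


def uncovered(paths=HTTPS_ONLY, rules=RULES):
    """Paths from the HTTPS-only list that would still be served over HTTP."""
    return [p for p in paths if redirect_for(p, rules) is None]


if __name__ == "__main__":
    for p in HTTPS_ONLY:
        print(f"{p:22} -> {redirect_for(p) or 'served over HTTP'}")
    print("not yet redirected:", uncovered())
```

The `RedirectMatch` pattern needs a slash on both sides of the captured segment, so it does not match the site-wide `/contact` on its own; that path is only covered by the separate `RedirectPermanent` rule.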

comment:18 Changed 5 years ago by ed

ed has replaced the google map with an image
(tried it with open street map which returned an inaccurate result)

comment:19 Changed 5 years ago by ed

  • Status changed from new to closed
  • Resolution set to fixed