Ticket #276 (closed defect: fixed)
HTTPS for all Authenticated Sessions
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | Phase 4 |
| Component: | Drupal modules & settings | Keywords: | |
| Cc: | ed,jim | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 2.15 |
Description
I'm starting a separate ticked on this so it's easier to track, some previous discussion is on ticket:224#comment:8
Change History
comment:1 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.0 to 0.25
comment:2 Changed 5 years ago by jim
There's http://drupal.org/project/no_anon with side effects unknown (but I can't think of any off the top of my head) and further info here http://groups.drupal.org/node/66888
comment:3 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.25 to 0.35
There's http://drupal.org/project/no_anon with side effects unknown (but I can't think of any off the top of my head)
Ooh that sounds good, it would be nice if we didn't have to remove cookies at a Varnish level and this module could solve the issue with people being logged out, would you be OK installing this module so we can experiment with it?
comment:5 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.35 to 0.45
I've pushed the module through SVN to DEV, and enabled it.
Does it have an admin interface?
I'm still seeing cookies being set for anon users.
comment:6 Changed 5 years ago by jim
No admin interface... I'm seeing session cookies only be created occasionally. Other cookies pop up, but they're from Google etc.
Actually Pressflow (as is now running on DEV and LIVE) provides two interesting modules:
- Cookie cache bypass -Sets a cookie on form submission directing a reverse proxy to temporarily not serve cached pages for an anonymous user that just submitted content.
- Path alias cache - A path alias implementation which adds a cache to the core version.
And apparently Pressflow already has lazy anon session creation - only when needed, which explains why the session cookie is only there sometimes (try deleting it in Chrome/whatever and moving around - only certain pages/operation create as session).
So I have a feeling this No Anon Session stuff is a dead end because a) Pressflow already minimises session creation (https://wiki.fourkitchens.com/display/PF/Comparison+-+Pressflow+versus+Drupal), b) We need anon sessions sometimes - like after a user sends a message, or for CAPTCHA etc, c) I have a suspicion more stuff will break, d) The module hasn't been touched for a long time and is effectively abandoned.
Soooo.... Shall we try to set up Varnish to allow a few cookies, perhaps enabling the above modules? Is that a huge PITA? What do you reckon?
comment:7 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.45 to 0.55
I'm seeing session cookies only be created occasionally.
That's now what I see, if I delete the browsers cookies for the domain and hit http://dev.transitionnetwork.org/ I get a session cookie set straight away.
We need anon sessions sometimes - like after a user sends a message, or for CAPTCHA etc
Shouldn't messages be sent only via HTTPS? And the same for CAPTCHA?
Shall we try to set up Varnish to allow a few cookies
Which ones? This is doable but I'm not sure it's necessary yet...
comment:8 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.55 to 0.65
I have added a Redirect for port 80 requests to /contact:
RedirectPermanent /contact https://dev.transitionnetwork.org/contact
To see if this works OK, does the map still work? No-script blocks it for me in any case.
comment:9 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.3
- Total Hours changed from 0.65 to 0.95
The contact form seems to work fine with HTTPS:
From: info@transitionnetwork.org Date: Thu, 23 Jun 2011 14:06:48 +0100 (BST) To: "Chris Croome" <chris@webarchitects.co.uk> Subject: [General enquiry] Testing HTTPS on https://dev.transitionnetwork.org/ Thank you for your enquiry. We will get back to you shortly. If you don't get an instant reply, don't panic! We have got a lot on our plates and we are juggling most of them. Thanks.
comment:10 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 1.0
- Total Hours changed from 0.95 to 1.95
Adding HTTPS meeting time and notes to the ticket:
AGREED: Security: all authenticated sessions via https
AGREED: Security: some exceptions for port 80 where cookies can be set to allow specific funct. to work
AGREED: Security: non-authenticated sessions are not via https, apart from contact us, and registration, login, passwrod recovery
AGREED: pay for mollom now until September, then revisit with bad behaviour and spam module in phase 5 in september
AGREED: Security agreement will mean logged in users on IE looking at maps could have the (in)secure warning. EM accepts in order to keep tight security for all others, particularly admin roles in unsecured connections
ACTION: EM minimise admin roles
ACTION: EM take screngrab for contact form
ACTION; JK pay for mollom and bill TN at end of phase (separate to Ttech invoice for work)
PHASE 5: open street map possibility
PHASE 5: Iceland hosting move possibility
PHASE 5: Bad Behaviour and Spam module review to replace mollom
comment:11 Changed 5 years ago by jim
FYI Both modules described in ticket:276#comment:6 have been enabled on live... The path cache is likely to much improve things...
comment:12 Changed 5 years ago by jim
Chris, do we think the No Anon Sessions module is any use? Have a suspicion it's incompatible with Pressflow, which itself uses 'lazy sessions'... Shall I remove it?
comment:13 Changed 5 years ago by chris
Yeah might as well -- it didn't stop anon session cookies in any case...
comment:14 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 1.95 to 2.05
We can't set this in Session 443 to Enabled if we want the contact form to be encrypted -- it results in a redirect loop, so I have turned it off.
Force HTTP for anonymous users: Disabled
https://dev.transitionnetwork.org/admin/settings/session443
comment:15 Changed 5 years ago by jim
It's gone and removed from SVN.
Understood re anon http... Perhaps a Drupal-level bit of code, something like: if viewing a node in HTTPS (ie not a system page or contact form) and not logged in, redirect to non HTTPS...?
comment:16 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 2.05 to 2.15
The forms for contacting users, eg:
http://dev.transitionnetwork.org/user/6/contact
Can be made HTTPS only with this rule:
RedirectMatch /(.*)\/contact$ https://dev.transitionnetwork.org/$1/contact
Any other pages need to be HTTPS only?
comment:17 Changed 5 years ago by jim
user/login
user/registration
user/password
Can't think of any more at the mo...
comment:18 Changed 5 years ago by ed
ed has replaced the google map with an image
(tried it with open street map which returned an inaccurate result)
The Session 443 module http://drupal.org/project/session443 is installed and enabled, there are no apache level redirects from http to https and the secure pages module isn't installed any more, so eveything should work OK... but...
One problem, if you login here:
https://dev.transitionnetwork.org/user/login
Two secure cookies are set, everything seems fine (apart from the ticket:277 which I'm ignoring for now).
Then if you visit the http version of the site, http://dev.transitionnetwork.org/ an insecure Drupal session cookie is set which then in effect logs you out from the site when you go back to a https page.
Perhaps the switch for varnish ticket:224 for port 80 and removing all session cookies at a varnish level would solve this, or perhaps it can be solved at a Drupal level?
Is there a way to not generate session cookies for anon users?
I'll do some searching...