Transition Technology: Ticket #276: HTTPS for all Authenticated Sessions

hours, totalhours changed

chris — Thu, 23 Jun 2011 10:42:25 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.0 to 0.25

The Session 443 module http://drupal.org/project/session443 is installed and enabled, there are no apache level redirects from http to https and the secure pages module isn't installed any more, so eveything should work OK... but...

One problem, if you login here:

https://dev.transitionnetwork.org/user/login

Two secure cookies are set, everything seems fine (apart from the ticket:277 which I'm ignoring for now).

Then if you visit the http version of the site, http://dev.transitionnetwork.org/ an insecure Drupal session cookie is set which then in effect logs you out from the site when you go back to a https page.

Perhaps the switch for varnish ticket:224 for port 80 and removing all session cookies at a varnish level would solve this, or perhaps it can be solved at a Drupal level?

Is there a way to not generate session cookies for anon users?

I'll do some searching...

jim — Thu, 23 Jun 2011 11:37:41 GMT

There's http://drupal.org/project/no_anon with side effects unknown (but I can't think of any off the top of my head) and further info here http://groups.drupal.org/node/66888

hours, totalhours changed

chris — Thu, 23 Jun 2011 11:51:59 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.25 to 0.35

There's http://drupal.org/project/no_anon with side effects unknown (but I can't think of any off the top of my head)

Ooh that sounds good, it would be nice if we didn't have to remove cookies at a Varnish level and this module could solve the issue with people being logged out, would you be OK installing this module so we can experiment with it?

jim — Thu, 23 Jun 2011 12:11:44 GMT

I've pushed the module through SVN to DEV, and enabled it.

hours, totalhours changed

chris — Thu, 23 Jun 2011 12:20:32 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.35 to 0.45

I've pushed the module through SVN to DEV, and enabled it.

Does it have an admin interface?

I'm still seeing cookies being set for anon users.

jim — Thu, 23 Jun 2011 12:53:06 GMT

No admin interface... I'm seeing session cookies only be created occasionally. Other cookies pop up, but they're from Google etc.

Actually Pressflow (as is now running on DEV and LIVE) provides two interesting modules:

Cookie cache bypass -Sets a cookie on form submission directing a reverse proxy to temporarily not serve cached pages for an anonymous user that just submitted content.
Path alias cache - A path alias implementation which adds a cache to the core version.

And apparently Pressflow already has lazy anon session creation - only when needed, which explains why the session cookie is only there sometimes (try deleting it in Chrome/whatever and moving around - only certain pages/operation create as session).

So I have a feeling this No Anon Session stuff is a dead end because a) Pressflow already minimises session creation (https://wiki.fourkitchens.com/display/PF/Comparison+-+Pressflow+versus+Drupal), b) We need anon sessions sometimes - like after a user sends a message, or for CAPTCHA etc, c) I have a suspicion more stuff will break, d) The module hasn't been touched for a long time and is effectively abandoned.

Soooo.... Shall we try to set up Varnish to allow a few cookies, perhaps enabling the above modules? Is that a huge PITA? What do you reckon?

hours, totalhours changed

chris — Thu, 23 Jun 2011 12:59:00 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.45 to 0.55

I'm seeing session cookies only be created occasionally.

That's now what I see, if I delete the browsers cookies for the domain and hit http://dev.transitionnetwork.org/ I get a session cookie set straight away.

We need anon sessions sometimes - like after a user sends a message, or for CAPTCHA etc

Shouldn't messages be sent only via HTTPS? And the same for CAPTCHA?

Shall we try to set up Varnish to allow a few cookies

Which ones? This is doable but I'm not sure it's necessary yet...

hours, totalhours changed

chris — Thu, 23 Jun 2011 13:06:09 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.55 to 0.65

I have added a Redirect for port 80 requests to /contact:

RedirectPermanent /contact https://dev.transitionnetwork.org/contact

To see if this works OK, does the map still work? No-script blocks it for me in any case.

hours, totalhours changed

chris — Thu, 23 Jun 2011 13:26:21 GMT

hours changed from 0.0 to 0.3
totalhours changed from 0.65 to 0.95

The contact form seems to work fine with HTTPS:

From: info@transitionnetwork.org
Date: Thu, 23 Jun 2011 14:06:48 +0100 (BST)
To: "Chris Croome" <chris@webarchitects.co.uk>
Subject: [General enquiry] Testing HTTPS on https://dev.transitionnetwork.org/
Thank you for your enquiry. We will get back to you shortly. If you don't get
an instant reply, don't panic! We have got a lot on our plates and we are
juggling most of them.
Thanks.

hours, totalhours changed

chris — Thu, 23 Jun 2011 14:27:55 GMT

hours changed from 0.0 to 1.0
totalhours changed from 0.95 to 1.95

Adding HTTPS meeting time and notes to the ticket:

AGREED: Security: all authenticated sessions via https

AGREED: Security: some exceptions for port 80 where cookies can be set to allow specific funct. to work

AGREED: Security: non-authenticated sessions are not via https, apart from contact us, and registration, login, passwrod recovery

AGREED: pay for mollom now until September, then revisit with bad behaviour and spam module in phase 5 in september

AGREED: Security agreement will mean logged in users on IE looking at maps could have the (in)secure warning. EM accepts in order to keep tight security for all others, particularly admin roles in unsecured connections

ACTION: EM minimise admin roles

ACTION: EM take screngrab for contact form

ACTION; JK pay for mollom and bill TN at end of phase (separate to Ttech invoice for work)

PHASE 5: open street map possibility

PHASE 5: Iceland hosting move possibility

PHASE 5: Bad Behaviour and Spam module review to replace mollom

jim — Thu, 23 Jun 2011 15:13:04 GMT

FYI Both modules described in ticket:276#comment:6 have been enabled on live... The path cache is likely to much improve things...

jim — Fri, 24 Jun 2011 12:24:05 GMT

Chris, do we think the No Anon Sessions module is any use? Have a suspicion it's incompatible with Pressflow, which itself uses 'lazy sessions'... Shall I remove it?

chris — Fri, 24 Jun 2011 12:32:55 GMT

Yeah might as well -- it didn't stop anon session cookies in any case...

hours, totalhours changed

chris — Fri, 24 Jun 2011 14:35:36 GMT

hours changed from 0.0 to 0.1
totalhours changed from 1.95 to 2.05

We can't set this in Session 443 to Enabled if we want the contact form to be encrypted -- it results in a redirect loop, so I have turned it off.

Force HTTP for anonymous users: Disabled

https://dev.transitionnetwork.org/admin/settings/session443

jim — Fri, 24 Jun 2011 15:44:30 GMT

It's gone and removed from SVN.

Understood re anon http... Perhaps a Drupal-level bit of code, something like: if viewing a node in HTTPS (ie not a system page or contact form) and not logged in, redirect to non HTTPS...?

hours, totalhours changed

chris — Mon, 27 Jun 2011 08:27:20 GMT

hours changed from 0.0 to 0.1
totalhours changed from 2.05 to 2.15

The forms for contacting users, eg:

http://dev.transitionnetwork.org/user/6/contact

Can be made HTTPS only with this rule:

  RedirectMatch /(.*)\/contact$ https://dev.transitionnetwork.org/$1/contact

Any other pages need to be HTTPS only?

jim — Mon, 27 Jun 2011 11:01:28 GMT

user/login user/registration user/password

Can't think of any more at the mo...

ed — Mon, 27 Jun 2011 13:20:38 GMT

ed has replaced the google map with an image (tried it with open street map which returned an inaccurate result)

status changed; resolution set

ed — Tue, 13 Sep 2011 15:25:15 GMT

status changed from new to closed
resolution set to fixed