Force all connections to use SSL


Ross Peoples

Dec 9, 2011, 1:11:50 PM12/9/11
to web2py-d...@googlegroups.com
A couple of projects I have created are required to run only over HTTPS. I have noticed that I am using this more and more and that I have seen a few questions in the user forum about this same thing. This also came about after running a PCI compliance test where SSL was being used, but secure.session() was not being called.

The way I currently make this happen is to put this at the bottom of my db.py file:

############ FORCED SSL #############
# web2py model file: request, session and redirect are the framework globals
from gluon.settings import global_settings
if global_settings.cronjob:
    # cron/shell execution has no browser to redirect
    print('Running as shell script.')
elif not request.is_https:
    # mark the session cookie Secure, then send the browser to the https application root
    session.secure()
    redirect('https://%s/%s' % (request.env.http_host, request.application))
#####################################

The benefit of this is that if you access the application over HTTP, it redirects the browser to HTTPS, and secures the session. This also makes sure that cron jobs aren't affected.

Should we include something like this as a setting somewhere to make it easy for people to force their applications to only use SSL? Something like:

request.force_ssl = True

Thoughts?

Ross Peoples

Dec 9, 2011, 1:13:44 PM12/9/11
to web2py-d...@googlegroups.com
Actually, making it a function:

request.force_ssl()

would probably be better.

Jonathan Lundell

Dec 9, 2011, 1:29:05 PM12/9/11
to web2py-d...@googlegroups.com
BTW, something like URL(scheme='https', args=request.args, vars=request.vars) should give you a new https URL that points to the same location as the incoming one.

Ross Peoples

Dec 9, 2011, 1:40:12 PM12/9/11
to web2py-d...@googlegroups.com
Good catch.

There is also another problem I noticed, which the PCI test caught, but I thought I had fixed: session.secure() does not seem to be working. I confirmed on Chrome and Firefox. Both browsers are telling me that the cookie should be sent for "Any type of connection".

This is my updated block:

############ FORCED SSL #############
# web2py model file: request, session, redirect and URL are the framework globals
from gluon.settings import global_settings
if global_settings.cronjob:
    print('Running as shell script.')
elif not request.is_https:
    # same controller/function/args/vars as the incoming request, but over https
    redirect(URL(scheme='https', args=request.args, vars=request.vars))
# mark the session cookie Secure so the browser only sends it over https
session.secure()
#####################################
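The same forced-SSL logic as a framework-neutral WSGI wrapper, added here as an illustration (it is not web2py code and not the patch from this thread): plain-HTTP requests are redirected to the same path and query string over HTTPS, and every cookie the wrapped app sets gets the Secure attribute, which is the property the PCI scan checked. `demo_app` and `call` are constructed helpers, and `cronjob=True` stands in for `global_settings.cronjob`.

```python
from urllib.parse import quote

def https_redirect_url(environ):
    """HTTPS URL for the same location as the incoming WSGI request, the
    equivalent of URL(scheme='https', args=request.args, vars=request.vars)."""
    host = environ.get('HTTP_HOST') or environ['SERVER_NAME']
    path = quote(environ.get('SCRIPT_NAME', '') + environ.get('PATH_INFO', '')) or '/'
    query = environ.get('QUERY_STRING', '')
    return 'https://%s%s%s' % (host, path, '?' + query if query else '')

def cookie_is_secure(set_cookie_value):
    """True if a Set-Cookie value carries the Secure attribute (what the PCI
    scan checked: the browser must not send it over 'Any type of connection')."""
    return 'secure' in [p.strip().lower() for p in set_cookie_value.split(';')[1:]]

def require_https(app, cronjob=False):
    """Wrap a WSGI app: redirect plain HTTP to HTTPS and force Secure on every
    cookie the app sets. cronjob=True mirrors global_settings.cronjob: no
    browser to redirect, so the request passes straight through."""
    def wrapped(environ, start_response):
        if not cronjob and environ.get('wsgi.url_scheme') != 'https':
            start_response('301 Moved Permanently',
                           [('Location', https_redirect_url(environ))])
            return [b'']
        def secure_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                if name.lower() == 'set-cookie' and not cookie_is_secure(value):
                    value += '; Secure'
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)
        return app(environ, secure_start_response)
    return wrapped

def demo_app(environ, start_response):
    # Constructed stand-in for the application: sets a session cookie without
    # Secure, the behaviour the thread observed from session.secure().
    start_response('200 OK', [('Set-Cookie', 'session_id=abc123; Path=/')])
    return [b'ok']

def call(app, environ):
    """Invoke a WSGI app and return (status, headers, body) for inspection."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured['status'], captured['headers'] = status, headers
    body = b''.join(app(environ, start_response))
    return captured['status'], captured['headers'], body
```

HTTP_HOST is supplied by the client, so in deployment compare it against the hosts you actually serve before echoing it into the Location header.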

Massimo Di Pierro

Dec 9, 2011, 1:45:49 PM12/9/11
to web2py-d...@googlegroups.com
I would take a patch.

--
mail from:GoogleGroups "web2py-developers" mailing list
make speech: web2py-d...@googlegroups.com
unsubscribe: web2py-develop...@googlegroups.com
details : http://groups.google.com/group/web2py-developers
the project: http://code.google.com/p/web2py/
official : http://www.web2py.com/

Ross Peoples

Dec 9, 2011, 3:33:43 PM12/9/11
to web2py-d...@googlegroups.com
I have attached the patch to this message.
web2py-request-force_ssl.patch

Anthony

Dec 9, 2011, 4:26:26 PM12/9/11
to web2py-d...@googlegroups.com
Since there's also TLS, should we call it something more generic, like request.force_secure()?

Anthony

Massimo Di Pierro

Dec 9, 2011, 9:46:30 PM12/9/11
to web2py-d...@googlegroups.com
Nice job. I am adding it to trunk, but I renamed it request.requires_https().

On Dec 9, 2011, at 2:33 PM, Ross Peoples wrote:

I have attached the patch to this message.

