[SAC] Re: [OSGeo] #281: Redirect trac http to https

OSGeo trac_osgeo at osgeo.org
Sun Aug 3 01:39:29 EDT 2008


#281: Redirect trac http to https
-----------------------+----------------------------------------------------
  Reporter:  timlinux  |       Owner:  sac at lists.osgeo.org
      Type:  task      |      Status:  new                
  Priority:  normal    |   Component:  SAC                
Resolution:            |    Keywords:                     
-----------------------+----------------------------------------------------
Comment (by crschmidt):

 Tim,

 Trac uses somewhat aggressive cookie-based caching that is sometimes
 somewhat difficult to get around. Sometimes, even after logging in, you'll
 still get an old "Permission Denied". The reason that switching to HTTPS
 fixes this is not because of something inherent in HTTPS, but simply
 because it's a *different* URL: If you were to make everything HTTPS, you
 would (I expect) see the same behavior.

 SSL requires additional round trips to the server: Frank is on a
 connection which is very high latency (which low bandwidth can cause, but
 generally doesn't directly) -- for Satellite, this latency is often in the
 .75s-1.5s range, which is very different than the latency even on very
 slow connections. (Dialup is typically only in the 250ms range, for
 example.) So, there is definitely a possibility that Frank's connection
 would be a 'worst case scenario' for this.

 I don't think that any of us are directly advocating for not making the
 login step HTTPS, simply ensuring that if you start at HTTP, login via
 HTTPS, you can still do your 'work' in HTTP: there is no particular
 security risk with this because trac doesn't use passwords directly other
 than for logging in. (It uses a cookie system to manage after that.)

 Hopefully this helps address some of the concerns here. I think that the
 main fix at the moment would be to change the 'login' links to always be
 HTTPS, so that users are typically sent through that mechanism.

-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/281#comment:4>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

