[ic] Detecting a secure page

Kevin Walsh kevin at cursor.biz
Mon Jun 12 15:14:28 EDT 2006


JT Justman <jt-lists at sirius.airdelights.com> wrote:
> Kevin Walsh wrote:
> > > Here's some version info:
> > >
> > > apache-2.0.55-r1
> > > mod_perl-2.0.2
> > > interchange-5.2.0
> > > Interchange::Link-1.9
> > >
> > It would be interesting to see what environment variables you do get
> > from [env] and which of the above packages causes the HTTPS variable
> > to not get set in the environment for secure pages.  A package and
> > version comparison with others who have the same problem will help
> > here.
> > 
> Well, I'm running:
> 
> apache-2.0.52
> mod_perl-2.0.2
> interchange-5.5.0-200605220658
> 
> I use mod_rewrite to fix URLs and prevent access to sensitive pages via
> HTTP. I.e., a different set of rewrites for the SSL VirtualHost.
> 
> [env SERVER_PORT] - works correctly
> [if session shost] - works correctly
> $CGI::secure appears to be undefined.
> 
> Looking at the apache2 mod_ssl docs, the environment variable has been
> changed from 'SSL' to 'HTTPS'. There are others, but it seems that HTTPS
> is the one to test.
> 
HTTPS is fine.  The HTTPS environment variable is used by Interchange
to set the $CGI::secure variable.  I don't think we've ever used the
SSL environment variable.

>
> [if session shost] - works correctly
>
That's weird, as shost is set like this, in Vend::Session::init_session():

    $Vend::Session->{shost} = $CGI::remote_addr
        if $CGI::secure;

If $CGI::secure is not set when the secure session is initialised then
$Vend::Session->{shost} would not be initialised.  The Session's "shost"
key is not an indication of whether or not the current page was requested
via SSL, by the way.

So far, the common denominator is Apache 2 and mod_perl equals no
$CGI::secure on some occasions (not always, it seems).  Apache 1 and
mod_interchange work correctly.  It would be nice to narrow that down
to either Apache 2 or mod_perl, so it would be good to hear from someone
who's using either mod_perl with Apache 1 or vlink/tlink with Apache 2.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin at cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
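
The distinction drawn in the message above between $CGI::secure and the session's shost key, as an added Perl example that is not part of the original message and is not Interchange source. The function names, the HTTPS=on value, port 443 and the sample requests are assumptions made for illustration.

```perl
use strict;
use warnings;

# Simplified model of the behaviour described in the thread; not Interchange source.

# Assumption: mod_ssl exports HTTPS=on for SSL requests and nothing otherwise.
sub request_is_secure {
    my ($env) = @_;
    return (defined($env->{HTTPS}) && lc($env->{HTTPS}) eq 'on') ? 1 : 0;
}

# Follows the quoted init_session() line: shost is stored when the session
# is created, and only if that request was seen as secure.
sub init_session {
    my ($env) = @_;
    my %session;
    $session{shost} = $env->{REMOTE_ADDR} if request_is_secure($env);
    return \%session;
}

# Assumption: the SSL VirtualHost listens on 443. A request on that port
# without HTTPS matches the symptom reported in the thread.
sub diagnose {
    my ($env) = @_;
    return 'secure' if request_is_secure($env);
    return 'HTTPS missing on SSL port' if ($env->{SERVER_PORT} || 0) == 443;
    return 'plain';
}

# Constructed requests (192.0.2.10 is a documentation address).
my @requests = (
    { label => 'SSL, session starts',   HTTPS => 'on', SERVER_PORT => 443, REMOTE_ADDR => '192.0.2.10' },
    { label => 'plain, same session',   SERVER_PORT => 80,  REMOTE_ADDR => '192.0.2.10' },
    { label => 'SSL, HTTPS not passed', SERVER_PORT => 443, REMOTE_ADDR => '192.0.2.10' },
);

my $session = init_session($requests[0]);

for my $req (@requests) {
    printf "%-22s shost=%-11s current request: %s\n",
        $req->{label},
        defined($session->{shost}) ? $session->{shost} : '(unset)',
        diagnose($req);
}
```

shost stays set on the second, plain request, so it cannot be used to tell whether the current page came over SSL; the third request shows the reported case where the port says SSL but the secure flag is never set.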

