Member Avatar for Dani

I've recently switched our login mechanism, and our API, over to SSL (https:// vs http://)

I am using the following:

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} danipad [NC,OR]
RewriteCond %{REQUEST_URI} api [NC,OR]
RewriteCond %{REQUEST_URI} members/join [NC,OR]
RewriteCond %{REQUEST_URI} members/login [NC,OR]
RewriteCond %{REQUEST_URI} members/edit_profile [NC,OR]
RewriteCond %{REQUEST_URI} members/edit_membership [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

My problem is that there are third-party applications that still make POST requests to the api (specifically, to retrieve an access token as part of the OAuth process). The problem is that 301 redirects do not preserve POST data. What kind of workaround can I implement that requires all API requests to connect over SSL while still being backwards compatible?

  • 4 Contributors
  • 8 Replies
  • 796 Views
  • 4 Days Discussion Span
  • Latest Post Latest Post by Assembly Guy

Recommended Answers

All 8 Replies

Member Avatar for rubberman

I suspect we do this with our mobile browsers. I'll have to ask one of my colleagues tomorrow and get back to you as I don't personally know the process. Send me a personal message as a reminder.

Member Avatar for rubberman

Sorry Dani - been up to my eyeballs so far this week - merger of Nokia and MS stuff... I am sending myself a "nag" to ask my colleagues about this tomorrow!

Member Avatar for Dani

Thanks!

Member Avatar for rubberman

Dani, what browser are you using? My people suggested that you try another, like Firefox which has good diagnostic and tracing tools to help determine what is going on. In any case, they think it is a browser issue most likely. In any case, we haven't seen this issue with our Mozilla-based proxy browsers.

Edited by rubberman
Member Avatar for JorgeM

I actually had something similar I was working on a few weeks ago with the 301 redirect. I wasnt working with posted data (actually exception data), but in any event I had to implement a server side redirect instead using a 301 because i would loose the exception with the 301. In asp.net this is accomplished using the Server.Transfer() method. Not sure about PHP or whatever other server side scripting you are doing.

Also, couldnt you just capture the post data, save it to a session variable(s), then redirect?

Edited by JorgeM
Member Avatar for rubberman

Good suggestions Jorge. I am writing a lot of PHP code these days, and you can do it in PHP on the server side. I was just hoping that someone knew a quick and easy approach for Dani, without requiring that she write a bunch more code. :-)

Member Avatar for Assembly Guy

I agree with using server-side redirection. When 301 and 302s are used, I see it as telling the user you know what page they want, but you're getting them to do the work and waste time mucking around to move to another URL, rather than just taking it within your stride and silently feeding them the appropriate content.

I see it as a waste of time. Yes, it's only a fraction of a second, but it adds up. Logging into and out of my Google Account takes a considerable amount of time while I wait for a handful of redirections to exeute.

I will, however, acknowledge that the preservation of post data across 301s is sometimes useful, but I can't come up with a situation off the top of my head where you couldn't simply copy $_POST across to $_SESSION and redirect.

I don't see Dani's as a situation requiring preservation of post data though (nothing personal, prove me wrong and so on). Since the data would've already been posted without being encrypted, you might as well get on with processing the login and returning a 301 redirect if appropriate.

Edited by Assembly Guy
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.