0

I've recently switched our login mechanism, and our API, over to SSL (https:// vs http://)

I am using the following:

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} danipad [NC,OR]
RewriteCond %{REQUEST_URI} api [NC,OR]
RewriteCond %{REQUEST_URI} members/join [NC,OR]
RewriteCond %{REQUEST_URI} members/login [NC,OR]
RewriteCond %{REQUEST_URI} members/edit_profile [NC,OR]
RewriteCond %{REQUEST_URI} members/edit_membership [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

My problem is that there are third-party applications that still make POST requests to the api (specifically, to retrieve an access token as part of the OAuth process). The problem is that 301 redirects do not preserve POST data. What kind of workaround can I implement that requires all API requests to connect over SSL while still being backwards compatible?

4
Contributors
8
Replies
45
Views
3 Years
Discussion Span
Last Post by Assembly Guy
0

I suspect we do this with our mobile browsers. I'll have to ask one of my colleagues tomorrow and get back to you as I don't personally know the process. Send me a personal message as a reminder.

0

Sorry Dani - been up to my eyeballs so far this week - merger of Nokia and MS stuff... I am sending myself a "nag" to ask my colleagues about this tomorrow!

0

Dani, what browser are you using? My people suggested that you try another, like Firefox which has good diagnostic and tracing tools to help determine what is going on. In any case, they think it is a browser issue most likely. In any case, we haven't seen this issue with our Mozilla-based proxy browsers.

Edited by rubberman

0

I actually had something similar I was working on a few weeks ago with the 301 redirect. I wasnt working with posted data (actually exception data), but in any event I had to implement a server side redirect instead using a 301 because i would loose the exception with the 301. In asp.net this is accomplished using the Server.Transfer() method. Not sure about PHP or whatever other server side scripting you are doing.

Also, couldnt you just capture the post data, save it to a session variable(s), then redirect?

Edited by JorgeM

0

Good suggestions Jorge. I am writing a lot of PHP code these days, and you can do it in PHP on the server side. I was just hoping that someone knew a quick and easy approach for Dani, without requiring that she write a bunch more code. :-)

0

I agree with using server-side redirection. When 301 and 302s are used, I see it as telling the user you know what page they want, but you're getting them to do the work and waste time mucking around to move to another URL, rather than just taking it within your stride and silently feeding them the appropriate content.

I see it as a waste of time. Yes, it's only a fraction of a second, but it adds up. Logging into and out of my Google Account takes a considerable amount of time while I wait for a handful of redirections to exeute.

I will, however, acknowledge that the preservation of post data across 301s is sometimes useful, but I can't come up with a situation off the top of my head where you couldn't simply copy $_POST across to $_SESSION and redirect.

I don't see Dani's as a situation requiring preservation of post data though (nothing personal, prove me wrong and so on). Since the data would've already been posted without being encrypted, you might as well get on with processing the login and returning a 301 redirect if appropriate.

Edited by Assembly Guy

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.