best approach
Brook Stevens <bstevens(at)Cleanwise.com>
2004-12-06 22:53:29
I have an application that we want to have certain resources protected.  My
thought is to add a header to indicate whether the request was made under
SSL and redirect accordingly.  This means I need to modify my application to
be able to interpret this header (is "X-SSL-Request: true" a standard
header?).  I am wondering if there is a better way of doing this.  I also
need to maintain session context between the SSL request and the regular
request, so I believe I need to have one instance of pound and one URL group
so that users are sent to the same backend.

-Brook

Re: best approach
Robert Segall <roseg(at)apsis.ch>
2004-12-08 12:21:30
On Monday 06 December 2004 22.53, Brook Stevens wrote:[...]

You are pretty much free to add any header you wish, as long as it is 
correctly formed. X-SSL-whatever is fine. The HTTPSHeaders directive allows 
you to do exactly this.

You don't need to worry about the SSL session - that is managed by Pound at 
the SSL level and has nothing to do with the HTTP session (protocol vs. 
application level). Sessions are kept the same way in HTTP and HTTPS - in 
fact you can do both at once.

It is not unusual for applications to have a bit of code that checks if a 
connection was made via HTTPS, and if not reply with a redirect or error. 
Using a separate host name might be an improvement.[...]
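
The application-side check discussed in this thread, as an added example that is not part of the original messages and not code from Pound or from either poster: a WSGI middleware that honours "X-SSL-Request: true" only when the request arrives from the proxy, and otherwise answers with a redirect or an error. The proxy address, the protected paths, the host name and all function names are assumptions made for the illustration.

```python
from urllib.parse import quote

# Assumptions for this sketch (none of these values come from the thread):
TRUSTED_PROXIES = {"127.0.0.1"}            # address Pound connects from
SSL_HEADER = "HTTP_X_SSL_REQUEST"          # WSGI key for "X-SSL-Request"
PROTECTED = ("/account", "/checkout")      # hypothetical protected paths


def is_https(environ):
    """True only when the trusted proxy marked the request as SSL."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return False  # any client can send the header, so ignore it here
    return environ.get(SSL_HEADER, "").strip().lower() == "true"


class RequireSSL:
    """WSGI middleware: protected paths are served only over HTTPS."""

    def __init__(self, app, secure_host):
        self.app = app
        self.secure_host = secure_host  # fixed name, never the Host header

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not path.startswith(PROTECTED) or is_https(environ):
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # Body already travelled in clear text; refuse, do not redirect.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        location = "https://" + self.secure_host + quote(path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("302 Found", [("Location", location)])
        return [b""]


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run(app, environ):
    """Call a WSGI app with a constructed environ; return (status, headers)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```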
