I am using rails 4.2.2, deploying to production on Heroku and using the free level of Cloudflare for ssl. In my production.rb file I have set
config.force_ssl = true
If I am not signed in as a user, then ssl works and I see the padlock in the browser url bar, and I see it for all unsigned-in pages. However, once I log into the site, the padlock disappears on all signed-in pages. When I am signed in and choose a different signed-in page, the padlock temporarily appears as the page is being loaded but then disappears when the loading is complete. All this happens on both Chrome and Safari. I am not using Devise.
What could be causing this?
If you are using devise, take a look at this:
https://github.com/plataformatec/devise/wiki/How-To:-Use-SSL-(HTTPS)
Thanks to the support team at Cloudflare, I was able to solve this.
The signed in users can use a gravatar, but the gravatar_image_tag was not being used with the secure setting. This meant the image was being transferred using http not https. This could be seen by looking at the developer console, which was displaying an error indicating the page was displaying with mixed http and https. In order to fix this problem, I just used the secure setting for the gravatar_image_tag.
In my case, the page accessed some insecure assets (e.g. images in AWS S3). The Chrome Developer Console showed that the page had mixed content. Changing the S3 image links from http to https made ssl work.
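Both answers above found the padlock loss by spotting mixed content in the browser console. The following is an added example (not code from the original thread): a small Ruby scanner that flags sub-resources (images, scripts, stylesheets, frames) loaded over plain `http://` in an HTTPS page, run over a constructed HTML sample that mimics the gravatar and S3 cases; links (`<a href>`) are deliberately not reported, since navigation to http is not mixed content.

```ruby
# Tags and attributes through which a page pulls in a sub-resource. Only these
# trigger mixed-content blocking/warnings; <a href="http://..."> does not.
SUBRESOURCE_ATTRS = {
  "img"    => %w[src srcset],
  "script" => %w[src],
  "iframe" => %w[src],
  "link"   => %w[href],
  "audio"  => %w[src],
  "video"  => %w[src poster],
  "source" => %w[src srcset],
}.freeze

# Constructed sample page: two insecure images (a gravatar and an S3 asset),
# one https stylesheet, one protocol-relative script and one plain http link.
SAMPLE_HTML = <<~HTML
  <html><head>
    <link rel="stylesheet" href="https://cdn.example.test/app.css">
    <script src="//cdn.example.test/app.js"></script>
  </head><body>
    <img src="http://www.gravatar.com/avatar/0000?s=48" alt="avatar">
    <img src="http://s3.amazonaws.com/example-bucket/banner.png">
    <a href="http://example.test/about">About</a>
  </body></html>
HTML

# Returns one finding per sub-resource URL that uses the http:// scheme.
# https:// and protocol-relative (//host/path) URLs are fine on an HTTPS page.
def mixed_content(html)
  findings = []
  html.scan(/<(\w+)\b([^>]*)>/m) do |tag, attrs|
    tag = tag.downcase
    next unless SUBRESOURCE_ATTRS.key?(tag)
    attrs.scan(/(\w+)\s*=\s*["']([^"']*)["']/) do |name, value|
      next unless SUBRESOURCE_ATTRS[tag].include?(name.downcase)
      # srcset holds comma-separated "url descriptor" pairs; others hold one URL.
      candidates = name.downcase == "srcset" ? value.split(",") : [value]
      candidates.each do |candidate|
        url = candidate.strip.split(/\s+/).first
        findings << { tag: tag, attr: name.downcase, url: url } if url =~ %r{\Ahttp://}i
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  mixed_content(SAMPLE_HTML).each { |f| puts "mixed content: <#{f[:tag]} #{f[:attr]}=#{f[:url]}>" }
end
```

In a Rails app the same check can be run against the rendered body of a request spec, so an http asset fails the test suite before it reaches production.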
I have a rails app with sorcery for authentication. I'm trying to get Stripe checkout integrated but I'm seeing an issue with Safari. Works fine with Chrome and Firefox.
I can successfully create a Stripe hosted checkout page with the cancel url and the stripe js sends me there in the same browser tab. Problem is when I click on the cancel/back link on the checkout page it goes back to my app and punts me to the login page as it can't find the session and current_user is nil.
Funny thing is that on the login page if I simply type in the cancel url into the address bar it authenticates me successfully so it must find the original session/cookie.
Has anyone encountered this? Is it a caching issue? I see no errors in the log nor in the js console. Just this in the server log...
Filter chain halted as :require_login rendered or redirected
And it's nothing to do with Stripe either as I created a simple test.html page on another server and different domain with a link to the cancel url. Same result. I see the same issue going from https back to my localhost server as well as in a staging environment https -> https.
I've also cleared my Safari cache, history, cookies, restarted the browser and my computer and cleared the rails sessions table to no avail. I'm using activerecord session store but also tried with plain cookies.
Any hints/solutions would be appreciated. Thanks!
This is apparently a known bug with Safari as of Feb 19 2021. Safari won't send the cookie if it's set to Lax. Rails 6 defaults to Lax now, whereas in < 6 it wasn't set.
I recently downgraded one of my Heroku apps to a free dyno - as a result, the SSL was revoked (because I was using the SSL provided with a paid dyno). Now, when I visit my site URL, it gives me this error: ERR_SSL_PROTOCOL_ERROR
I've edited my production.rb file to set: config.force_ssl = false and published that code, but it still redirects my site to https when I try to connect on http.
Now, to complicate things:
This only applies to my custom domain - the .herokuapp.com domain works fine
It works fine on incognito mode on both the custom domain and the herokuapp.com domain
I've tried clearing the cookies and cache (for the last 7 days) and it still didn't work :/
Any ideas what I can do?
Edit:
In case it helps, I am using Chrome on Windows 10
Given that you are using Chrome, according to this answer, you need to follow these steps to stop Chrome from redirecting http:// to https://.
Anon is right about STS, but there is a way to specifically delete your domain from the set. Go to chrome://net-internals/#hsts. Enter 3rdrevolution.com under Delete domain security policies and press the Delete button.
Now go to chrome://settings/clearBrowserData, tick the box Cached images and files and click the Clear data button.
I cloned the Shopify embedded app example and set my API key and secret and then authorized the app through Shopify. Now that I want to open the app in the admin panel (supposed to render the index method of the home controller) it shows nothing, since the embedded app is trying to get a page with path: wss://argus.shopify.com/820222/register?token=foo&screen_sharing_support=true&user_name=Pooya%20M&guid=bar
This request is pending and does not finish.
What is wrong here and how can I fix this?
I fixed the problem. The problem of showing nothing was because of rendering an HTTP page from an HTTPS one (localhost is without SSL by default).
Logs were disabled in my inspector. I enabled error logs in my inspector, and I resolved the errors (one of them was this insecure rendering).
P.S: You can add SSL to localhost or disable the protection of your browser.
I'm running a Refinery CMS application that uses Devise as the plugin for logging in/authentication. The problem I am having is that Chrome/FF are working fine but IE is not logging the user in. At first, I believed it was that the SSL Certificate wasn't set up yet. After I fixed the SSL issue with Heroku, the problem remained.
Changing the privacy setting for cookies to "Accept all Cookies" is the only workaround I've found to fix this problem. This is problematic because I have to explain to my clients why their IE browser isn't working and at the same time they have to expose themselves to 3rd party cookies if they use this browser for other internet applications.
Is there a configuration that I can set in Rails 3/Refinery/Devise that will remedy this issue?
Thanks!
I had a similar problem - fixed it by using a different session_store in config/initializers/session_store.rb
The :cookie_store default session store tries to store all session information on the browser (which is why you had to set the "Accept all Cookies" in IE). As an example I set my session store to :active_record_store and it solved the login issues.
Coincidentally, I had this problem with IE8, but IE9 and IE10 didn't seem to have the same problem.
I have a Facebook app page and a rails application. My rails application loads a dynamic page based on a key that is given. This works fine and dandy outside of my facebook app:
https://app.eventsent.net/event_lists/3d40ba2a4a10947c17c2337fba3421dd406cceb5?frame=true
However inside of Facebook the page is pulling up as a 404 error:
https://www.facebook.com/reynoldsdesignstudio/app_419134091467471
I have gotten around this issue by creating a static file within my system so that Facebook can view it, however this is not ideal, as deploying the rails app with updates makes modifying these static pages a pain.
Any help on this would be great.
We got this figured out by changing the routes file to allow for a post request instead of just a get request
Your problem is not related to dynamic/static content. Also Facebook is showing a 501 error, not a 404. In short, your SSL cert is not valid for the staging.app subdomain you are pointing your Facebook page at.
Visiting your Facebook page (https://www.facebook.com/reynoldsdesignstudio/app_419134091467471) yields this error:
This webpage is not available
The webpage at https://staging.app.eventsent.net/event_lists/3d40ba2a4a10947c17c2337fba3421dd406cceb5.html might be temporarily down or it may have moved permanently to a new web address.
Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error.
Note that the subdomain is staging.app. If you happen to be using Firefox, you get a nice error message that spells everything out:
This Connection is Untrusted
You have asked Firefox to connect securely to staging.app.eventsent.net, but we can't confirm that your connection is secure.
staging.app.eventsent.net uses an invalid security certificate.
The certificate is only valid for the following names:
app.eventsent.net , www.app.eventsent.net
(Error code: ssl_error_bad_cert_domain)
The easiest solution would be to get a wildcard SSL certificate that is valid for *.eventsent.net.
FYI, if you visit https://staging.app.eventsent.net/event_lists/3d40ba2a4a10947c17c2337fba3421dd406cceb5?frame=true, you will get a rather dire-looking warning from your browser. If you ignore the warning and tell the browser to accept the certificate, your Facebook page will then load fine in the same browser.
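The Firefox error above is a hostname-matching failure, and the same check can be run offline before buying a certificate. The following is an added Ruby example (not from the original thread): it builds throwaway self-signed certificates with the given DNS SANs and asks Ruby's OpenSSL binding, which applies the RFC 6125 rules browsers use, whether each SAN list covers the host Facebook loads. One caveat worth seeing in code: a wildcard matches exactly one DNS label, so `*.eventsent.net` covers `app.eventsent.net` but not `staging.app.eventsent.net`, whereas `*.app.eventsent.net` does.

```ruby
require "openssl"

# Build a throwaway self-signed certificate carrying the given DNS SANs.
# Only the name-matching logic matters here, not the trust chain.
def cert_with_sans(sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for the subjectAltName extension
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=test")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", sans.map { |n| "DNS:#{n}" }.join(",")))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Does a certificate with these SANs cover the hostname the browser connected to?
# verify_certificate_identity performs the RFC 6125 comparison behind the
# browser's ssl_error_bad_cert_domain error (SANs present, so CN is ignored).
def covers?(sans, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert_with_sans(sans), hostname)
end

# The two names listed in the Firefox error on this page.
CURRENT_SANS = %w[app.eventsent.net www.app.eventsent.net].freeze

# Compare the deployed SAN list with two wildcard alternatives for the host
# the Facebook page actually points at.
def report(hostname = "staging.app.eventsent.net")
  {
    current:      covers?(CURRENT_SANS, hostname),
    wildcard_top: covers?(%w[*.eventsent.net], hostname),     # one label only
    wildcard_app: covers?(%w[*.app.eventsent.net], hostname),
  }
end

puts report.inspect if $PROGRAM_NAME == __FILE__
```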