Rails Devise SSL Session Mix Up on Production - ruby-on-rails

I've deployed my app on to a Ubuntu VPS using Capistrano, nginx/
Passenger and a wildcard SSL certificate.
The app works fine on development and my staging environment on
Heroku.
However, there are two problems on production when users sign into the
site using a secure page.
On latest Chrome and Firefox the browsers start to enforce HTTPS
requests on every single request every time. Regardless if the user is
signed in or not. Even if I disable SSL on nginx the browser still attempts HTTPS and complains it cannot connect. The main page serves some insecure dynamic embedded
items and uses an insecure CDN so I would like to serve that page as non-
SSL. Whenever I tried to redirect a page to non-SSL either through
nginx rewrite or a before filter in Rails it will cause an infinite
redirect loop.
Safari does not have the first problem as above it respects both
HTTPS and HTTP requests. However, when the user has logged in and
browses to a non-SSL page they are signed out or lose the session
instantly.
Has anyone encountered such a problem before or have an idea on how I could diagnose/fix the problem?
Thanks

Were you using Rails 3.1 force_ssl to enable SSL, or a gem?
When you enabled HTTPS, you also enabled the the HTTP Strict Transport Security flag, which the browse uses to immediately go to any HTTPS page on that domain before it sends the request to the server.
On Chrome, enter chrome://net-internals/#hsts into your browser and then you can delete your domain from the HSTS list which should fix it for Chrome. Can't speak for Firefox as I don't use it that often.
The issue with it losing session is likely because Rails is setting the authentication cookie as secure which means they are only sent for HTTPS requests and not HTTP. Make sure your cookie_options in Rails are not setting :secure => true. Also check the Devise cookie_options setting to ensure that :secure => true isn't being set.

Related

Apex domains on heroku

I've got a site that was originally running on a non-heroku server that I moved to heroku. The site was using a bare domain before (example.com). Heroku requires non-bare domains (www.example.com) as per this article: https://devcenter.heroku.com/articles/apex-domains
My question is: I have a bunch of links out there currently like this: https://example.com which throw a browser error now that I am using non-bare domains.
This excerpt from heroku confirms the error is widespread.
SSL
Traffic routed over SSL behaves, at the DNS level, identical to unencrypted traffic and suffers from the same naked domain limitations.
However, applications requiring SSL encryption should use the ALIAS/ANAME configuration on the root domain. Subdomain redirection will cause a browser error when the root domain is requested over SSL (i.e. https://example.com).
How can I redirect people to the right domain without them experiencing a browser error?
EDIT:
I emailed heroku and this was their response:
I'm afraid only the ALIAS/ANAME style records will be able to reference an SSL endpoint at the apex and from my understanding Namecheap do not support those record types. We have a few examples for various providers here. But if your domain provider doesn't support ALIAS/ANAME we can only recommend you switch to another provider that does. A URL redirector doesn't work for SSL, the CNAME type breaks email, and raw A records can break after only a few minutes.
So I moved providers from Namecheap to Cloudflare, CNAME'd instead of redirected, and everything now works as expected.
If you don't have an SSL endpoint provisioned then your visitors will get a 'certificate mismatch' error as Heroku will serve their default herokuapp.com certificate. You can't redirect https without a valid certificate as browsers first check the validity of the certificate. If you're moving to Heroku and want to respond to those requests you will need a valid certificate, SSL endpoint provisioned and a DNS provider that supports using CNAMEs on Apex records.

Rails and Devise: set Secure flag when requested via HTTPS, don't set Secure flag when not requested via HTTPS

I manage a Rails 4.2 application which runs dual stack: SSL and Non-SSL. I'd like to set the Secure flag for cookies when the resource is requested via HTTPS and I want to leave out the flag when the resource is requested via plain HTTP.
Is there a way to achieve this in Rails (session cookie, cookies sent manually in the Code)? And especially when using Devise with rememberable enabled.
I know this is a late response, but I'm currently looking into the same thing and it seems https://github.com/mobalean/devise_ssl_session_verifiable should automate this for you, although it uses a different approach (regular session cookie over http + https, but an additional secure cookie in https, so that someone hijacking your session cannot access your https-only resources.

Force SSL and url encryption in rails

In a rails app I am setting
config.force_ssl=true
This is working great, but I am concerned about a situation where a gem I am using redirects to a url in the following format:
http://example.com/secure_url?secret_token=abc
Rails then redirects to
https://example.com/secure_url?secret_token=abc
However, I'm worried that the secret_token will be exposed during the original http request before it is redirected to a secure connection. Is this a legitimate security concern?

Redirect mysite.com to www.mysite.com with SSL wildcard before security warning

I have an SSL wildcard for my rails site through DNSimple, and have deployed to Heroku.
I have smoothly functioning full-site SSL for all subdomains of my site, except for when I enter my site name without a subdomain into a browser for the first time.
Although my Heroku settings redirects http://mysite.com to https://www.mysite.com, the browser pops up a security warning first, because the SSL certificate for *mysite.com requires a subdomain.
Is there a way to redirect from no subdomain to with subdomain before checking for the security certificate?
This is a substantial issue, as it's unreasonable to require/expect first time visitors to type in www before the site name.
you can use subdomain redirection: https://devcenter.heroku.com/articles/avoiding-naked-domains-dns-arecords#subdomain-redirection
but I think only with the www form, as it warns:
Requests made directly to naked domains via SSL (i.e.
https://mydomain.com) will encounter a warning when using subdomain
redirection. This is expected and can be avoided by only circulating
and publicizing the subdomain format of your secure URL.

How to redirect a url like https://mydomain.com to https://www.mydomain.com from within Rails

I am using a SSL cert for www.mydomain.com from GoDaddy on Heroku. How can I redirect from the root url, https: //mydomain.com to https: //www.mydomain.com from within rails so my cert will work? I have been able to redirect all other combination with custom middleware, so that SSL is always serverd, but can't figure out how to do this without the browser detecting the lack of a cert for https://mydomain.com/. Is there something like a rack env[HOST] that I can rewrite? Thanks in advance....
The browser compares the cert to the domain name way before Rails even gets a chance to touch it - in fact, it's the very first part of the negotiation with the server, so you can't even use Apache Rewrite to change it.
What you should do is add mydomain.com to your cert. They're called "unified communications" certificate, although GoDaddy just calls them a Multiple Domain cert. http://help.godaddy.com/article/3908

Resources