HTTP 302 Redirect from HTTP to HTTPS is possibly invalid

    • Type: Bug
    • Resolution: Resolved Locally
    • Priority: Low
    • Affects Version/s: None
    • Component/s: None

      $ wget -O - 'http://stash.acme.com/'
      --2013-02-14 15:27:32--  http://stash.acme.com/
      Resolving stash.acme.com... [skipped]
      Connecting to stash.acme.com|xx.xx.xx.xx|:80... connected.
      HTTP request sent, awaiting response... 302 Found
      Location: https://stash.acme.com/login [following]
      --2013-02-14 15:27:32--  https://stash.acme.com/login
      Connecting to stash.acme.com|xx.xx.xx.xx|:443... connected.
      HTTP request sent, awaiting response... 200 OK
      Length: 6056 (5.9K) [text/html]
      Saving to: ‘STDOUT’
      

      See what happened:
      1. The browser sends a GET over HTTP (port 80); the cookies are not sent, because the cookies are set up for the HTTPS domain.
      2. Stash does not find the remember_me and session cookies and sends a redirect to /login.
      3. Tomcat forwards HTTP to HTTPS.

      As a result, the user has a page on the HTTPS domain, with valid session cookies, but Stash shows him the 'Login' page as if he is not logged in.

      Also see STASH-3118 — it is for the same error but from the other side.

            Assignee:
            Unassigned
            Reporter:
            Alexey Efimov
            Votes:
            0
            Watchers:
            2
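
The three steps in the report, replayed with Python's standard cookie policy, as an added example that is not part of the original issue or of Stash's code. It assumes the cookies carry the Secure attribute; the cookie name `session`, both cookie values and the `follow` model of the redirect chain are constructed for illustration.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "stash.acme.com"  # host name taken from the wget output in the report


def secure_cookie(name, value):
    # Constructed cookie with the Secure attribute set (assumption: this is
    # what the report means by cookies "set up for the HTTPS domain").
    return Cookie(0, name, value, None, False, HOST, True, False, "/", True,
                  True, None, True, None, None, {})


def build_jar():
    # "remember_me" is named in the report; "session" and both values are
    # placeholders constructed for this example.
    jar = CookieJar()
    jar.set_cookie(secure_cookie("remember_me", "constructed-token"))
    jar.set_cookie(secure_cookie("session", "constructed-id"))
    return jar


def cookies_sent(jar, url):
    """Cookie header a client attaches to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure/domain/path rules
    return req.get_header("Cookie")


def follow(jar, url):
    """Replay the report's steps; return (final URL, cookies sent to it)."""
    header = cookies_sent(jar, url)                      # step 1
    logged_in = header is not None and "session=" in header
    path = "/" if logged_in else "/login"                # step 2: login check
    final = "https://" + HOST + path                     # step 3: scheme upgrade
    return final, cookies_sent(jar, final)


if __name__ == "__main__":
    jar = build_jar()
    for start in ("http://" + HOST + "/", "https://" + HOST + "/"):
        final, sent = follow(jar, start)
        print(start, "->", final, "| cookies on final request:", sent)
```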