6

I was hoping to get some recommendations on how to approach redirecting users from HTTP to HTTPS using an ember initializer with ember-simple-auth.

`import ENV from 'cio/config/environment'`

SSLInitializer =
  name: 'ssl'
  before: 'simple-auth-cookie-store'
  initialize: (container, application) ->
    application.deferReadiness()

    # Redirect if hitting HTTP and SSL is enabled
    if ENV.SSL and window.location.protocol is "http:"
      window.location.href = "https:" + window.location.href.substring(window.location.protocol.length)
      return false

    application.advanceReadiness()

`export default SSLInitializer`

But it seems that the cookie gets invalidated even when the if statement evaluates to true. I've tried several things, including:

  • before: 'simple-auth'
  • before: 'store'
  • application.destroy() within the if statement, before the window.location.href is set

From what I can tell, after debugging. The app does redirect to HTTPS, but then the cookieName is not found in document.cookie. (https://github.com/simplabs/ember-simple-auth/blob/master/packages/ember-simple-auth-cookie-store/lib/simple-auth-cookie-store/stores/cookie.js#L154)

Before this method worked because we had simple snippet in the index.html, but w/ CSP we'd like to keep it in an initializer. Any recommendations?

Thanks!

alvincrespo
  • 9,224
  • 13
  • 46
  • 60
  • Why would you want to do this in an initializer and not from the server? Don't know whether you use an authorizer but if you are the server must not respond to any non-HTTPS requests anyway. – marcoow Dec 19 '14 at 15:20
  • All of the assets are served up in a CDN with a variety of AWS services (S3, Route53, etc...), so we don't really have an nginx or apache configuration that we can use. – alvincrespo Dec 19 '14 at 15:23
  • Yeah the UI just communicates with an API so the hosting of frontend assets are just served through a CDN. – alvincrespo Dec 19 '14 at 16:26
  • Are you setting the cookie with the secure flag? Maybe I'm not understanding what you mean by "cookie gets invalidated", can you elaborate a little? – mpowered Dec 29 '14 at 20:59

1 Answers1

4

You really should be forcing a redirect from HTTP to HTTPS from the server as doing it from the client does not add any real security.

Think about it, the user has downloaded the application to their browser from an insecure endpoint and from then on nothing can be trusted. Even a server based redirect is problematic since it relies on the redirect advice from an untrusted endpoint. Users should really be accessing things from an initial trusted starting point otherwise all bets are off. This is known as the secure referral problem and will likely never be solved because of the business model behind SSL certificates.

You also shouldn't really trust cookies from the untrusted HTTP domain in the trusted HTTPS domain unless you have a way to authenticate those cookies on the client. Sharing of cookies between HTTP/HTTPS is covered in RFC 2109 (Section 4.2.2 Set-Cookie Syntax).

This means:

  • A cookie set with "Secure" will be available only on HTTPS
  • A cookie set without "Secure" will be available on either HTTP or HTTPS.
Community
  • 1
  • 1
Andrew Hacking
  • 6,296
  • 31
  • 37