FAQ
Catalyst::Plugin::Session::State::Cookie shows how to make a secure cookie,
which is great when you're rolling cookies by hand in your code.

But how do you set a secure cookie in the context of a myapp.conf setup?

<session>
flash_to_stash = 1
dbic_class = MyApp::Session
expires = 3600
cookie_secure = 1 # just kidding
</session>

That's not doing the trick. Which doc reveals the right mojo?

===

This is in pursuit of stopping the Explorer error "This page contains both
secure and nonsecure items..." Other than the doctype and the <html
xmlns=""> attribute, we can't find any http:// references, even looking in
css @import and url() ... so the next culprit seems to be the nonsecure
cookie. Other guidance is more than welcome!


--
The first step towards getting somewhere is to decide that you are not going
to stay where you are. -- J.P.Morgan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/catalyst/attachments/20110220/65d82804/attachment.htm

  • Jason Galea at Feb 21, 2011 at 6:08 am
    you're not using a non-ssl cdn for your javascript libraries? (had me
    searching once..)

    _______________________________________________
    List: Catalyst@lists.scsys.co.uk
    Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
    Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
    Dev site: http://dev.catalyst.perl.org/


    --
    Jason Galea
    Web Developer

    Ph 07 40556926
    Mob 04 12345 534
    www.eightdegrees.com.au
  • Róbert Oroszi at Feb 21, 2011 at 2:06 pm
    if you're using a non-ssl javascript cdn you should embed javascript (or css)
    like this:

    <script type="text/javascript" src="//code.jquery.com/jquery-latest.min.js
    "></script>

    "//" - it's a protocol-less javascript embedding technique :)

    good luck :)

    ps: it works with images, css, javascript too

    2011/2/21 Jason Galea <lists@eightdegrees.com.au>
    you're not using a non-ssl cdn for your javascript libraries? (had me
    searching once..)

  • Will Trillich at Feb 21, 2011 at 2:11 pm
    That's a neat trick -- hadn't heard of that one before. But the javascript
    isn't our "nonsecure-items" problem.


    2011/2/21 Oroszi, Róbert <robert@oroszi.net>
    if you're using non-ssl javascript cdn you should embed javascript ( or css
    ) like this:

    <script type="text/javascript" src="//code.jquery.com/jquery-latest.min.js
    "></script>

    "//" - it's a protocol-less javascript embedding technique :)

    good luck :)

    ps: it works with images, css, javascript too

  • Ashley Pond V at Feb 21, 2011 at 2:38 pm

    On Mon, Feb 21, 2011 at 6:11 AM, will trillich wrote:
    That's a neat trick -- hadn't heard of that one before. But the javascript
    isn't our "nonsecure-items" problem.
    Protocol free // isn't a javascript specific technique while we're on
    it. It simply means use the protocol that's currently in action. It
    will work for images and such as well as long as your server can send
    them secured. This technique was gaining traction 10 years ago but
    doesn't seem to get much use today.
  • Bill Moseley at Feb 21, 2011 at 4:08 pm
    2011/2/21 Oroszi, Róbert <robert@oroszi.net>
    if you're using non-ssl javascript cdn you should embed javascript ( or css
    ) like this:

    <script type="text/javascript" src="//code.jquery.com/jquery-latest.min.js
    "></script>

    "//" - it's a protocol-less javascript embedding technique :)

    good luck :)
    IIRC, I tried this on a site a few years back and changed back --
    unfortunately, for a reason that I can't remember now. Maybe it was related
    to this:

    http://www.stevesouders.com/blog/2010/02/10/5a-missing-schema-double-download/

    (and linked from above)
    http://www.flickr.com/photos/jongalloway/4951687517/lightbox/
    http://php5.skauti-pardubice.cz/IE7-missing-scheme-bug.php

    I don't have IE8 here. Can anyone confirm?



    --
    Bill Moseley
    moseley@hank.org
  • Will Trillich at Feb 21, 2011 at 2:09 pm
    Nope it's not the javascript. Searching view-source for "http://" shows only
    DOCTYPE, xmlns, <!-- comments --> and links to other/external websites.

    The session cookie does show as non-secure, so that's why we're thinking
    it's the main culprit.

    Otherwise, is there a tool out there that helps discover what Explorer is
    griping about when it says "this page contains both secure and nonsecure
    items..."?


    On Mon, Feb 21, 2011 at 12:08 AM, Jason Galea wrote:

    you're not using a non-ssl cdn for your javascript libraries? (had me
    searching once..)

  • Carl Franks at Feb 21, 2011 at 3:15 pm

    On 21 February 2011 14:09, will trillich wrote:
    Nope it's not the javascript. Searching view-source for "http://" shows only
    DOCTYPE, xmlns, <!-- comments --> and links to other/external websites.
    The session cookie does show as non-secure, so that's why we're thinking
    it's the main culprit.
    Otherwise, is there a tool out there that helps discover what Explorer is
    griping about when it says "this page contains both secure and nonsecure
    items..."?
    Hi,

    It shouldn't matter that it's not a secure cookie - that's just a flag
    that tells the browser it shouldn't send the cookie back to the same
    domain on any non-SSL requests.
    Cookies are sent as part of a request/response for a URL - so it's a
    URL that's the problem, not a cookie.

    I recommend you try viewing the page in a browser that will let you
    see all network requests - e.g. firefox with the firebug plugin
    running.

    Carl
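Carl's point, as an added example that is not part of the thread and not browser or Catalyst code: a minimal Set-Cookie parser plus the browser's send decision (a subset of RFC 6265), showing that a Secure cookie is withheld over plain http while a non-Secure one would ride along on any http:// subresource fetch. Cookie names, values and URLs are constructed.

```python
"""Secure-flag semantics as Carl describes them (constructed example, not
browser or Catalyst code): parse Set-Cookie like a user agent (subset of RFC
6265 s5.2) and decide per request URL whether the cookie is sent (s5.4).
Secure only stops the cookie leaving over plain http; the mixed-content
warning is about which URLs get fetched, not about this flag."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; attr; attr=value' (the subset a session plugin emits)."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":            # flag attribute, carries no value
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "path" and val.strip():
            cookie.path = val.strip()
    return cookie


def would_send(cookie: Cookie, url: str) -> bool:
    """Would a browser attach the cookie to a request for this absolute URL?
    Host matching is omitted (same origin assumed); scheme and path are what
    matter here."""
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False                   # Secure cookies travel only over TLS
    path = parts.path or "/"
    # RFC 6265 s5.1.4 path-match: identical, or cookie path is a directory prefix
    return path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")


def leaks_over_plain_http(set_cookie: str, subresource_urls) -> list:
    """Constructed http:// subresource fetches that would carry this cookie."""
    cookie = parse_set_cookie(set_cookie)
    return [u for u in subresource_urls
            if urlsplit(u).scheme == "http" and would_send(cookie, u)]
```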
  • Will Trillich at Feb 21, 2011 at 4:11 pm
    Thanks for the cookie back-story, Carl. We're looking into a firefoxy
    diagnosis.

  • John Romkey at Feb 21, 2011 at 5:16 pm
    Not sure if someone's suggested this so far, but perhaps one of the resources you're including using https: is getting a redirect back to a non-SSL URL?
    - john romkey
    http://www.romkey.com/
  • Adam Sjøgren at Feb 21, 2011 at 9:38 pm

    On Mon, 21 Feb 2011 15:15:17 +0000, Carl wrote:

    I recommend you try viewing the page in a browser that will let you
    see all network requests - e.g. firefox with the firebug plugin
    running.
    Another nice tool is included in Chrom{e,ium} under Tools → Developer
    Tools, where - if you load an https-page, you get a little warning-sign
    and a number in the bottom-right corner, which, when clicked, pops up a
    list showing exactly what Chrom{e,ium} fetched that was insecure.

    Example screenshot:

    * http://koldfront.dk/misc/browsers/chromium-insecure-content.png


    Best regards,

    Adam

    --
    "Examination and mastering of a new highly Adam Sjøgren
    intellectual equipment was a hard labour." asjo@koldfront.dk
  • Will Trillich at Feb 21, 2011 at 11:50 pm
    Okay -- we'd tried this approach using Chrome already, and it is not showing
    *any* http:// requests from the https:// page.

    Live HTTP Headers (Firefox) shows either https://server.name/path requests
    or server-relative /path requests. Period.

    Same url, yet internet explorer complains... I've got a knack for finding
    weird stuff like this. Anybody else seen this?


  • Peter Karman at Feb 22, 2011 at 3:19 am

    will trillich wrote on 2/21/11 5:50 PM:
    Okay -- we'd tried this approach using Chrome already, and it is not showing
    *any* http:// requests from the https:// page.

    Live HTTP Headers (Firefox) shows either https://server.name/path requests or
    server-relative /path requests. Period.

    Same url, yet internet explorer complains... I've got a knack for finding weird
    stuff like this. Anybody else seen this?
    I've been bitten by this when the .js or .css I am loading will load an img.
    E.g., ExtJS loads a s.gif file by default from http and I have had to edit the
    .js file(s) to use a https version instead.

    --
    Peter Karman . http://peknet.com/ . peter@peknet.com
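Several posts above hunt for the offending http:// fetch by hand (view-source, Firebug, Chrome's developer tools). As an added example, not code from the thread or from Catalyst, here is a static scanner that resolves every subresource reference against the https page URL, handles the "//" protocol-relative form and CSS url()/@import, and lists what would be fetched over plain http. The page URL, markup and class names are constructed.

```python
"""Static mixed-content scan of a page served over https (added example for
this thread, not Catalyst code).  Collects subresource URLs from HTML
attributes and from CSS url()/@import, resolves them against the page URL
(so '//cdn/x.js' inherits https, as the thread's '//' trick relies on), and
reports what a browser would fetch over plain http.  Sample markup is
constructed.  Resources a script fetches at run time (Peter's ExtJS s.gif
case) never appear in a static scan; only a network log shows those."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tags whose named attribute makes the browser fetch a subresource; <a href>
# is deliberately absent: links to other sites are not loaded into the page
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "embed": "src", "object": "data", "source": "src", "video": "src"}
CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")


def css_urls(css_text: str) -> list:
    """url(...) and @import targets from a stylesheet or style attribute."""
    return [a or b for a, b in CSS_URL_RE.findall(css_text)]


class SubresourceCollector(HTMLParser):
    """Gathers raw (unresolved) resource references from markup."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        key = SRC_ATTRS.get(tag)
        if key and attrs.get(key):
            self.refs.append(attrs[key])
        if attrs.get("style"):           # inline CSS can load images too
            self.refs.extend(css_urls(attrs["style"]))


def scan(page_url: str, html_text: str, stylesheets=()) -> dict:
    """Return {'insecure': [...], 'secure': [...]} of absolute resource URLs."""
    collector = SubresourceCollector()
    collector.feed(html_text)
    refs = list(collector.refs)
    for css in stylesheets:              # external stylesheets already fetched
        refs.extend(css_urls(css))
    report = {"insecure": [], "secure": []}
    for ref in refs:
        absolute = urljoin(page_url, ref)   # relative and '//' refs follow https
        bucket = "insecure" if urlsplit(absolute).scheme == "http" else "secure"
        report[bucket].append(absolute)
    return report
```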

Discussion Overview
group: catalyst
categories: catalyst, perl
posted: Feb 21, '11 at 3:32a
active: Feb 22, '11 at 3:19a
posts: 13
users: 9
website: catalystframework.org
irc: #catalyst
