Announcement

**SteveRiley** · Jun 17, 2014, 12:25 AM

Is this helpful?

http://stackoverflow.com/questions/8...-https-to-http

**Feathers McGraw** · Jun 17, 2014, 01:03 AM

Unfortunately not, I'm quite comfortable with redirecting the whole bucket, but I can't do that because I use a CAcert SSL certificate so most people would get browser errors when they visit the site - ~~I only want to redirect administrators~~ I want to redirect everyone apart from administrators.

I think my solution above works and the redirect was caused by caching errors. Perhaps if I change it to [R=302,L] the browser won't remember the redirect so if I log off (and the cookie is removed) and then visit a page again I won't end up in an eternal loop.

I also received some drupal specific solutions on the Drupal forum:

https://drupal.org/node/2284075

**SteveRiley** · Jun 17, 2014, 01:07 AM

Interesting use case.

Re: caching ... I've pretty much given up on trusting whether browsers cache stuff properly. I now disable caching on all browsers on all machines.

**Feathers McGraw** · Jun 17, 2014, 01:17 AM

But bandwidth!

**SteveRiley** · Jun 17, 2014, 01:35 AM

Yeah, what about it? *muches celery*

**Feathers McGraw** · Jun 17, 2014, 02:28 AM

Yikes! That's very speedy!

Do you also disable caching on your mobile?

**SteveRiley** · Jun 17, 2014, 01:48 PM

Most mobile browsers seem to lack the ability to disable the cache. But I do disable DNS prefetch, page prefetch, and similar predictive junk.

**Feathers McGraw** · Jun 17, 2014, 02:04 PM

Originally posted by SteveRiley View Post

But I do disable...page prefetch, and similar predictive junk.

Isn't chrome the only browser that does that? I've never really been comfortable with the idea of a browser preloading pages you didn't click on, it seems like that makes CSRF attacks and other nasties so much easier.

**Feathers McGraw** · Jun 17, 2014, 02:42 PM

Hmm, I've just re-read the early part of the conversation and my response to your link doesn't make much sense (I was tired this morning!). To clarify, the reason the solution in the link wouldn't solve my problem is because it would redirect everyone (including me), but I want to redirect everyone apart from authenticated users / people with that secure cookie, i.e. me.

Also, I've been testing it some more and it works for Rekonq and AOSP but not Firefox on Linux or Android.

The only change I made this time is to change R=permanent to R=302... so it looks like there's something different about FF, I'll look into cranking up the logging on Apache to see if I can figure out what it is.

Edit: this might be one for ModSecurity's debug logging, I think if I set it to 4 or higher I should get the information about cookies that I need:

https://github.com/SpiderLabs/ModSec...al#SecDebugLog

Edit AGAIN: So I just restarted my laptop after an update to FF and whereas I was getting redirected to http before despite being logged in, now everything is A-OK. I'm a little bit unsure what changed, because I cleared all private data before I shut down and it didn't seem to have an effect. More investigation tomorrow - if nothing else I'll learn something about debugging Apache & ModSecurity!

**Feathers McGraw** · Jun 18, 2014, 02:06 PM

So... I loosened the cookie regex slightly and it seems to have done the trick:

Code:

RewriteCond %{HTTP_COOKIE} !^.*SSESS612cb529d2dfaadfff38b8731a3a4c8a.*$ [NC]
RewriteCond %{THE_REQUEST}      !user [NC]
RewriteRule ^/(.*)          http://www.samhobbs.co.uk/$1 [R=302,L]

**SteveRiley** · Jun 28, 2014, 11:12 PM

Originally posted by Feathers McGraw View Post

Isn't chrome the only browser that does that?

Some other Android browsers do this. Dolphin, for example.

Your question got me curious about Firefox. Let's see...

Whhaaaat?

network.dns.disablePrefetch

As of version 3.5, Firefox supports DNS prefetching. This is a feature by which Firefox proactively performs domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.

network.prefetch-next

Link prefetching is a browser mechanism, which utilizes browser idle time to download or prefetch documents that the user might visit in the near future. A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache.

Grrrr!

Shame on you, Mozilla, for not surfacing these controls in the Preferences dialogs!

**Feathers McGraw** · Jun 29, 2014, 03:32 AM

Hmmm... I wonder if it restricts prefetching to certain types of connection... if it does it on HTTPS it's essentially leaking some information about the content of the page you are viewing, because your browser will do a DNS lookup for every external link in the page...?

**Snowhog** · Jun 29, 2014, 03:40 PM

Originally posted by SteveRiley View Post

Grrrr!

Shame on you, Mozilla, for not surfacing these controls in the Preferences dialogs!

Thanks Steve. I've changed those settings just now.

**SteveRiley** · Jun 30, 2014, 11:40 PM

Originally posted by Feathers McGraw View Post

Hmmm... I wonder if it restricts prefetching to certain types of connection... if it does it on HTTPS it's essentially leaking some information about the content of the page you are viewing, because your browser will do a DNS lookup for every external link in the page...?

The Mozilla Developer Network page describing DNS prefetch says this about HTTPS:

Also, by default, prefetching of embedded link hostnames is not performed on documents loaded over HTTPS. This can be changed by setting the network.dns.disablePrefetchFromHTTPS preference to false.

The page about link prefetching is pretty clear that such fetches happen only if page developers include <link> tags or Link: headers. Both HTTP and HTTPS links can be prefetched. Note also the warnings about referrer headers and cookies:

Do prefetched requests contain a Referer: header?
Yes, prefetched requests include a HTTP Referer: header indicating the document from which the prefetching hint was extracted

Privacy implications
Along with the referral and URL-following implications already mentioned above, prefetching will generally cause the cookies of the prefetched site to be accessed. (For example, if you google amazon, the google results page will prefetch www.amazon.com, causing amazon cookies to be sent back and forth. You can block 3rd party cookies in Firefox, see Disabling third party cookies.)

We can infer from this that Google search results are full of <link> tags or Link: headers. Yet another reason to avoid Google it seems.

Announcement

A question about cookies

A question about cookies

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment