How should I make sure all Devise paths use https?

Related: Rails 3 forwarding SSL routing from https to http (unfortunately, it does not work).

Duplicate, but the answer didn't work for me: ssl setup during development

I have a web application that has been working fine for a while, but I need to add SSL on the account login / edit path. I use Devise for authentication. I found a wiki entry that made the process look pretty simple, but hell if I could get it to work. The simple part was as follows:

    #in config/environments/production.rb
    config.to_prepare { Devise::SessionsController.force_ssl }
    config.to_prepare { Devise::RegistrationsController.force_ssl }

And then this gist contains about 25 lines of code: https://gist.github.com/1040964

I got this to work well enough, but when I sign out I get a 301 from the DELETE session request, which sends me to a GET.

    Started DELETE "/users/sign_out" for 98.246.164.160 at 2012-03-02 01:45:42 +0000
    [02 Mar 01:45 10886 INFO] Processing by Devise::SessionsController#destroy as HTML
    [02 Mar 01:45 10886 INFO] Parameters: {"authenticity_token"=>"fI4VZ4V0Go2Civo3sJz8Dv5/Wtaa90ynaYr+xxx="}
    [02 Mar 01:45 10886 DEBUG] Parameters: {"_method"=>"delete", "authenticity_token"=>"fI4VZ4V0Go2Civo3sJz8Dv5/Wtaa90ynaYr+xxxx=", "action"=>"destroy", "controller"=>"devise/sessions"}
    [02 Mar 01:45 10886 INFO] Redirected to https://ec2-xx-xx-106-255.us-west-2.compute.amazonaws.com/users/sign_out
    [02 Mar 01:45 10886 INFO] Completed 301 Moved Permanently in 3ms
    Started GET "/users/sign_out" for xx.xx.164.160 at 2012-03-02 01:45:42 +0000
    [02 Mar 01:45 10886 FATAL] ActionController::RoutingError (No route matches [GET] "/users/sign_out"):

So, I think I need to start from scratch. What is the easiest way to make every Devise path use https, while the rest of the paths in my application use http? I tried this (from the SO post at the top):

    #devise routes
    scope :protocol => 'https://', :constraints => { :protocol => 'https://' } do
      devise_for :users, :controllers => { :registrations => :registrations }
      devise_for :admins
    end

But no go. I need a better suggestion.

+7
3 answers

There are no answers yet, so here is what I concluded:

  • As soon as you enter the site via https, do not go back to it through http until the user logs out (Firesheep attack). The wiki article has a lot of material that discusses having https only on the login / logout page. Bad idea.

  • All you really need is:

      #in config/environments/production.rb
      config.to_prepare { Devise::SessionsController.force_ssl }
      config.to_prepare { Devise::RegistrationsController.force_ssl }

  • I had a lot of problems related to 'after_sign_in_path' from Devise. It turns out that after_sign_out_path_for expects a path to be returned; it is not an event, it asks where the user should go. So I returned root_path :protocol => 'http://', and that took care of that.

+10

Make sure you use https in all of your Devise links (this avoids force_ssl redirection).

In your routes.rb (applies only in the production environment):

    scope defaults: (Rails.env.production? ? { protocol: 'https' } : {}) do
      devise_for :users
    end

Now in your application use:

    destroy_user_session_url # use _url instead of _path so the protocol is added!

Now your sign out / log out link (and the other Devise links) will point directly to https. No force_ssl rewrite from HTTP DELETE to HTTPS GET. Everything works :)

+3
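The failure in the question (a 301 on DELETE /users/sign_out that the browser retries as GET, which has no route) comes down to the status code used for the redirect. The following is an added example, not code from the question, any of the answers, Devise or Rails: a small Rack-style middleware in plain Ruby (no gems required) that forces HTTPS only on the Devise path prefixes, answers GET/HEAD with 301 and everything else with 307 so the method survives the redirect, and honours X-Forwarded-Proto only for the case where a TLS-terminating proxy sits in front of the app. The class name ForceHttpsForPaths, the prefix list and the sample host are my own assumptions; the request helper and the echo app stand in for Rails.

```ruby
# Added example: Rack-style middleware that forces HTTPS on selected path
# prefixes. Names (ForceHttpsForPaths, PROTECTED_PREFIXES) are assumptions,
# not Devise or Rails identifiers. Runs on plain Ruby without the rack gem.
class ForceHttpsForPaths
  # Constructed list matching Devise's default routes for :users and :admins.
  PROTECTED_PREFIXES = ['/users/', '/admins/'].freeze

  def initialize(app, prefixes: PROTECTED_PREFIXES)
    @app = app
    @prefixes = prefixes
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    return @app.call(env) unless protected?(path) && !https?(env)

    # 301 makes browsers retry with GET; 307 keeps the original method, so a
    # DELETE on /users/sign_out still arrives as DELETE on the https side.
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    location = https_url(env)
    [status, { 'Location' => location, 'Content-Type' => 'text/plain' },
     ["Redirecting to #{location}"]]
  end

  private

  def protected?(path)
    @prefixes.any? { |p| path == p.chomp('/') || path.start_with?(p) }
  end

  # The request scheme is authoritative. X-Forwarded-Proto is only meaningful
  # when a trusted proxy terminates TLS and strips the header from clients;
  # otherwise a client could claim https and bypass the redirect.
  def https?(env)
    return true if env['rack.url_scheme'] == 'https'

    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  def https_url(env)
    host = (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.split(':').first
    query = env['QUERY_STRING'].to_s
    "https://#{host}#{env['PATH_INFO']}#{query.empty? ? '' : "?#{query}"}"
  end
end

# Constructed downstream app standing in for Rails: echoes method and path.
DOWNSTREAM = lambda do |env|
  [200, { 'Content-Type' => 'text/plain' },
   ["#{env['REQUEST_METHOD']} #{env['PATH_INFO']}"]]
end

# Builds a minimal Rack env (constructed sample host example.test) and runs
# it through the middleware. Returns the [status, headers, body] triple.
def request(method, path, scheme: 'http', host: 'example.test', forwarded: nil)
  env = {
    'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'QUERY_STRING' => '',
    'rack.url_scheme' => scheme, 'HTTP_HOST' => host
  }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded if forwarded
  ForceHttpsForPaths.new(DOWNSTREAM).call(env)
end

if __FILE__ == $PROGRAM_NAME
  [['DELETE', '/users/sign_out', 'http'],
   ['GET', '/users/sign_in', 'http'],
   ['GET', '/', 'http'],
   ['DELETE', '/users/sign_out', 'https']].each do |m, p, s|
    status, headers, = request(m, p, scheme: s)
    puts "#{m} #{s}://example.test#{p} -> #{status} #{headers['Location']}"
  end
end
```

The DELETE over http now gets a 307 to https://example.test/users/sign_out rather than a 301, the plain-http root path is left alone, and requests already on https (or marked https by a trusted proxy) pass straight through. The same reasoning is why the second answer's approach of emitting https links with the _url helpers works: if the link is already https there is no redirect at all, so nothing can turn the DELETE into a GET.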

Try making the whole app HTTPS by adding:

    #in config/environments/production.rb
    config.force_ssl = true

I had the same problem. Sometimes it works fine, sometimes I get a 301 from a DELETE action and a redirect to a GET. This was a problem for me.

+2
