
Bug 422767

Summary: Session broken between http and https
Product: Community
Component: Website
Status: RESOLVED FIXED
Severity: normal
Priority: P3
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Windows 7
Reporter: Henrik Rentz-Reichert <hrr>
Assignee: phoenix.ui <phoenix.ui-inbox>
QA Contact:
CC: chris.guindon, denis.roy, wayne.beaton
Whiteboard:
Attachments: Screenshot (flags: none)

Description Henrik Rentz-Reichert CLA 2013-11-28 09:43:26 EST
I can login to the website but when I change to the project plan it's forgotten. Therefore I'm not able to edit e.g. the project plan at
http://projects.eclipse.org/projects/modeling.mdt.etrice/releases/0.4.0
Comment 1 Christopher Guindon CLA 2013-11-28 09:45:59 EST
(In reply to Henrik Rentz-Reichert from comment #0)
> I can login to the website but when I change to the project plan it's
> forgotten. Therefore I'm not able to edit e.g. the project plan at
> http://projects.eclipse.org/projects/modeling.mdt.etrice/releases/0.4.0
Comment 2 Christopher Guindon CLA 2013-11-28 09:49:07 EST
I renamed this bug.

The session cookie for eclipse.org has the secure attribute and cannot be loaded on http.
Comment 3 Wayne Beaton CLA 2013-11-28 10:42:10 EST
Frankly, I'm surprised that we haven't seen this complaint before now. It's rather annoying.

The site only recognizes you as logged in when you use https. If you login, and then visit a page using http, it doesn't know that you're logged in.

The current work around is to change the url to:

https://projects.eclipse.org/projects/modeling.mdt.etrice/releases/0.4.0
Comment 4 Henrik Rentz-Reichert CLA 2013-11-28 10:56:13 EST
(In reply to Wayne Beaton from comment #3)
> The current work around is to change the url to:
> 
> https://projects.eclipse.org/projects/modeling.mdt.etrice/releases/0.4.0

Thanks, after the previous comments I already figured it should work this way and it actually did.

I stumbled upon this issue because even in an https connection the links in the side bar of the PMI switch to http. And I used that to navigate to the project plan.
Comment 5 Denis Roy CLA 2013-11-28 10:59:42 EST
I don't think this is a PMI thing.  It also applies to Wiki & forums and perhaps other sites.

I think our best solution is to a) create a domain-wide insecure cookie (usehttps=true or something along those lines) when a session is created and b) add some Apache redirects to capture the presence of usehttps on an http connection and redirect to the secure version of that URL.
Comment 6 Wayne Beaton CLA 2013-11-28 13:05:15 EST
(In reply to Denis Roy from comment #5)
> I don't think this is a PMI thing.  It also applies to Wiki & forums and
> perhaps other sites.
> 
> I think our best solution is to a) create a domain-wide insecure cookie
> (usehttps=true or something along those lines) when a session is created and
> b) add some Apache redirects to capture the presence of usehttps on an http
> connection and redirect to the secure version of that URL.

Sounds reasonable to me.
Comment 7 Denis Roy CLA 2013-11-29 15:44:59 EST
Proposed change:
https://git.eclipse.org/r/19149
Comment 8 Denis Roy CLA 2013-12-03 15:26:17 EST
Created attachment 237976
Screenshot

Pushed the change and applied to dev.  I've confirmed that the cookie is there.  Next step is to craft a redirect rule for PMI to use the cookie.
Comment 9 Denis Roy CLA 2013-12-03 15:35:18 EST
Something like this in the projects.eclipse.org non-ssl config:

    RewriteCond %{HTTP_COOKIE} ECLIPSE_ENV=S [NC]
    RewriteRule ^(.*)$  https://projects.eclipse.org$1 [L,R]
Comment 10 Denis Roy CLA 2014-05-26 16:20:00 EDT
Committed to www.eclipse.org:

    # Bug 422767 - Session broken between http and https
    RewriteCond %{HTTP_COOKIE} ECLIPSE_ENV=S [NC]
    RewriteRule ^(.*)$  https://www.eclipse.org$1 [L,R]
Comment 11 Denis Roy CLA 2014-09-11 11:45:47 EDT
We've addressed this.
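
The mechanism discussed in this thread, modelled as an added example that is not part of the original bug report or of Eclipse's code: the browser withholds the Secure session cookie on http, and the non-Secure ECLIPSE_ENV=S marker from comment 9 triggers the redirect to https. The session cookie name SESSION_ID, its value, the helper names and the "logged in" check are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure attribute: the browser sends the cookie over https only

# Constructed cookie jar after login: Secure session cookie plus non-Secure marker.
JAR = [
    Cookie("SESSION_ID", "constructed-secret", secure=True),  # hypothetical name/value
    Cookie("ECLIPSE_ENV", "S", secure=False),                 # marker from comment 9
]
PATH = "/projects/modeling.mdt.etrice/releases/0.4.0"

def cookie_header(jar, scheme):
    """Cookie header a browser would send; Secure cookies are withheld on http."""
    sent = [c for c in jar if scheme == "https" or not c.secure]
    return "; ".join(f"{c.name}={c.value}" for c in sent)

# Same test as `RewriteCond %{HTTP_COOKIE} ECLIPSE_ENV=S [NC]`:
# an unanchored, case-insensitive match against the whole Cookie header.
MARKER = re.compile(r"ECLIPSE_ENV=S", re.IGNORECASE)

def handle(scheme, host, path, jar):
    """Return (status, location, logged_in) for one request to the simulated site."""
    header = cookie_header(jar, scheme)
    if scheme == "http" and MARKER.search(header):
        # Equivalent of `RewriteRule ^(.*)$ https://host$1 [L,R]`; R defaults to 302.
        return 302, f"https://{host}{path}", False
    # Simplification: the site treats the user as logged in if the session cookie arrived.
    return 200, None, "SESSION_ID=" in header

if __name__ == "__main__":
    print(handle("http", "projects.eclipse.org", PATH, JAR[:1]))  # before the fix
    print(handle("http", "projects.eclipse.org", PATH, JAR))      # with the marker
    print(handle("https", "projects.eclipse.org", PATH, JAR))     # after the redirect
```

The marker travels in clear text and can be set by any client, so it is suitable only for choosing a redirect, never for deciding whether a user is authenticated.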