HTTP to HTTPS and Back

Hi Folks,

 

 

this is great information on HTTP/HTTPS redirection. in particular the use of classes and data groups. i've definitely picked up some solid tips.

 

 

on the topic of http/https redirection . . . have any of you encountered loss of client-side application session variables when switching back and forth between SSL and non-SSL connections? we use similar redirection techniques in our environment, but we are suspicious of the HTTP::redirect method and the issued HTTP 302 causing the browser to flush the client-side session variables.

 

 

this seems to cause a problem if the browser is storing session info with a web or application server on the backend while using a HTTP session, and the iRule then parses the URL, decides to HTTP::redirect to "https://..." - so when the browser request lands on the back-end server again, it shows up with no session variables.

 

 

recently, i've converted some of the enforced SSL iRules over to using something along these lines . . .

 

 

when HTTP_REQUEST {

 

if {[HTTP::uri] equals "/secureThatLinkIfYouWill } {

 

HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" }

 

 

This seems to allow all of the client-side cookies to stay in-tact while switching back and forth, but on occasion, after a redirection, all of the client-side cookies are "gone"!

 

 

are these suspicions legitimate? are there any bullet-proof ways to prevent this?

 

 

I've been looking around for an elegant way to maintain session/state while allowing a smooth transition between HTTP/HTTPS connections for quite some time, so any tips would be greatly appreciated.

 

 

Thanks,

 

-ag