Forum OpenACS Q&A: How to avoid warning on redirect to non-secure section?
You are about to be redirected to a connection that is not secure. The information you are sending to the current site might be retransmitted to a nonsecure site. Do you wish to continue?
Has anyone else figured this out? I wonder if I'm being too paranoid in wanting to secure the log-in and I should just make the tradeoff for convenience?
Walter, in truth your problem is on the client side. Not all users get that warning--you can turn it off on the client. I think my solution was to put an interim page in that said "Thank you, you are now logged in", and issue the redirect from there. That's your solution, too, right?
Our experience has been that a lot of our users don't notice that they got logged in, and are confused when they are presented with the home page again (when they log in from the home page, anyway), and I think the extra "thanks you are logged in" page would make them feel better.
I consider this a security hole, but there's no way Microsoft is going to fix it.
We chose to keep the warning because it's true. We prepend a disclaimer to https://my.brandeis.edu/register/
If folks think this is a good idea, lash together a patch and new page and we can add it to the development branch of the tree ...
On a related note, have other people solved the problem of breaking out of secured pages? When I was trying to resolve that issue I found some code in one of the posts, but it didn't really work for me.
I ended up creating a much more elaborate solution that allows me to more finely tune what gets passed through SSL. I don't know if my solution creates excessive overhead or if there is a better approach out there, but that also seems like something that would be good to package up.