ACE - keep user on SSL only if logged in

Unanswered Question
Jul 29th, 2009

Hi everyone

We have a complicated scenario which we need to achieve using the ACE4710. This is what we want to achieve:

1) User browses to site http://www.site.com.

2) User logs in and login is posted to secure path https://www.site.com/myaccount.

3) Once the user is logged in, all subsequent requests to http://www.site.com/* need to be redirected to https://www.site.com/*. In other words, once the user has accessed /myaccount within the session, all further requests must be SSL, no matter which page on the site they are on.

Is this possible with the ACE?

Thanks

Gilles Dufour Thu, 07/30/2009 - 05:19

ACE has no knowledge about what happened in a previous connection.

All you can do is inspect the header of the new http request and identify some information which could identify if the user is logged in or not.

For example, if the server sets a particular cookie when the client is logged in, you can check the presence of this cookie to determine if the client is connected and send the redirect to https.

BUT, since the client will potentially keep the same cookie, even if he logs out, then ACE will continue redirecting the client to https.

Only the server has the complete knowledge of the client state.

So the redirect should come from the server.

Gilles.
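
The difference between checking for a cookie and checking server-side session state, as an added example that is not part of the original thread and is not ACE configuration. The cookie name `SESSIONID`, the in-memory session store and the WSGI middleware are assumptions made for illustration; it also assumes the application can see whether the client-facing request was plain HTTP.

```python
from http.cookies import SimpleCookie

CANONICAL_HOST = "www.site.com"   # fixed host, so Location never echoes a client-supplied Host
COOKIE_NAME = "SESSIONID"         # hypothetical session cookie name
SESSIONS = {"abc123": True}       # constructed sample store: session id -> logged in


def cookie_only_decision(cookie_header):
    """What a device in front of the server can test: is the cookie present?"""
    return COOKIE_NAME in SimpleCookie(cookie_header)


def server_decision(cookie_header, sessions):
    """What only the server can test: does the cookie map to a live login?"""
    morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
    return morsel is not None and sessions.get(morsel.value, False)


def logout(session_id, sessions):
    """Invalidate the session server-side; the browser may still hold the cookie."""
    sessions.pop(session_id, None)


def force_https(app, sessions):
    """WSGI middleware: redirect plain-HTTP requests that belong to a logged-in session."""
    def middleware(environ, start_response):
        plain_http = environ.get("wsgi.url_scheme") == "http"
        if plain_http and server_decision(environ.get("HTTP_COOKIE", ""), sessions):
            path = environ.get("PATH_INFO", "/")
            query = environ.get("QUERY_STRING")
            location = f"https://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")
            start_response("302 Found", [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return middleware
```

After `logout()`, a request that still carries the old cookie passes the cookie-only test but fails the server-side one, which is the stale-cookie case described in the answer.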
