From: Aaron Trevena Date: Tue, 11 Oct 2005 20:22:31 +0000 (+0000) Subject: added more documentation on redirect_request and get_protocol X-Git-Tag: 2.11~123 X-Git-Url: https://git.decadent.org.uk/gitweb/?a=commitdiff_plain;h=349ed61cc56d78c7ce47eb08984c65d694d3aee0;p=maypole.git added more documentation on redirect_request and get_protocol git-svn-id: http://svn.maypole.perl.org/Maypole/trunk@395 48953598-375a-da11-a14b-00016c27c3ee --- diff --git a/lib/Maypole.pm b/lib/Maypole.pm index 4f52493..e8de04e 100644 --- a/lib/Maypole.pm +++ b/lib/Maypole.pm @@ -19,7 +19,7 @@ __PACKAGE__->mk_classdata($_) for qw( config init_done view_object ); __PACKAGE__->mk_accessors( qw( params query objects model_class template_args output path args action template error document_encoding content_type table - headers_in headers_out stash ) + headers_in headers_out stash) ); __PACKAGE__->config( Maypole::Config->new() ); __PACKAGE__->init_done(0); @@ -377,6 +377,10 @@ sub redirect_request { die "parse_location is a virtual method. Do not use Maypole directly; use Apache::MVC or similar"; } +sub redirect_internal_request { + +} + sub send_output { die "send_output is a virtual method. Do not use Maypole directly; use Apache::MVC or similar"; } diff --git a/lib/Maypole/Manual/Request.pod b/lib/Maypole/Manual/Request.pod index 0aa333a..64ee38b 100644 --- a/lib/Maypole/Manual/Request.pod +++ b/lib/Maypole/Manual/Request.pod @@ -53,6 +53,37 @@ or move the module loading to run-time (my preferred solution): BeerDB->setup("..."); BeerDB::Beer->require; +=head3 Redirecting to SSL for sensitive information + +You have a website with forms that people will be entering sensitive information into, +such as credit cards or login details. You want to make sure that they aren't sent +in plain text but over SSL instead. + +B + +The solution is a bit tricky for 2 reasons : + +Firstly -- Many browsers and web clients will change a redirected +POST request into a GET request (which displays all that sensitive information in the +browser, or access logs and possibly elsewhere) and/or drops the values on the floor. + +Secondly -- If somebody has sent that sensitive information in plain text already, then +sending it again over SSL won't solve the problem. + +Redirecting a request is actually rather simple : + +$r->redirect_request('https://www.example.com/path'); # perldoc Maypole for API + +.. as is checking the protocol : + +$r->get_protocol(); # returns 'http' or 'https' + +You should check that the action that generates the form that people will enter +the sensitive information into is https and redirect if not. + +You should also check that no information is lost when redirecting, possibly by +storing it in a session and retrieving it later - see Maypole::Plugin::Session + =head3 Debugging with the command line You're seeing bizarre problems with Maypole output, and you want to test it in