Sunday, December 24, 2006

Redirecting to HTTPS in Rails

There are a couple of simple steps to take to secure your login pages with Rails. First, you'll need a certificate. I got mine through my ISP, so I don't have much insight into that part; it was uneventful and worked right away.

Once you have the certificate and HTTPS works for your site, you'll need a before filter on any actions that should be HTTPS and another one to send all other actions back to HTTP. For example:

before_filter :require_https, :only => [:login, :signup, :change_password]
before_filter :require_http, :except => [:login, :signup, :change_password]

def require_https
  # local_request? keeps development on localhost working without a certificate
  redirect_to :protocol => "https://" unless (@request.ssl? or local_request?)
end

def require_http
  redirect_to :protocol => "http://" if (@request.ssl?)
end

This will put any pages that should be HTTPS in the right protocol. Keep the two action lists identical: an action named in the first filter's :only list but left out of the second filter's :except list would be handled by both filters and bounce between https:// and http:// on every request.
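To see the filter logic outside of a running Rails app, here is an added example that is not code from the original post. It models the two before filters and the :only/:except declarations as plain Ruby, including the loopback edge case and a check for the redirect loop that appears when the two action lists drift apart. The Request struct, the host names and the addresses are constructed for illustration.

```ruby
# Added example, not code from the original post: a stand-alone model of the
# two before filters so the redirect decision (and the redirect-loop failure
# mode) can be checked without a running Rails app. Request, the action
# lists and the sample values below are constructed for illustration.

# Mirrors the post's filter declarations. Both lists must name the same
# actions; see looping_actions below for what happens when they drift apart.
HTTPS_ONLY  = %w[login signup change_password].freeze   # :require_https, :only => ...
HTTP_EXCEPT = %w[login signup change_password].freeze   # :require_http, :except => ...

# Constructed stand-in for the parts of a Rails request the filters consult.
Request = Struct.new(:action, :ssl, :remote_ip, :host, :path) do
  def ssl?
    ssl
  end

  # Rails' local_request? is true for loopback clients, so development
  # without a certificate is not forced onto HTTPS.
  def local?
    %w[127.0.0.1 ::1].include?(remote_ip)
  end
end

# Equivalent of: redirect_to :protocol => "https://" unless (@request.ssl? or local_request?)
# Returns the redirect URL, or nil when the request may proceed.
def require_https(request)
  return nil if request.ssl? || request.local?
  "https://#{request.host}#{request.path}"
end

# Equivalent of: redirect_to :protocol => "http://" if (@request.ssl?)
def require_http(request)
  return nil unless request.ssl?
  "http://#{request.host}#{request.path}"
end

# Which filters Rails would run for an action, given the :only/:except lists.
def filters_for(action, https_only = HTTPS_ONLY, http_except = HTTP_EXCEPT)
  filters = []
  filters << :require_https if https_only.include?(action)
  filters << :require_http unless http_except.include?(action)
  filters
end

# The first filter that redirects wins, as in a Rails filter chain.
def redirect_for(request, https_only = HTTPS_ONLY, http_except = HTTP_EXCEPT)
  filters_for(request.action, https_only, http_except).each do |filter|
    target = send(filter, request)
    return target if target
  end
  nil
end

# Actions covered by :require_https but not excluded from :require_http get
# both filters and bounce between https:// and http:// on every request.
def looping_actions(https_only, http_except)
  https_only.reject { |a| http_except.include?(a) }
end

if __FILE__ == $0
  r = Request.new("login", false, "203.0.113.5", "www.example.com", "/user/login")
  puts "login over http -> #{redirect_for(r).inspect}"
  puts "loops if signup is left out of :except -> #{looping_actions(HTTPS_ONLY, %w[login change_password]).inspect}"
end
```

Run it with `ruby filters.rb`; the second line of output shows which action would loop if :signup were dropped from the :require_http :except list while still being listed under :require_https.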

And, if you have a login form on an HTTP page (this may be on the home page of a site), you'll need the form action to point to the HTTPS version of the login action. To do this, call the "start_form_tag" helper like so:

<%= start_form_tag({:protocol => 'https://', :controller => 'user', :action=> "login", :only_path=> false}) %>

This is necessary to set the protocol to https. Note that "only_path" is set to "false". It defaults to true, and a path-only URL carries no protocol, so the ":protocol" option is ignored unless "only_path" is set to false.