"contains both secure and non-secure items"

[Arty Ziff]

This could be an Apache question, but maybe not...

 

I have several directories where stuff is served up with an SSL conx.

 

One contains a bunch of user authentication scripts used on pages that need to be "logged in" to access.

 

Another contains pages for "logged in" users.

 

I've been careful such that pages for "logged in" users are not served anything from a non SSL conx.

 

Chrome tells me that this is so, but FF and ID tell me: "contains both secure and non-secure items"

 

What's the best way to track this down, find out what content is not being served up from a secure conx?

[Arty Ziff]

Actually, I've discovered that the directory that contains the scripts that authenticate users is not dishing it up via SSL.

 

Here's what I'm doing in httpd.conf...

 

Directory that's working fine:

<Directory "/home/my_site/public_html/secure">
    AllowOverride All
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} secure 
    RewriteRule ^(.*)$ https://www.my_site.com/secure/$1 [R,L]
</Directory>

Directory that's giving me non-SSL conectivity...

<Directory "/home/my_site/public_html/classes">
    AllowOverride All
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} secure
    RewriteRule ^(.*)$ https://www.my_site.com/classes/$1 [R,L]
</Directory>

But the directives are the same, why would one function how I want, but not the other?

[requinix]

What the browsers care about is what you initially told them to retrieve. If you are on an https:// page and there's a request for something http:// then it's insecure. Even if it'll end up in a redirect to a secure file, it started off insecure and that's what they're complaining about.

 

So just make sure nothing has a http:// link.