httpd-users mailing list archives

From nandelb...@s3os.net
Subject RE: [users@httpd] https redirected to http, different login?
Date Thu, 14 Apr 2005 16:37:31 GMT
> Not possible using basic_auth. The HTTP site and the HTTPS site are two
> different virtual hosts (they're on different ports!). So the browser will
> always regard them as two different authentication realms and never use
> the same credentials.
>
> However, I think you fundamentally misunderstand how basic_auth works.
> What happens is that the browser caches the username and password (aka:
> "credentials") from the first request and after, submits them with every
> request in the same "realm" (realm = any URL under the directory it first
> hit the authentication).
>
> So even if your scheme worked, it would not give any security because a
> snooper could extract the credentials from any HTTP requests which
> followed the HTTPS login.
>
> You have two options:
>
> - put everything under HTTPS (you're not worried about server load, are
> you?)

Yes, I'm worried about server load; the web content has a lot of photo
galleries.

> - use session-management to validate the user (ie, give him a cookie).

Thanks, I'll try that possibility, but I need to learn more about cookies ;(

> Does /path/to/webpage/1/2/4 exist?

Yes, I'm sure. But one consideration: the path is not inside the server root;
for example, it is "/usr/share/", and it has the correct permissions.

> what's in the error_log

[error] [client 213.176.161.201] File does not exist: [error] [client
123.123.123.123] File does not exist: /path/to/web/temp

It seems the server tries to find the alias name in ServerRoot/temp, and this
file does not exist; for this reason I create the alias.

> But do you have an "Allow from all" anywhere?

Yes. I tried to use "allow from all" (I need directory listing for all), but
it doesn't work... is this correct?

 <Directory "/path/to/list">
         Options Indexes
         AllowOverride None
         Allow from all
 </Directory>

Thanks.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
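
An added example, not part of the original message: it illustrates the quoted point that Basic credentials are resent with every request in the realm and are only base64-encoded, so any request sent over plain HTTP exposes them. The host name, user, password and request list are constructed, and the sample models the hypothetical scheme in which HTTP requests follow the HTTPS login.

```python
import base64
from urllib.parse import urlsplit

def basic_header(user, password):
    """Authorization value a browser resends on every request in the realm."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

def decode_basic(value):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def plaintext_exposures(requests):
    """List (url, user) for requests carrying Basic credentials over http://."""
    findings = []
    for url, headers in requests:
        auth = {k.lower(): v for k, v in headers.items()}.get("authorization")
        creds = decode_basic(auth) if auth else None
        if creds and urlsplit(url).scheme == "http":
            findings.append((url, creds[0]))
    return findings

# Constructed sample: login over HTTPS, then gallery pages fetched over HTTP.
CRED = basic_header("alice", "s3cret")
SAMPLE = [
    ("https://www.example.org/members/", {"Authorization": CRED}),
    ("http://www.example.org/members/gallery/1.jpg", {"Authorization": CRED}),
    ("http://www.example.org/members/gallery/2.jpg", {"authorization": CRED}),
    ("http://www.example.org/public/index.html", {}),
]

if __name__ == "__main__":
    for url, user in plaintext_exposures(SAMPLE):
        print(f"credentials for {user!r} sent in clear: {url}")
```

The HTTPS request carries the same header but is not reported, because only the two plain-HTTP gallery requests put it on the wire unencrypted.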

