httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron Turner <synfina...@gmail.com>
Subject Re: [users@httpd] Redirecting htaccess over SSL, then back to port 80?
Date Tue, 07 Jul 2009 17:40:06 GMT
On Tue, Jul 7, 2009 at 10:25 AM, Paul Reilly<pareilly@tcd.ie> wrote:

> I don't want to force all web access over HTTPS, just the .htaccess
> authentication.

Assuming you're doing standard HTTP Authentication, it doesn't work
that way.  Once you get the login popup, every subsequent request by
the browser sends the same authentication token (username & password
in clear text) to the server.

Hence, doing SSL for the first request doesn't really add to your
security since all the other requests would send the username &
password in clear text (some people think the user & pass are
"encrypted" but it's really just base64 encoding).

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message