httpd-users mailing list archives

From Aaron Turner <synfina...@gmail.com>
Subject Re: [users@httpd] Redirecting htaccess over SSL, then back to port 80?
Date Tue, 14 Jul 2009 16:09:12 GMT
On Tue, Jul 14, 2009 at 6:23 AM, Paul Reilly<pareilly@tcd.ie> wrote:
> Getting back to the original subject:
>
>> Assuming you're doing standard HTTP Authentication, it doesn't work
>> that way.  Once you get the login popup, every subsequent request by
>> the browser sends the same authentication token (username & password
>> in clear text) to the server.
>
> You're right - the Authentication: header is sent back on subsequent
> requests. However I have done some testing with mod_forensic to log
> which headers the client is sending. These are my findings:
>
> 1. User goes to a page which requires authentication over SSL
> https://mysite/securedir/  - prompted for user/pass.
> Authorization: header added with base64 encoded string
>
> 2. User visits any other pages on same server, over SSL
> Eg: https://mysite.tld/some-other-dir/  and Authorization: header
> stays with them. Browser keeps sending it. That's OK.
>
> 3. User clicks on a link back to the port 80 version of the site.
> http://mysite.tld/index.html   - The browser no longer seems to
> send the Authorization: header . It sees the http and https sites
> as different sites.
>
> If this is the case, then would the following approach work?
>
> 1) If detect .htaccess redirect to SSL version of site
> 2) user authenticates over SSL and accesses the pages they are interested
> in.
> 3) At some point, they click a menu link etc, and go back to port 80 and
>    the password is not exposed.

Honestly, I'm not sure if that's part of the HTTP spec or is client
specific (and I'm too lazy to read the RFCs), but I guess the
question really is what do you want to accomplish? What are your
security requirements?

To answer your question, based on the information you have provided,
that would appear to "work".

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
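For reference, the behaviour Paul observed in step 3 is what RFC 2617 section 1.2 specifies: a Basic-auth protection space is the server's canonical root URL (scheme, host and port) combined with the realm, so https://mysite.tld/ and http://mysite.tld/ are different protection spaces and a conforming client will not reuse the https credentials on the http side. The weak point in the proposed approach is step 1, because in Apache a RewriteRule in .htaccess (per-directory context) runs in the fixup phase, after mod_auth_basic has already issued its challenge, so the first request over plain HTTP would prompt for (and send) the password before the redirect happens. The configuration below is an added example, not code from either poster or from the Apache project; it moves the redirect into the port-80 virtual host, where server-context RewriteRules run in the URI-translation phase ahead of authentication, and adds SSLRequireSSL as a second line of defence. The hostname mysite.tld and the path /securedir come from the thread; the document root, certificate and htpasswd paths are assumed, and mod_rewrite, mod_ssl and mod_auth_basic are assumed to be loaded.

```apache
# Added example (not from the thread or the Apache project).
# Assumed paths: /var/www/mysite, /etc/ssl/..., /etc/apache2/htpasswd.securedir

<VirtualHost *:80>
    ServerName mysite.tld
    DocumentRoot /var/www/mysite

    # Server-context rewrite: applied during URI translation, i.e. before
    # check_user_id, so the client is sent to HTTPS before it can ever be
    # challenged for (and transmit) Basic credentials in the clear.
    RewriteEngine On
    RewriteRule ^/securedir(/.*)?$ https://mysite.tld/securedir$1 [R=301,L]

    # Everything else stays on port 80 and is not authenticated, which is
    # what lets users follow links back to the plain-HTTP pages afterwards.
</VirtualHost>

<VirtualHost *:443>
    ServerName mysite.tld
    DocumentRoot /var/www/mysite
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/mysite.tld.crt
    SSLCertificateKeyFile /etc/ssl/private/mysite.tld.key
</VirtualHost>

# Defined at server scope so it applies to both virtual hosts.
<Directory /var/www/mysite/securedir>
    # Defence in depth: mod_ssl evaluates SSLRequireSSL in the access_checker
    # phase, which precedes authentication. If a plain-HTTP request for this
    # directory ever gets past the redirect, it is refused with 403 before
    # any WWW-Authenticate challenge is sent, so no password is exposed.
    SSLRequireSSL

    AuthType Basic
    AuthName "Secure area"
    AuthUserFile /etc/apache2/htpasswd.securedir
    Require valid-user
</Directory>
```

Two things to check after deploying this: first, request http://mysite.tld/securedir/ with a client that does not follow redirects and confirm the response is a 301 with no WWW-Authenticate header; second, confirm that a page fetched from http://mysite.tld/ after logging in on the https side arrives with no Authorization header, which is the behaviour Paul verified with mod_forensic. Note that within the https protection space the browser will keep sending the Authorization header preemptively to every URL on that origin (Paul's step 2), so anything under https://mysite.tld/ that should not see those credentials needs to live on a different origin or realm.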

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

