httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Reilly <parei...@tcd.ie>
Subject Re: [users@httpd] Redirecting htaccess over SSL, then back to port 80?
Date Tue, 14 Jul 2009 13:23:11 GMT
Getting back to the original subject:

Assuming you're doing standard HTTP Authentication, it doesn't work
> that way.  Once you get the login popup, every subsequent request by
> the browser sends the same authentication token (username & password
> in clear text) to the server.
>

You're right -  the Authentication: header is sent back on subsequent
requests. However I have done some testing with mod_forensic  to log
which headers the client is sending. These are my findings:

1. User goes to a page which requires authentication over SSL
https://mysite/securedir/  - prompted for user/pass.
Authorization: header added with base64 encoded string

2. User visits any other pages on same server, over SSL
Eg: https://mysite.tld/some-other-dir/  and Authorization: header
stays with them. Browser keeps sending it. That's OK.

3. User clicks on a link back to the port 80 version of the site.
http://mysite.tld/index.html   - The browser no longer seems to
send the Authorization: header . It sees the http and https sites
as different sites.

If this is the case, then would the following approach work?

1) If detect .htaccess redirect to SSL version of site
2) user authenticates over SSL and accesses the pages they are interested
in.
3) At some point, they click a menu link etc, and go back to port 80 and
password
    is not exposed.


Paul


> Hence, doing SSL for the first request doesn't really add to your
> security since all the other requests would send the username &
> password in clear text (some people think the user & pass are
> "encrypted" but it's really just base64 encoding).
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
> Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
>    -- Benjamin Franklin
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>


-- 
Paul Reilly
Systems Group
IS Services
Trinity College Dublin
e: paul.reilly@tcd.ie
p: +353-1-896-2152

Mime
View raw message