Re: Authentication using https


From: John Wittkoski
Subject: Re: Authentication using https
Date: 22:49 on 10 Nov 2004

Michael wrote on 11/10/04, 4:28 PM:

 > > All,
 > >
 > > I'm about to replace the authentication mechanism that
 > > our web site uses. However I wanted to sanity check my
 > > thought process.
 > >
 > > Is it possible to have an Authen handler sitting on
 > > certain areas of a site, and if a user isn't logged in
 > > (i.e. doesn't have an auth session cookie) we present
 > > them with a form. (I can do this, but the next bit is
 > > new to me). Then when they send their details, i.e.
 > > username and password, they go over an SSL connection,
 > > which provided they are correct, then shows the page
 > > the user originally wanted?
 > >
 > > Basically I have a mechanism working that does this
 > > without the SSL, but can I update it to use an SSL
 > > connection for the login form submit?
 > >
 > > Marty
 > >
 >
 > see Apache-AuthCookie
 >
 > I believe everything you want is implemented in this package
 >

Marty,

Apache-AuthCookie does provide a mechanism similar to what you 
described. It sounds like you've already designed an Apache-AuthCookie 
clone. :-)

However, Apache-AuthCookie will not protect the initial submission of 
the password from being snooped.

Assuming that you already have your Apache server set up to use SSL, you 
should be able to put the login form verification script in an 
appropriate place served by the SSL config, and just point the login 
form action to that script. Then the script would redirect the user back 
to the original non-SSL page (if the login credentials were verified, of 
course.)

I'm assuming here that the same Apache instance is listening for non-SSL 
and SSL. (This is the default if mod_ssl is enabled.) If you have 
independent Apache instances running on 80 and 443 (possible but 
unlikely), or your SSL-ified Apache is on a different box, this may 
cause problems, depending on how your login script works.


    --John
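A worked example of the layout John describes, added here and not code from the thread or from Apache::AuthCookie itself: a hypothetical Apache::AuthCookie subclass whose credential check refuses to run unless the login POST arrived over SSL, followed by the httpd.conf fragment that serves /LOGIN from the :443 vhost only while both vhosts protect /members. It assumes mod_perl 1 with Apache::AuthCookie 3 and Digest::SHA installed; the package name, user table and secret are placeholders.

```perl
package Sample::SslLoginHandler;
use strict; use warnings;
use base 'Apache::AuthCookie';
use Digest::SHA qw(hmac_sha256_hex);   # assumes Digest::SHA is installed
my $SECRET = 'PLACEHOLDER-random-server-secret';   # placeholder, set per server
my %USERS  = (marty => 'correct-horse');           # constructed sample store
# AuthCookie's login handler calls this with credential_0/credential_1;
# return the cookie value on success, undef to show the login form again.
sub authen_cred {
    my ($self, $r, $user, $pass) = @_;
    # Fail closed unless the POST arrived over SSL (mod_ssl exports HTTPS=on
    # when SSLOptions +StdEnvVars is set): never verify a plaintext password.
    return unless ($r->subprocess_env('HTTPS') || '') eq 'on';
    return unless defined $user && defined $pass
        && exists $USERS{$user} && $USERS{$user} eq $pass;
    my $payload = "$user:" . (time() + 8 * 3600);   # user:expiry
    return "$payload:" . hmac_sha256_hex($payload, $SECRET);
}
# Called on each request to a protected area with the cookie value.
# Return the user name only if the MAC checks out and the key is unexpired.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    my ($user, $expires, $mac) = split /:/, $key, 3;
    return unless defined $mac && $expires =~ /^\d+$/ && $expires > time();
    return unless $mac eq hmac_sha256_hex("$user:$expires", $SECRET);
    return $user;
}
1;
__END__
# httpd.conf fragment: :80 and :443 share one hostname, so the cookie set by
# the SSL login is sent back with the later non-SSL requests.
PerlModule Sample::SslLoginHandler
PerlSetVar SslLoginPath /
# login.pl posts to action="https://HOST/LOGIN" with a hidden "destination"
PerlSetVar SslLoginLoginScript /login.pl
<Location /members>
  AuthType Sample::SslLoginHandler
  AuthName SslLogin
  PerlAuthenHandler Sample::SslLoginHandler->authenticate
  PerlAuthzHandler Sample::SslLoginHandler->authorize
  require valid-user
</Location>
<VirtualHost _default_:443>
  SSLOptions +StdEnvVars
  <Location /LOGIN>
    AuthType Sample::SslLoginHandler
    AuthName SslLogin
    SetHandler perl-script
    PerlHandler Sample::SslLoginHandler->login
  </Location>
</VirtualHost>
```

Because the browser must send the cookie back with the non-SSL requests, it cannot carry the Secure flag, so this setup protects the password but leaves the session cookie itself exposed on the plain-HTTP pages.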




