Re: Authentication using https


From: Skylos
Subject: Re: Authentication using https
Date: 22:52 on 10 Nov 2004
Michael, I'm sorry but I don't believe that is correct.  Having
recently implemented an Apache::AuthCookie system, I can see a possible
issue with this strategy.  Please feel free to enlighten me if I am
full of shit.

First of all, there's nothing stopping you from submitting your login
form to an https url.  That's not really the problem at all.

The problem you're probably going to run into has to do with cookies,
and user browsers, and domain names.

I'll assume the https and the http server have identical domain names,
obviating that possible problem.  If they were different with no
Domain parameter, or did not both match the Domain parameter of the
cookie, it wouldn't ever work, but I'm sure you know that.

When you set up your cookie, what are the Domain or host, and path
settings?  Are you explicitly defining them? Do the domain and path
match A. where the cookie is set AND B. where the cookie is being
used?  And in the end, does the browser send it?

It could go...

-> GET content from myserver port 80 
<- 403 errordocument login form
-> POST credentials to myserver port 443
<- Location http://myserver/content
<- Set-Cookie: ticket=gooduser; Domain=myserver; Path=content; 
-> GET content from myserver port 80
<- 403 errordocument login form

And the question would be... Why would the browser say GET without the
cookie attached?

It could be... because it didn't get the cookie from myserver:80 - it
got it from myserver:443 - and the security settings of the browser
say, 'enable only for the originating web server'

A workaround might be... on secure submission of the credentials
generate a hash that is verifiable on the https side, redirect the
user to the http side with that hash in the querystring to a
setting-cookies script that reads the hash out of the query string,
verifies it, then sets the cookie, THEN redirects the user to the
actual content.

Implementation is left as an exercise to the questioner.  Or a later
question.  ;)

Skylos

On Wed, 10 Nov 2004 13:28:07 -0800, Michael <michael@xxxxxxxxxxxxxxx.xxx> wrote:
> > All,
> >
> > I'm about to replace the authentication mechanism that
> > our web site uses. However I wanted to sanity check my
> > thought process.
> >
> > Is it possible to have an Authen handler sitting on
> > certain areas of a site, and if a user isn't logged in
> > (i.e. doesn't have an auth session cookie) we present
> > them with a form. (I can do this, but the next bit is
> > new to me). Then when they send their details, i.e.
> > username and password, they go over an SSL connection,
> > which provided they are correct, then shows the page
> > the user originally wanted?
> >
> > Basically I have a mechanism working that does this
> > without the SSL, but can I update it to use an SSL
> > connection for the login form submit?
> >
> > Marty
> >
> 
> see Apache-AuthCookie
> 
> I believe everything you want is implemented in this package

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
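The handoff Skylos sketches (the https side issues a verifiable value, the http side's cookie-setting script checks it and only then emits Set-Cookie and redirects to the content), as an added Python illustration that is not code from the thread or from Apache::AuthCookie. It assumes a secret shared by the https and http vhosts, a 60-second token lifetime and a nonce set kept by the http side, so a value that is forged, stale or replayed is refused rather than turned into a cookie.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed shared secret known to both vhosts (assumption, not a real key).
SECRET = b"constructed-shared-secret-for-illustration"
TOKEN_TTL = 60  # seconds a handoff value stays usable

def make_handoff_token(user, now=None):
    """https side, after the password check: user|expiry|nonce bound by an HMAC."""
    now = int(time.time() if now is None else now)
    body = f"{user}|{now + TOKEN_TTL}|{secrets.token_hex(8)}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def verify_handoff_token(token, seen_nonces, now=None):
    """http side: return the user the token vouches for, or None if it is bad."""
    now = int(time.time() if now is None else now)
    try:
        user, exp, nonce, sig = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{exp}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    if now > int(exp):
        return None  # stale: issued too long ago
    if nonce in seen_nonces:
        return None  # replayed: this value was already turned into a cookie
    seen_nonces.add(nonce)
    return user

def https_login_redirect(user, now=None):
    """Location header the https side sends: the http cookie-setting script."""
    return "http://myserver/setcookie?" + urlencode({"t": make_handoff_token(user, now)})

def http_setcookie(url, seen_nonces, now=None):
    """The cookie-setting script on port 80: verify, set the cookie, redirect."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    user = verify_handoff_token(token, seen_nonces, now)
    if user is None:
        return 403, {}
    # Cookie is now set by the http host itself, so the browser will send it back
    # on port 80; the value is a fresh opaque ticket, not the user name.
    ticket = secrets.token_hex(16)
    return 302, {"Set-Cookie": f"ticket={ticket}; Domain=myserver; Path=/content; HttpOnly",
                 "Location": "http://myserver/content"}
```

Mapping the ticket back to the user is server-side session state, which this sketch leaves out.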


Generated at 11:26 on 21 Dec 2004 by mariachi v0.52