Re: Authentication using https


From: Michael J Schout
Subject: Re: Authentication using https
Date: 05:20 on 11 Nov 2004
On Wed, 10 Nov 2004, Skylos wrote:

> it could go...
>
> -> GET content from myserver port 80
> <- 403 errordocument login form
> -> POST credentials to myserver port 443
> <- Location http://myserver/content
> <- Set-Cookie: ticket=gooduser; Domain=myserver; Path=content;
> -> GET content from myserver port 80
> <- 403 errordocument login form
>
> And the question would be... Why would the browser say GET without the
> cookie attached?
>
> It could be... because it didn't get the cookie from myserver:80 - it
> got it from myserver:443 - and the security settings of the browser
> say, 'enable only for the originating web server'

The port numbers do not matter at all.  There are a number of things you
need to be aware of for cookies to work properly in this scenario.

- If you want the cookie to be presented over non-SSL connections, you
   need to make sure that AuthNameSecure is not turned on in AuthCookie.
   The "Secure" setting tells the browser to only send the cookie over
   SSL connections.

- If you're using MSIE, you also need to properly create a P3P policy,
   otherwise MSIE might not return the cookie (depending on security
   settings).  The way you create a P3P policy is beyond the scope of
   this email.  In AuthCookie you can do this with something like:

   PerlSetVar AuthNameP3P "CP=\"ALL DSP ...\""

   but you need to read up on P3P to know what the value should be.

But there is no problem issuing cookies on HTTPS and having the browser
return them over non-SSL provided that the "Domain" parameter of the
cookie is properly set, and the "Secure" setting is turned off.

Regards,
Michael Schout

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
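The behaviour Michael describes (a cookie set on the HTTPS login response is returned on plain-HTTP requests to the same host, whatever the port, as long as Domain/Path match and the Secure flag is off) can be checked offline with Python's standard cookie jar, which implements the same Netscape-era rules browsers of that time used. This is an added example, not code from the post or from Apache::AuthCookie; the hostnames, paths and ticket value are constructed. Two details differ from the quoted exchange on purpose: the Path is written as /content with a leading slash, since a path value that does not start with "/" is ignored by cookie implementations, and the host has embedded dots, because http.cookiejar (like old browsers) rejects a Domain attribute such as "myserver" that has none.

```python
"""Simulate a browser cookie jar receiving a cookie over HTTPS and then
deciding whether to send it on later HTTP/HTTPS requests.

Added example, not from the mailing-list post. Hostnames, paths and the
ticket value are constructed for illustration.
"""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return something with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = set_cookie_headers

    def info(self):
        msg = email.message.Message()
        for value in self._headers:
            msg.add_header("Set-Cookie", value)
        return msg


def cookie_header_for(set_cookie, issued_at, requested_at):
    """Receive `set_cookie` in the response to a request for `issued_at`,
    then return the Cookie header the jar attaches to a request for
    `requested_at`, or None if the jar decides not to send the cookie."""
    jar = http.cookiejar.CookieJar()  # default (liberal Netscape) policy
    login = urllib.request.Request(issued_at)
    jar.extract_cookies(FakeResponse([set_cookie]), login)
    follow_up = urllib.request.Request(requested_at)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


# Constructed URLs: the ticket is issued on the HTTPS login (port 443) and
# the content is then fetched over plain HTTP on port 80, a non-default
# port, and over HTTPS again.
LOGIN_URL = "https://www.example.com/login"
CONTENT_HTTP = "http://www.example.com/content/index"
CONTENT_ALT_PORT = "http://www.example.com:8080/content/index"
CONTENT_HTTPS = "https://www.example.com/content/index"
OTHER_PATH = "http://www.example.com/other"

# Cookie scoped by Domain and Path, Secure flag off (what the post recommends
# when the content must also be served over non-SSL connections).
PLAIN = "ticket=gooduser; Domain=www.example.com; Path=/content"
# Same cookie with the Secure flag, i.e. AuthCookie's <AuthName>Secure on.
SECURE = PLAIN + "; Secure"


def scenarios():
    """Return {description: Cookie header or None} for each case."""
    return {
        "plain cookie, http port 80": cookie_header_for(PLAIN, LOGIN_URL, CONTENT_HTTP),
        "plain cookie, http port 8080": cookie_header_for(PLAIN, LOGIN_URL, CONTENT_ALT_PORT),
        "plain cookie, https": cookie_header_for(PLAIN, LOGIN_URL, CONTENT_HTTPS),
        "secure cookie, http port 80": cookie_header_for(SECURE, LOGIN_URL, CONTENT_HTTP),
        "secure cookie, https": cookie_header_for(SECURE, LOGIN_URL, CONTENT_HTTPS),
        "plain cookie, path outside /content": cookie_header_for(PLAIN, LOGIN_URL, OTHER_PATH),
    }


if __name__ == "__main__":
    for name, header in scenarios().items():
        print(f"{name:38s} -> {header}")
```

The plain cookie comes back on port 80, port 8080 and over HTTPS alike, confirming that the port the cookie was issued on plays no role; only the Secure flag stops it from being sent over http://, and only a non-matching Path stops it otherwise. In Apache::AuthCookie terms the three attributes are the <AuthName>Domain, <AuthName>Path and <AuthName>Secure PerlSetVars, so a cookie that is never returned over plain HTTP is the expected result of leaving <AuthName>Secure on.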

Authentication using https
Martin Moss 17:06 on 10 Nov 2004

Re: Authentication using https
Michael 21:28 on 10 Nov 2004

Re: Authentication using https
John Wittkoski 22:49 on 10 Nov 2004

Re: Authentication using https
Skylos 22:52 on 10 Nov 2004

Re: Authentication using https
Michael J Schout 05:20 on 11 Nov 2004

Re: Authentication using https
Martin Moss 11:08 on 11 Nov 2004

Re: Authentication using https
David Nicol 22:51 on 12 Nov 2004
