Re: Authentication using https
[Date index for 2004/11/11]
Cheers Fellas, this was the bit I was concerned about.
Apache::AuthCookie looked a little bloated to me;
however, I'm a big fan of only inventing new types of
wheels, not old, so I'll revisit...
Regards
Marty
--- Michael J Schout <mschout@xxx.xxx> wrote:
> On Wed, 10 Nov 2004, Skylos wrote:
>
> > it could go...
> >
> > -> GET content from myserver port 80
> > <- 403 errordocument login form
> > -> POST credentials to myserver port 443
> > <- Location http://myserver/content
> > <- Set-Cookie: ticket=gooduser; Domain=myserver; Path=content;
> > -> GET content from myserver port 80
> > <- 403 errordocument login form
> >
> > And the question would be... Why would the browser say GET without the
> > cookie attached?
> >
> > It could be... because it didn't get the cookie from myserver:80 - it
> > got it from myserver:443 - and the security settings of the browser
> > say, 'enable only for the originating web server'
>
> The port numbers do not matter at all. There are a number of things you
> need to be aware of for cookies to work properly in this scenario.
>
> - If you want the cookie to be presented over non-SSL connections, you
>   need to make sure that AuthNameSecure is not turned on in AuthCookie.
>   The "Secure" setting tells the browser to only send the cookie over
>   SSL connections.
>
> - If you're using MSIE, you also need to properly create a P3P policy,
>   otherwise MSIE might not return the cookie (depending on security
>   settings). The way you create a P3P policy is beyond the scope of
>   this email. In AuthCookie you can do this with something like:
>
>     PerlSetVar AuthNameP3P "CP=\"ALL DSP ...\""
>
>   but you need to read up on P3P to know what the value should be.
>
> But there is no problem issuing cookies on HTTPS and having the browser
> return them over non SSL provided that the "Domain" parameter of the
> cookie is properly set, and the "Secure" setting is turned off.
>
> Regards,
> Michael Schout
>
> --
> Report problems: http://perl.apache.org/bugs/
> Mail list info:
> http://perl.apache.org/maillist/modperl.html
> List etiquette:
> http://perl.apache.org/maillist/email-etiquette.html
>
>
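An added example (not from the thread and not Apache::AuthCookie code) that models the browser-side rule discussed in the quoted reply: a simplified subset of RFC 6265 cookie matching, in which the port plays no part and only the Secure attribute keeps a cookie set over HTTPS from being returned over plain HTTP. The host name `myserver.example`, the `/content` path and all function names are assumptions, and the Set-Cookie headers are constructed.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_url):
    """Parse one Set-Cookie value (simplified subset of RFC 6265)."""
    first, *attrs = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "secure": False, "path": "/",
              "domain": urlsplit(origin_url).hostname, "host_only": True}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain" and val:
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie

def domain_match(host, cookie):
    if cookie["host_only"]:          # no Domain attribute: exact host only
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def path_match(req_path, cookie_path):
    if req_path == cookie_path:
        return True
    return req_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or req_path[len(cookie_path)] == "/")

def would_send(cookie, url):
    """True if a browser would attach the cookie to a request for url."""
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False                 # Secure: returned over HTTPS only
    # u.port is never consulted: cookies are not isolated by port.
    return domain_match(u.hostname, cookie) and path_match(u.path or "/", cookie["path"])

def sent_in_cleartext(cookie, url):
    return would_send(cookie, url) and urlsplit(url).scheme == "http"

# Constructed headers modelled on the exchange in the thread.
ORIGIN = "https://myserver.example:443/login"
PLAIN = parse_set_cookie("ticket=gooduser; Domain=myserver.example; Path=/content", ORIGIN)
SECURE = parse_set_cookie("ticket=gooduser; Domain=myserver.example; Path=/content; Secure", ORIGIN)

if __name__ == "__main__":
    for label, c in (("no Secure", PLAIN), ("Secure", SECURE)):
        for url in ("http://myserver.example:80/content", "https://myserver.example:443/content"):
            print(label, url, "sent" if would_send(c, url) else "withheld")
```

`sent_in_cleartext` marks the case where the ticket crosses the network unencrypted, which is what leaving Secure off permits.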