> But I've opened https://weblogin.domain1.net,
> log in there and go back to http://forum.domain1.net. And neither
> COSIGN_SERVICE nor REMOTE_USER are set at http://forum.domain1.net.

Why not, after authenticating, have the users just go back to
<https://weblogin.domain1.net>?

In order to allow a logged in user to view the pages as a logged in user
over port 80, the service cookies have to be transmitted in the clear. By
default, the filters mark the cookies as secure. I believe setting
CosignHttpOnly to On will create service cookies without the "secure" flag.

Jarod

On Apr 8, 2008, at 2:53 AM, Oleg Polovinkin wrote:

> Hello, all!
>
> Guys, please, help me, I'm lost completely. :(
>
> First of all - what goal I'm trying to achieve.
>
> I have several forums on different domains, let them be
>
> forum.domain1.net
> forum.domain2.org
> forum.domain3.ua
>
> They are as forums - users can read them without authorization, but to write
> answers users need to be registered and authorized.
>
> I want to save all these functionality, but use one auth system for all three
> forums. And I'm trying to use cosign for that. I installed cosign, (including
> mysql auth), friend system for create new accounts, made some fixes in code of
> forum software - all is working, but only in case I set
> "CosignAllowPublicAccess Off".
>
> I use Fedora Core 7/32bit for all hosts. Here's part of my apache config for
> forum virtual host (Apache/2.2.6):
>
> ------------------------------------------------------------------------------
> <VirtualHost *:80>
>     CosignHostname weblogin.domain1.net
>     CosignRedirect https://weblogin.domain1.net/
>     CosignPostErrorRedirect https://weblogin.domain1.net/cosign/post_error.html
>     CosignCrypto /etc/cosign/certs/mod_cosign.key /etc/cosign/certs/mod_cosign.crt /etc/cosign/certs/CA
>
>     CosignHttpOnly On
>     CosignCheckIP always
>     CosignProtected On
>
>     CosignAllowPublicAccess Off
>
>     CosignService forum.domain1.net
>
>     ServerAdmin [EMAIL PROTECTED]
>     DocumentRoot /var/www/vhosts/domain1
>     ServerName forum.domain1.net
>     ErrorLog logs/domain1-error.log
>     CustomLog logs/domain1-access.log common
>
>     <Directory /var/www/vhosts/domain1/>
>         Order Deny,Allow
>         Allow from all
>     </Directory>
> </VirtualHost>
> ------------------------------------------------------------------------------
>
> Here is apache config for cosign service weblogin.domain1.net:
>
> ------------------------------------------------------------------------------
> <VirtualHost *:443>
>
>     CosignHostname weblogin.domain1.net
>     CosignRedirect https://weblogin.domain1.net/
>     CosignPostErrorRedirect https://weblogin.domain1.net/cosign/post_error.html
>     CosignCrypto /etc/cosign/certs/mod_cosign.key /etc/cosign/certs/mod_cosign.crt /etc/cosign/certs/CA
>
>     # Redirect to auth
>     RedirectMatch ^/$ /cosign-bin/cosign.cgi
>     ScriptAlias /cosign-bin/ "/var/lib/cosign/cgi-ssl/"
>     ScriptAlias /cgi-bin/ "/var/lib/cosign/cgi-ssl/"
>     <Directory /var/lib/cosign/cgi-ssl/>
>         SSLOptions +StdEnvVars
>     </Directory>
>
>     # CoSign images and CSS
>     Alias /cosign/ "/var/lib/cosign/html/"
>
>     # Hardcoded redirect back
>     Redirect /services http://forum.domain1.net
>
>     ServerAdmin [EMAIL PROTECTED]
>     DocumentRoot /var/www/vhosts/weblogin
>     ServerName weblogin.domain1.net
>     ErrorLog logs/ssl-error.log
>     CustomLog logs/ssl-access.log common
>     <Directory /var/www/vhosts/weblogin/>
>         AllowOverride All
>         CosignProtected On
>         # Cookie name:
>         CosignService mod_cosign-1
>         Order Deny,Allow
>         Allow from all
>     </Directory>
>
>     # Friend related
>     #########################
>     Alias /friend/ /var/lib/cosign/friend/php/
>
>     <Directory /var/lib/cosign/friend/php>
>         # the account creation screen must not be cosign-protected :)
>         CosignProtected off
>     </Directory>
>
>     <Location /friend/acquaintance/>
>         SSLOptions +StdEnvVars
>         SSLVerifyClient require
>     </Location>
>
>     <Location /friend/passwd/>
>         CosignProtected on
>     </Location>
>
>     <Location /friend/invite/>
>         CosignProtected on
>     </Location>
> </VirtualHost>
> ------------------------------------------------------------------------------
>
> It's working, and I can check I'm authenticated by looking at COSIGN_SERVICE and
> REMOTE_USER server variables. But in this case users can't even see forum until
> they are authenticated with cosign.
>
> So I've tried to use:
> CosignAllowPublicAccess On
>
> to give unregistered users possibility to access forums as guests.
> Of course in this case there is no auto-redirect from http://forum.domain1.net
> to https://weblogin.domain1.net. But I've opened https://weblogin.domain1.net,
> log in there and go back to http://forum.domain1.net. And neither COSIGN_SERVICE
> nor REMOTE_USER are set at http://forum.domain1.net. :( So I can't make myself
> authenticated on forum.domain1.net when CosignAllowPublicAccess is set to "On".
>
> I misunderstood something in mechanics of cosign, I fear. Please, give me a
> clue. Or it's definitely impossible to use it such way I'm trying to?

_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
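
Added example (not part of the original thread and not Cosign code): the client-side cookie behaviour Jarod's reply relies on, modelled with Python's standard http.cookiejar. Only the hostnames come from the thread; the cookie names and values are constructed assumptions for illustration.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

LOGIN_HOST = "weblogin.domain1.net"      # hostname from the thread
FORUM_HOST = "forum.domain1.net"         # hostname from the thread
SERVICE_COOKIE = "cosign-" + FORUM_HOST  # assumed cookie name, illustration only


def make_cookie(name, host, secure):
    """Host-only session cookie with a constructed value."""
    return Cookie(
        version=0, name=name, value="constructed-value",
        port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar(service_cookie_secure):
    """Client state after a login: one login cookie, one service cookie."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("cosign", LOGIN_HOST, secure=True))
    jar.set_cookie(make_cookie(SERVICE_COOKIE, FORUM_HOST, service_cookie_secure))
    return jar


def cookies_sent(jar, url):
    """Names of the cookies the client attaches to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


if __name__ == "__main__":
    urls = ["http://%s/" % FORUM_HOST, "https://%s/" % FORUM_HOST,
            "https://%s/" % LOGIN_HOST]
    for secure in (True, False):
        jar = build_jar(secure)
        print("service cookie Secure =", secure)
        for url in urls:
            # A Secure cookie is withheld from plain-HTTP requests, and a
            # cookie scoped to one host is never sent to another host.
            print("  %-32s -> %s" % (url, cookies_sent(jar, url)))
```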
