Hi all,
I'm seeing some unexpected behaviour, and I'm not sure if this is a config 
error or misunderstanding on my part, or "something else"...

I have a CoSign-authenticated webapp that can be accessed on either port 80 or 
port 443. This is on Apache httpd (2.2.22), with mod_cosign 3.2.0.

My expectation is that after the authentication redirect, a request would be 
redirected back to the same port and protocol that it was made on originally, 
but it doesn't seem to be working that way.

As I understand it, by default (CosignHttpOnly not set), requests always get 
redirected onto an HTTPS URL.
I've always assumed that setting "CosignHttpOnly On" simply relaxed that 
redirection, so that using non-SSL was OK, but it seems to be acting weirder 
than that.

If I have "CosignHttpOnly Off" (or not specified), a request to 
https://webapp/hellocosign succeeds as expected,
and a request to http://webapp/hellocosign redirects to 
https://webapp/hellocosign as documented.

If I have "CosignHttpOnly On", a request to http://webapp/hellocosign succeeds 
as expected,
but a request to https://webapp/hellocosign acts weird. If you go to 
http://webapp/hellocosign first (presumably so your cookie gets verified), all 
is well. However, if your first request is to https://webapp/hellocosign, you 
get redirected to http://webapp:443/hellocosign, and the request fails.

Obviously, if I really want to, I could work round this by putting a separate 
CoSign config into each virtual host, but that makes maintenance pretty tedious.

I guess I'm going to leave CosignHttpOnly unset on this application, but it 
smells a bit like a bug to me.

Steve.
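
The four cases described in the message above can be captured as a small regression check on the return URL. This is an added example, not part of the original post or of mod_cosign; the function names and finding labels are hypothetical, and the return URLs are the ones the post reports.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(parts):
    """Explicit port if present, otherwise the scheme's default."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def check_return_url(original, returned):
    """Compare the URL first requested with the URL the browser ends up on."""
    o, r = urlsplit(original), urlsplit(returned)
    findings = []
    if o.hostname != r.hostname:
        findings.append("host-changed")
    if (o.scheme, r.scheme) == ("https", "http"):
        findings.append("scheme-downgrade")      # session now travels in cleartext
    elif (o.scheme, r.scheme) == ("http", "https"):
        findings.append("scheme-upgrade")        # documented when CosignHttpOnly is off
    elif o.scheme == r.scheme and effective_port(o) != effective_port(r):
        findings.append("port-changed")
    # Port that is the well-known default of a different scheme, e.g. http on 443.
    if any(effective_port(r) == p and s != r.scheme for s, p in DEFAULT_PORTS.items()):
        findings.append("scheme-port-mismatch")
    return findings


# Constructed cases using the URLs from the post: (setting, first request, return URL).
CASES = [
    ("CosignHttpOnly Off", "http://webapp/hellocosign", "https://webapp/hellocosign"),
    ("CosignHttpOnly Off", "https://webapp/hellocosign", "https://webapp/hellocosign"),
    ("CosignHttpOnly On", "http://webapp/hellocosign", "http://webapp/hellocosign"),
    ("CosignHttpOnly On", "https://webapp/hellocosign", "http://webapp:443/hellocosign"),
]

if __name__ == "__main__":
    for setting, first, back in CASES:
        print(f"{setting:19} {first} -> {back}: {check_return_url(first, back) or 'ok'}")
```

Only the last case produces both `scheme-downgrade` and `scheme-port-mismatch`, which is the combination worth alerting on when testing a shared CoSign configuration across port 80 and port 443 virtual hosts.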


