On Thu, 13 Jun 2002, Brian Reichert wrote:

> Apache::AuthTicket says:
>
>   Finally, by using the Secure mode of Apache::AuthCookie, the
>   ticket is not passed over unencrypted connections.
>
> Passed in what direction?

Client -> server. rfc2109 says:

   Secure
      Optional. The Secure attribute (with no value) directs the user
      agent to use only (unspecified) secure means to contact the origin
      server whenever it sends back this cookie.

      The user agent (possibly under the user's control) may determine
      what level of security it considers appropriate for "secure"
      cookies. The Secure attribute should be considered security advice
      from the server to the user agent, indicating that it is in the
      session's interest to protect the cookie contents.

see http://www.ietf.org/rfc/rfc2109.txt

> It would only go server->client if the client made an SSL request.

No. Your browser should not return the cookie to the server if the
connection is not "secure" (meaning encrypted via SSL in practicality).
The converse is not true. The cookie *WILL* be sent from server to your
browser. If your browser misbehaves with it by returning it over a
non-SSL connection, then your browser is broken and there's nothing
AuthCookie can do to prevent that.

> I suppose my real question is:
>
>   How can I intercept an unencrypted request for a protected document,
>   but have the login form be submitted over an encrypted channel?

There are lots of ways to do this. One way that comes to mind is using
mod_rewrite to check if the user is in HTTPS mode or not, and if not,
then redirect them to HTTPS.

Mike
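The mod_rewrite approach Mike describes, written out as an added example (this is not part of the original message or of the Apache::AuthCookie distribution). It assumes the protected area lives under /protected and that mod_ssl is loaded so the %{HTTPS} variable is available; the host is taken from the request rather than hard-coded.

```apache
# Added example: push any plain-HTTP request for the protected area
# onto HTTPS before AuthCookie ever shows the login form.
# The /protected path is an assumption for illustration.
RewriteEngine On

# %{HTTPS} is "off" (or unset) when the request did not arrive over SSL.
RewriteCond %{HTTPS} !=on

# Redirect the same URI on the same host, but with the https scheme.
# R=302 keeps browsers from caching the redirect while you are testing;
# switch to R=301 once it is known to work.
RewriteRule ^/protected(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
```

Because a redirect turns a POST into a GET (the form body is discarded), the rule must fire on the initial GET for the document, not on the login form's submission. Once the first request is on HTTPS, the login form AuthCookie returns is served over the encrypted channel, the form posts back over it, and the ticket cookie set with the Secure attribute is only ever returned by a conforming browser over SSL, which is exactly the property the RFC text above describes.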