On Thu, 13 Jun 2002, Brian Reichert wrote:

> Apache::AuthTicket says:
>
>    Finally, by using the Secure mode of Apache::AuthCookie, the
>    ticket is not passed over unencrypted connections.
>
> Passed in what direction?

Client -> server.

rfc2109 says:

   Secure
      Optional.  The Secure attribute (with no value) directs the user
      agent to use only (unspecified) secure means to contact the origin
      server whenever it sends back this cookie.

      The user agent (possibly under the user's control) may determine
      what level of security it considers appropriate for "secure"
      cookies.  The Secure attribute should be considered security
      advice from the server to the user agent, indicating that it is in
      the session's interest to protect the cookie contents.

see http://www.ietf.org/rfc/rfc2109.txt

> It would only go server->client if the client made a SSL request.

No.  Your browser should not return the cookie to the server if the connection
is not "secure" (meaning encrypted via SSL in practicality).  The converse is
not true.  The cookie *WILL* be sent from server to your browser.  If your
browser misbehaves with it by returning it over a non-ssl connection,
then your browser is broken and there's nothing AuthCookie can do to prevent
that.

> I suppose my real question is:
>
> How can I intercept a unencrypted request for a protected document,
> but have the login form be submitted over an encrypted channel?

There are lots of ways to do this.  One way that comes to mind is using
mod_rewrite to check if the user is in HTTPS mode or not, and if not, then
redirect them to HTTPS.

Mike
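An added configuration example (not from the original thread) of the mod_rewrite approach Mike describes, combined with the Secure-cookie setting the quoted AuthTicket text refers to. The path /protected/ and the AuthName "WhatEver" are placeholders, and the `WhatEverSecure` variable follows Apache::AuthCookie's `<AuthName>Secure` convention.

```apache
# Added example: bounce plaintext requests for the protected area to
# HTTPS *before* AuthCookie gets a chance to serve the login form, so
# the form (and the ticket it sets) only ever travel over SSL.
RewriteEngine On

# %{HTTPS} is "on" only for requests that arrived over SSL.
RewriteCond %{HTTPS} !=on
# Redirect to the same host and URI on the https:// scheme.
# /protected/ is an assumed placeholder for the AuthCookie-guarded area.
RewriteRule ^/protected/ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

# Mark the ticket cookie Secure so a conforming browser never returns it
# over an unencrypted connection (server -> client delivery is unaffected,
# as Mike notes above).  "WhatEver" is the assumed AuthName.
PerlSetVar WhatEverSecure 1
```

Without the redirect a first plaintext request would still reach the login form over http, which is the gap the Secure attribute alone cannot close.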