At least part of the problem can also be solved by replacing PerlSetVar FooTicketLoginHandler /login with PerlSetVar FooTicketLoginHandler https://servername.domain.com/login so that the password the user types is always passed through a secure channel.
I'm at a loss as to how to change the Apache::AuthTicket->login (or a similarly oriented subclass function) to:

a) Remember if the original URL was secure or not
b) Switch back to a nonsecure URL if the original URL was not secure

Has anyone succeeded in implementing a similar method?

Rafael

At 09:42 PM 6/13/2002 -0700, you wrote:
>It's not the prettiest in the world, but try this (see attached file).
>If anyone sees room for improvement, please, chime in. It's working
>fine on the intranet site I run at work - and I haven't tried to make it
>any better since it's working as is. You use this script instead of the
>loginscreen method of AuthTicket. It uses the http-equiv refresh when
>switching schemes since going from https to http causes most browsers to
>popup a warning about getting redirected to an insecure site.
>
>Here are my relevant httpd.conf settings:
>
>PerlSetVar realmTicketLoginHandler /LOGIN
>PerlSetVar realmTicketLogoutURI /
>PerlSetVar realmLoginScript /login
>
>Alias /login /v01/data/web/auth/login
><Location /login>
>    Options ExecCGI
>    SetHandler perl-script
>    PerlHandler Apache::Registry
></Location>
>
><Location /LOGIN>
>    <IfDefine SSL>
>        SSLRequireSSL
>    </IfDefine>
>    SetHandler perl-script
>    PerlHandler Apache::AuthTicket->login
></Location>
>
>--Jim
>
> > -----Original Message-----
> > From: Brian Reichert [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 13, 2002 1:13 PM
> > To: Michael Schout
> > Cc: Brian Reichert; [EMAIL PROTECTED]
> > Subject: Re: PerlSetVar WhatEverSecure
> >
> >
> > On Thu, Jun 13, 2002 at 10:40:18AM -0500, Michael Schout wrote:
> > > Brian Reichert wrote:
> > > >
> > > > <Location /formscript/login>
> > > >     PerlSetVar FormScriptSecure 1
> > > >     AuthType Apache::AuthTicket
> > > >     ...
> > > > </Location>
> > > >
> > > > But, in each case, my login program is served in the clear. What am
> > > > I missing?
> > >
> > > The authnameSecure setting only affects the cookie. If you want to
> > > forbid access to the login form from non-ssl, there are various ways to
> > > do that. One way would be to add "SSLRequireSSL" to that block (assuming
> > > you're using mod_ssl).
> >
> > Apache::AuthTicket says:
> >
> >     Finally, by using the Secure mode of Apache::AuthCookie, the
> >     ticket is not passed over unencrypted connections.
> >
> > Passed in what direction?
> >
> > It would only go server->client if the client made a SSL request.
> >
> > With the 'FormScriptSecure' as I have it above, I _can_ log
> > in over a non-encrypted channel, so clearly it's not
> > enforcing the 'secure' criteria...
> >
> > (Still reading up on cookies...)
> >
> > I suppose my real question is:
> >
> > How can I intercept an unencrypted request for a protected
> > document, but have the login form be submitted over an
> > encrypted channel?
> >
> > (Thanks for the feedback, by the way...)
> >
> > > Regards,
> > > Mike
> >
> > --
> > Brian 'you Bastard' Reichert        <[EMAIL PROTECTED]>
> > 37 Crystal Ave. #303                Daytime number: (603) 434-6842
> > Derry NH 03038-1713 USA             Intel architecture: the left-hand path
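One way to get both (a) and (b) with the http-equiv refresh approach Jim describes, written here as an added example and not Jim's attached script: a hypothetical Apache::Registry script for /login that records the original URL and its scheme, shows the password form only over https, and routes the post-login redirect back through itself so the return trip to a plain-http page is a refresh rather than a 302. It assumes Apache 1.x mod_perl with mod_ssl exporting HTTPS=on, and Apache::AuthCookie's credential_0 / credential_1 / destination form fields.

```perl
#!/usr/bin/perl
# Hypothetical Apache::Registry script for the thread's /login form, posting to
# the SSL-only Apache::AuthTicket->login at /LOGIN; not Jim's attachment. Assumes
# Apache 1.x mod_perl, mod_ssl setting HTTPS=on, and AuthCookie's form fields.
use strict; use warnings;
use Apache (); use CGI (); use URI::Escape qw(uri_escape);
my $r    = Apache->request;
my $q    = CGI->new;
my $host = $r->hostname;
my $ssl  = ($r->subprocess_env('HTTPS') || '') eq 'on';
# Only bounce users back to this host, never to a URL chosen by a third party.
sub safe_url {
    my ($h, $u) = @_;
    return defined $u && $u =~ m{^https?://\Q$h\E(?::\d+)?/} ? $u : "http://$h/";
}
# Switch schemes with a meta refresh, not a 302: browsers of this era warn on a
# redirect from https to http but not on a refresh.
sub refresh_to {
    my ($req, $url) = @_;
    $url = CGI::escapeHTML($url);
    $req->content_type('text/html');
    $req->send_http_header;
    $req->print(qq{<html><head><meta http-equiv="refresh" content="0; url=$url">}
              . qq{</head><body>Continuing to $url</body></html>});
}
# (c) Back here after a successful login: restore the original URL's scheme.
# If ${realm}Secure is set the ticket cookie is never sent over http, so an
# http destination would only produce this form again.
if (defined(my $back = $q->param('back'))) { refresh_to($r, safe_url($host, $back)); return; }
# (a) As the ErrorDocument for a protected page, $r->prev is that request; it
# shares our connection, so our own HTTPS flag is also the original scheme.
my $dest = $q->param('dest');
if (!defined $dest && (my $prev = $r->prev)) {
    my $port = $r->get_server_port;
    $dest = ($ssl ? 'https' : 'http') . "://$host" . ($port == ($ssl ? 443 : 80) ? '' : ":$port")
          . $prev->uri . ($prev->args ? '?' . $prev->args : '');
}
$dest = safe_url($host, $dest);
# (b) Never show the password form over plain http.
unless ($ssl) { refresh_to($r, "https://$host" . $r->uri . '?dest=' . uri_escape($dest)); return; }
# Over https: post to /LOGIN; AuthCookie then redirects to "destination", which
# brings the user back here (step c) rather than straight to the original URL.
my $ret = CGI::escapeHTML("https://$host" . $r->uri . '?back=' . uri_escape($dest));
$r->content_type('text/html');
$r->send_http_header;
$r->print(qq{<html><body><form method="post" action="https://$host/LOGIN">}
        . qq{<input type="hidden" name="destination" value="$ret">}
        . qq{User <input name="credential_0"> Password <input type="password" name="credential_1">}
        . qq{<input type="submit" value="Log in"></form></body></html>});
```

The safe_url check matters because both the dest and back parameters arrive from the client; without it the script would be an open redirect to any host.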