Michael wrote on 11/10/04, 4:28 PM:
> > All,
> >
> > I'm about to replace the authentication mechanism that our web site uses.
> > However, I wanted to sanity check my thought process.
> >
> > Is it possible to have an Authen handler sitting on certain areas of a site,
> > and if a user isn't logged in (i.e. doesn't have an auth session cookie) we
> > present them with a form? (I can do this, but the next bit is new to me.)
> > Then when they send their details, i.e. username and password, they go over
> > an SSL connection, which, provided they are correct, then shows the page the
> > user originally wanted?
> >
> > Basically I have a mechanism working that does this without the SSL, but can
> > I update it to use an SSL connection for the login form submit?
> >
> > Marty
> >
> See Apache-AuthCookie.
> I believe everything you want is implemented in this package.

Marty,

Apache-AuthCookie does provide a mechanism similar to what you described. It sounds like you've already designed an Apache-AuthCookie clone. :-)

However, Apache-AuthCookie will not protect the initial submission of the password from being snooped. Assuming that you already have your Apache server set up to use SSL, you should be able to put the login form verification script in an appropriate place served by the SSL config, and just point the login form action to that script. Then the script would redirect the user back to the original non-SSL page (if the login credentials were verified, of course).

I'm assuming here that the same Apache instance is listening for non-SSL and SSL. (This is the default if mod_ssl is enabled.) If you have independent Apache instances running on 80 and 443 (possible but unlikely), or your SSL-ified Apache is on a different box, this may cause problems, depending on how your login script works.

--John

--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
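The SSL-only login verification script John describes, written here as an added example (not code from the thread or from Apache-AuthCookie) against the mod_perl 2 API; it assumes libapreq2's Apache2::Request and CGI::Cookie are installed, that mod_ssl's HTTPS environment variable is visible to the handler, and a Unix host for /dev/urandom. It refuses credentials sent over plain HTTP, checks the password with a constant-time compare, restricts the post-login redirect to a same-site path, and sets the session cookie before sending the user back to the non-SSL page they wanted.

```perl
package My::LoginVerify;
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Request ();                       # libapreq2, assumed installed
use APR::Table ();
use Apache2::Const -compile => qw(REDIRECT FORBIDDEN);
use CGI::Cookie ();
use Digest::SHA qw(sha256_hex);
# Constructed sample store: user => SHA-256("salt:password") with its salt.
my %USERS = (alice => { salt => 'x7Qp', hash => sha256_hex('x7Qp:correct horse') });
my %SESSIONS;   # sid => user; per-process only here, a real site shares this
sub verify_password {
    my ($user, $pass) = @_;
    my $rec = $USERS{$user} or return 0;
    my $got = sha256_hex("$rec->{salt}:$pass");
    my $diff = 0;   # constant-time compare: no early exit on first mismatch
    $diff |= ord(substr $got, $_, 1) ^ ord(substr $rec->{hash}, $_, 1) for 0 .. 63;
    return $diff == 0;
}
sub new_session_id {   # 128 random bits from the kernel; assumes a Unix host
    open my $fh, '<', '/dev/urandom' or die "urandom: $!";
    sysread $fh, my $bytes, 16;
    return unpack 'H*', $bytes;
}
sub handler {
    my $r = shift;
    # mod_ssl sets HTTPS=on on TLS connections; refuse credentials otherwise
    return Apache2::Const::FORBIDDEN
        unless lc($r->subprocess_env->get('HTTPS') || '') eq 'on';
    my $req  = Apache2::Request->new($r);
    my $user = $req->param('username')    // '';
    my $pass = $req->param('password')    // '';
    my $dest = $req->param('destination') // '/';
    # Post-login target must be a same-site absolute path: no "//host", no CR/LF
    $dest = '/' unless $dest =~ m{\A/(?![/\\])} && $dest !~ /[\r\n]/;
    if (verify_password($user, $pass)) {
        my $sid = new_session_id(); $SESSIONS{$sid} = $user;   # remember owner
        # No Secure flag since the protected pages are plain HTTP: the cookie
        # still crosses the wire unencrypted, only the password did not
        my $cookie = CGI::Cookie->new(-name => 'AuthSession', -value => $sid,
                                      -path => '/', -httponly => 1);
        $r->err_headers_out->add('Set-Cookie' => $cookie->as_string);
        $r->headers_out->set(Location => $dest);
    } else {
        $r->headers_out->set(Location => '/login?failed=1');
    }
    return Apache2::Const::REDIRECT;   # 302 back to the original non-SSL page
}
1;
```

Point the login form's action at this handler under the SSL virtual host (e.g. a `<Location>` with `SetHandler perl-script` and `PerlResponseHandler My::LoginVerify`, names assumed) and pass the originally requested path in the `destination` field.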