On Wed, 10 Nov 2004, Skylos wrote:
it could go...
-> GET content from myserver port 80
<- 403 errordocument login form
-> POST credentials to myserver port 443
<- Location http://myserver/content
<- Set-Cookie: ticket=gooduser; Domain=myserver; Path=content;
-> GET content from myserver port 80
<- 403 errordocument login form
And the question would be... Why would the browser say GET without the cookie attached?
It could be... because it didn't get the cookie from myserver:80 - it got it from myserver:443 - and the security settings of the browser say, 'enable only for the originating web server'
The port numbers do not matter at all. There are a number of things you need to be aware of for cookies to work properly in this scenario.
- If you want the cookie to be presented over non-SSL connections, you need to make sure that AuthNameSecure is not turned on in AuthCookie. The "Secure" setting tells the browser to only send the cookie over SSL connections.
- If you're using MSIE, you also need to properly create a P3P policy, otherwise MSIE might not return the cookie (depending on security settings). The way you create a P3P policy is beyond the scope of this email. In AuthCookie you can do this with something like:
PerlSetVar AuthNameP3P "CP=\"ALL DSP ...\""
but you need to read up on P3P to know what the value should be.
But there is no problem issuing cookies on HTTPS and having the browser return them over non-SSL provided that the "Domain" parameter of the cookie is properly set, and the "Secure" setting is turned off.
Regards, Michael Schout
-- Report problems: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html List etiquette: http://perl.apache.org/maillist/email-etiquette.html
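The browser-side matching rules Michael describes (host and path must match, "Secure" restricts the cookie to HTTPS, and the port is not part of the match), as an added illustration that is not from the thread or from AuthCookie; the Set-Cookie headers and URLs below are constructed from the thread's example, with the path written as /content.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and the attributes that
    decide whether a browser will send it back (constructed parser, not RFC-complete)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"secure": False, "domain": None, "path": "/"}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            attrs["secure"] = True          # AuthNameSecure adds this flag
        elif key == "domain":
            attrs["domain"] = val.strip().lstrip(".").lower()
        elif key == "path":
            attrs["path"] = val.strip()
    return {"name": name.strip(), "value": value.strip(), **attrs}


def would_send(cookie, url):
    """Return True if a browser following the rules above would attach the cookie
    to a request for url. Note that the port never enters into the decision."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    domain = cookie["domain"] or host
    if host != domain and not host.endswith("." + domain):
        return False                        # Domain attribute does not cover this host
    path = u.path or "/"
    cpath = cookie["path"]
    if not (path == cpath or path.startswith(cpath.rstrip("/") + "/")):
        return False                        # Path attribute does not cover this URL
    if cookie["secure"] and u.scheme != "https":
        return False                        # Secure cookies travel only over SSL
    return True


if __name__ == "__main__":
    plain = parse_set_cookie("ticket=gooduser; Domain=myserver; Path=/content")
    secure = parse_set_cookie("ticket=gooduser; Domain=myserver; Path=/content; Secure")
    # Cookie issued on port 443 comes back on port 80 as long as Secure is off.
    print("port 80, no Secure:", would_send(plain, "http://myserver:80/content"))
    print("port 80, Secure:   ", would_send(secure, "http://myserver:80/content"))
```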