Re: secure to nonsecure

Mon, 12 Jun 2000 23:32:01 -0700 

** Reply to note from Darian Ong <[EMAIL PROTECTED]> 11 Jun 00 22:26:25 MDT
>   
> Hello all,
>   
> I am writing a cgi script to process a HTML FORM in the secure mode.
> After the FORM is processed, I need to redirect the user to a non-
> secured page.
>   
> I have my virtual host setup like this:
>   
> <VirtualHost ip_address:80> ... Redirect ^/secure/(.*)
> https://mysite/secure/$1 ... </VirtualHost>
>   
> <VirtualHost ip_address:443> ... Redirect ^/unsecure/(.*)
> http://mysite/unsecure/$1 ... </VirtualHost>
>   
> I process the FORM with a script process.cgi under the secure
> directory and the result of this script is a simple HTML page that
> contains:
>   
> <html> <script language="Javascript"> function redirectPage(){
> document.location.href="https://mysite/unsecure/showpage.cgi"; }
> </script>
>  
> <body onload="redirectPage()"> </body> </html>
>   
> However, after the script process.cgi is executed and the above HTML
> page is returned to the browser, I got this warning message from my
> browser:
>   
> Warning! You have requested an insecure document that was originally
> designated a secure document (the location has been redirected from a
> secure to an insecure document). The document and any information you
> send back could be observed by a third party while in transit. 
>   
> How can I switch from a secure mode to an insecure mode without such
> warning from the browsers?

You can't.  The way I do it is make the next page you re-direct to
secure.  On that page you can have non-secure links that don't have the
warning.  

The user can select a non-secure link, and things are ok, but if the
user asks for a secure page, you have to send a secure result.  Trying
to redirect to a non-secure page is a no-no, as is trying to include
images from a non-secure source.  You (on the server side) can not make
the choice to drop secure mode, you have to let the user do it.


Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to