"D. Scott Davidson" wrote:
> I am trying to run mod-ssl just for the login, and then proceed to pages
> that do not need the SSL, put still need to be protected by the official
> login.
> I am basically just looking for a good way to access pages without using SSL,
> put still keeping them password protected.
I'm not sure you need SSL at all - a normal password challenge on plain
HTTP will restrict access to whatever part of your site you want
protected. The only disadvantage is that the password the user types in
is transmitted en clair and so can, in principle, be captured by a
network snooper. If you're worried about snoopers, switching on SSL
before the password challenge means that the password is transmitted
encrypted, but if you then switch off SSL, the data that the user enters
and downloads is en clair again and the snooper can see the data anyway.
I see SSL and password-access as addressing two different concerns:
- SSL provides a secure tunnel between server and client and allows the
secure transfer of data which cannot be captured by a snooper. This is
required, for example, when you send your credit card details to a shop
or when you download your account details from the bank.
- password-access restricts access to your site to a closed group of
users. This is required if you are providing data which is not to be
viewed by the general public, for example, a section containing company
information for employees of your organisation.
You can, of course, combine the two, but then I would tend to keep the
whole restricted directory under SSL.
Rgds,
Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
