>>>>> "JJH" == J J Horner <[EMAIL PROTECTED]> writes:

JJH> I have need of a module that will redirect to https anytime 
JJH> basic authentication is required.

JJH> I figure the best way to do this is to step in at the authentication
JJH> phase, and should authentication be required and the method be http,
JJH> redirect to https for any and all basic authentication traffic.  Perhaps
JJH> after this, redirect to http, if desired.

JJH> Any comments or suggestions?

The problem here is that once you're authenticated via basic auth,
your ID/password is passed on *every* request back to that server.  I
don't think you can distinguish easily when it is not needed any more
to redirect to the non-secured server.

What I do in one of my applications is to use Apache::AuthCookie and
set the cookie to not require a secure connection.  Then I use
mod_rewrite to shuttle people back and forth so I don't need to
hard-code the full URL in all the pages.

Something like this:

# handle static content directly in whatever mode
RewriteRule \.(gif|jpg|png|css|txt|pdf|cgi|html|js|ico)$ - [last]
# make sure we're in SSL mode when inside register or manage, and not
# SSL mode otherwise, except for images.  Those need to be the same.
RewriteRule ^/(manage|register)/(.*) https://%{SERVER_NAME}/$1/$2 [last]

and in the SSL virtual-host context:

# handle static content directly in whatever mode
RewriteRule \.(gif|jpg|png|css|txt|pdf|cgi|html|js|ico)$ - [last]
# leave alone manage* and register/* requests, and the special LOGIN/OUT
# locations, and the redirector until we're done redirecting
RewriteCond %{REQUEST_URI} !^/(rd$|LOG|manage|register/)
RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [nosubreq,last]


This fails if you POST to a URL that should be https from a non-https
page if you don't hard-code the URL to go directly to the https
variant.

This makes web design quite easy, and links are all relative, etc.
The cost is one redirect on the switchover.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]       Rockville, MD       +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/
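
The two rule sets in the message above, modelled as an added example (not part of the original message or the poster's configuration): a Python function that reports, for constructed requests, whether each virtual host serves the request as-is or redirects it to the other scheme. The host name www.example.com, the function name route and the sample paths are assumptions; it also assumes the redirect is followed as a GET, which is the POST failure the message describes.

```python
import re

# Patterns copied from the two rule sets in the message above.
STATIC = re.compile(r"\.(gif|jpg|png|css|txt|pdf|cgi|html|js|ico)$")
TO_SSL = re.compile(r"^/(manage|register)/(.*)")
SSL_KEEP = re.compile(r"^/(rd$|LOG|manage|register/)")


def route(scheme, method, path, host="www.example.com"):
    """Return (action, target, note) for one request.

    Modelling assumptions: rules are matched against the URL path only,
    and a substitution that points at the other scheme results in an
    external redirect that the client follows with a GET.
    """
    if STATIC.search(path):
        # First rule in both vhosts: "-" substitution plus [last] stops here.
        return ("serve", None, "static rule matched first; scheme unchanged")
    if scheme == "http":
        m = TO_SSL.match(path)
        if not m:
            return ("serve", None, "no rule matched")
        target = "https://%s/%s/%s" % (host, m.group(1), m.group(2))
    else:
        if SSL_KEEP.match(path):
            return ("serve", None, "RewriteCond excluded this path")
        target = "http://%s%s" % (host, path)
    note = "one redirect on the switchover"
    if method == "POST":
        note = "POST body is not carried across the redirect"
    return ("redirect", target, note)


# Constructed sample requests (not from the original message).
SAMPLES = [
    ("http", "GET", "/manage/account"),
    ("http", "POST", "/register/submit"),
    ("http", "GET", "/manage/edit.cgi"),   # caught by the static rule
    ("https", "GET", "/index"),
    ("https", "GET", "/LOGIN"),
    ("https", "GET", "/manage/account"),
]

if __name__ == "__main__":
    for scheme, method, path in SAMPLES:
        print(scheme, method, path, "->", route(scheme, method, path))
```

Because the static-content rule runs first and lists cgi and html, a path such as /manage/edit.cgi is served in whatever scheme it was requested in, and the non-secure cookie accompanies it there.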
