On Thu, Jun 13, 2002 at 10:40:18AM -0500, Michael Schout wrote:
> Brian Reichert wrote:
> >
> >   <Location /formscript/login>
> >     PerlSetVar FormScriptSecure 1
> >     AuthType Apache::AuthTicket
> >     ...
> >   </Location>
> >
> > But, in each case, my login program is served in the clear.  What am I
> > missing?
>
> The authnameSecure setting only affects the cookie.  If you want to
> forbid access to the login form from non-ssl, there are various ways to
> do that.  One way would be to add "SSLRequireSSL" to that block (assuming
> you're using mod_ssl).

Apache::AuthTicket says:

  Finally, by using the Secure mode of Apache::AuthCookie, the ticket
  is not passed over unencrypted connections.

Passed in what direction?  It would only go server->client if the
client made an SSL request.

With the 'FormScriptSecure' as I have it above, I _can_ log in over
a non-encrypted channel, so clearly it's not enforcing the 'secure'
criteria...

(Still reading up on cookies...)

I suppose my real question is:

How can I intercept an unencrypted request for a protected document,
but have the login form be submitted over an encrypted channel?

(Thanks for the feedback, by the way...)

>
> Regards,
> Mike
>

-- 
Brian 'you Bastard' Reichert    <[EMAIL PROTECTED]>
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         Intel architecture: the left-hand path
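
An added illustration, not part of the thread and not Apache::AuthTicket code: the Secure cookie attribute discussed above is enforced by the client when it decides whether to attach a stored cookie to an outgoing request, which Python's standard http.cookiejar models. The host name, the cookie name demo_ticket, its value and the /protected/ path are constructed for the example.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

HOST = "www.example.com"  # constructed host name


class CannedResponse:
    """Offline stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # appends, does not replace

    def info(self):
        return self._headers


def login(jar, secure):
    """Store a ticket cookie as if an HTTPS login response had set it."""
    request = urllib.request.Request(f"https://{HOST}/formscript/login")
    flag = "; secure" if secure else ""
    response = CannedResponse([f"demo_ticket=abc123; path=/{flag}"])
    jar.extract_cookies(response, request)


def cookie_sent(jar, url):
    """Return the Cookie header the client would attach for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    for secure in (True, False):
        jar = CookieJar()
        login(jar, secure)
        for scheme in ("http", "https"):
            url = f"{scheme}://{HOST}/protected/"
            print(f"secure={secure} {scheme}: {cookie_sent(jar, url)}")
```

The flag changes only which requests carry the ticket; whether the login form itself is reachable over plain HTTP is decided separately by server configuration such as the SSLRequireSSL directive mentioned in the quoted reply.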