It's not the prettiest in the world, but try this (see attached file). If anyone sees room for improvement, please chime in. It's working fine on the intranet site I run at work, and I haven't tried to make it any better since it works as is. You use this script instead of the loginscreen method of AuthTicket. It uses an http-equiv refresh when switching schemes, since going from https to http causes most browsers to pop up a warning about being redirected to an insecure site.
Here are my relevant httpd.conf settings:
PerlSetVar realmTicketLoginHandler /LOGIN
PerlSetVar realmTicketLogoutURI /
PerlSetVar realmLoginScript /login

Alias /login /v01/data/web/auth/login
<Location /login>
    Options ExecCGI
    SetHandler perl-script
    PerlHandler Apache::Registry
</Location>

<Location /LOGIN>
    <IfDefine SSL>
        SSLRequireSSL
    </IfDefine>
    SetHandler perl-script
    PerlHandler Apache::AuthTicket->login
</Location>
--Jim
> -----Original Message-----
> From: Brian Reichert [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 13, 2002 1:13 PM
> To: Michael Schout
> Cc: Brian Reichert; [EMAIL PROTECTED]
> Subject: Re: PerlSetVar WhatEverSecure
>
>
> On Thu, Jun 13, 2002 at 10:40:18AM -0500, Michael Schout wrote:
> > Brian Reichert wrote:
> >
> > >
> > > <Location /formscript/login>
> > > PerlSetVar FormScriptSecure 1
> > > AuthType Apache::AuthTicket
> > > ...
> > > </Location>
> > >
> > > But, in each case, my login program is served in the clear. What am
> > > I missing?
> >
> > The authnameSecure setting only affects the cookie. If you want to
> > forbid access to the login form from non-SSL, there are various ways to
> > do that. One way would be to add "SSLRequireSSL" to that block (assuming
> > you're using mod_ssl).
>
> Apache::AuthTicket says:
>
> Finally, by using the Secure mode of Apache::AuthCookie, the
> ticket is not passed over unencrypted connections.
>
> Passed in what direction?
>
> It would only go server->client if the client made a SSL request.
>
> With the 'FormScriptSecure' as I have it above, I _can_ log
> in over a non-encrypted channel, so clearly it's not
> enforcing the 'secure' criteria...
>
> (Still reading up on cookies...)
>
> I suppose my real question is:
>
> How can I intercept an unencrypted request for a protected
> document, but have the login form be submitted over an
> encrypted channel?
>
> (Thanks for the feedback, by the way...)
>
> >
> > Regards,
> > Mike
> >
>
> --
> Brian 'you Bastard' Reichert <[EMAIL PROTECTED]>
> 37 Crystal Ave. #303          Daytime number: (603) 434-6842
> Derry NH 03038-1713 USA       Intel architecture: the left-hand path
>
Attachment: login (binary data)
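The script Jim attached is not in the archive, so the following is an added illustration of the approach his message and httpd.conf describe, not Jim's own code: an Apache::Registry script aliased at /login that, when reached over plain http, switches to https with an http-equiv refresh, and, once on https, renders the form that Apache::AuthTicket's login handler at /LOGIN expects (credential_0, credential_1 and destination are the field names Apache::AuthCookie reads). It assumes mod_perl 1.x with mod_ssl exporting HTTPS=on, and the CPAN modules URI::Escape and HTML::Entities; the safe_destination check is a precaution added here, not something the thread discusses.

```perl
#!/usr/bin/perl
# Illustrative Apache::Registry login form for Apache::AuthTicket.
# Added example, not the script attached to the original message.
# Assumes mod_perl 1.x, mod_ssl (sets HTTPS=on), this script aliased at
# /login, and realmTicketLoginHandler /LOGIN as in the httpd.conf above.
use strict;
use warnings;
use Apache ();
use URI::Escape qw(uri_escape);
use HTML::Entities qw(encode_entities);

my $LOGIN_HANDLER = '/LOGIN';   # must match realmTicketLoginHandler

# Accept only an absolute, same-site path as the post-login destination.
# Rejecting "//other.host/..." and full URLs keeps the form from being
# usable as an open redirect; anything else falls back to "/".
sub safe_destination {
    my ($dest) = @_;
    return '/' unless defined $dest && $dest =~ m{\A/(?![/\\])};
    return $dest;
}

my $r = Apache->request;
$r->no_cache(1);   # never let a proxy or browser cache the login page

# When AuthCookie sends the browser here via an internal redirect, $r->prev
# is the request for the protected document. After our own scheme switch
# the destination arrives instead as a query parameter.
my $destination;
if (my $prev = $r->prev) {
    $destination = $prev->uri;
    my $qs = $prev->args;
    $destination .= "?$qs" if defined $qs && length $qs;
} else {
    my %args = $r->args;
    $destination = $args{destination};
}
$destination = safe_destination($destination);

my $host   = $r->hostname;
my $on_ssl = ($ENV{HTTPS} || '') eq 'on';

$r->send_http_header('text/html');

if (!$on_ssl) {
    # Arrived over plain http: move to the https copy of this script with a
    # meta refresh rather than a 302 Location header, so the form and the
    # credentials POSTed from it travel only over https.
    my $target = 'https://' . $host . $r->uri
               . '?destination=' . uri_escape($destination);
    my $safe = encode_entities($target);
    print <<"HTML";
<html><head>
<meta http-equiv="Refresh" content="0; URL=$safe">
</head><body>
Redirecting to the secure login page: <a href="$safe">$safe</a>
</body></html>
HTML
} else {
    # Over https: render the form Apache::AuthCookie->login reads.
    # The action is a relative path, so the POST stays on https.
    my $dest = encode_entities($destination);
    print <<"HTML";
<html><head><title>Login</title></head><body>
<form method="POST" action="$LOGIN_HANDLER">
<input type="hidden" name="destination" value="$dest">
Username: <input type="text" name="credential_0"><br>
Password: <input type="password" name="credential_1"><br>
<input type="submit" value="Log in">
</form>
</body></html>
HTML
}
```

Because destination is kept as a path, the redirect /LOGIN issues after a successful login stays on https, which sidesteps the https-to-http warning Jim mentions. If the protected document really must be fetched over plain http afterwards, the same refresh trick can be applied on the way back from an https page instead of letting /LOGIN issue a 302 across schemes.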
