It's not the prettiest in the world, but try this (see attached file). If anyone sees room for improvement, please chime in. It's working fine on the intranet site I run at work - and I haven't tried to make it any better since it's working as is. You use this script instead of the loginscreen method of AuthTicket. It uses the http-equiv refresh when switching schemes, since going from https to http causes most browsers to pop up a warning about getting redirected to an insecure site.
Here are my relevant httpd.conf settings:

    PerlSetVar realmTicketLoginHandler /LOGIN
    PerlSetVar realmTicketLogoutURI /
    PerlSetVar realmLoginScript /login

    Alias /login /v01/data/web/auth/login
    <Location /login>
        Options ExecCGI
        SetHandler perl-script
        PerlHandler Apache::Registry
    </Location>

    <Location /LOGIN>
        <IfDefine SSL>
            SSLRequireSSL
        </IfDefine>
        SetHandler perl-script
        PerlHandler Apache::AuthTicket->login
    </Location>

--Jim

> -----Original Message-----
> From: Brian Reichert [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 13, 2002 1:13 PM
> To: Michael Schout
> Cc: Brian Reichert; [EMAIL PROTECTED]
> Subject: Re: PerlSetVar WhatEverSecure
>
>
> On Thu, Jun 13, 2002 at 10:40:18AM -0500, Michael Schout wrote:
> > Brian Reichert wrote:
> > >
> > > <Location /formscript/login>
> > > PerlSetVar FormScriptSecure 1
> > > AuthType Apache::AuthTicket
> > > ...
> > > </Location>
> > >
> > > But, in each case, my login program is served in the clear. What am
> > > I missing?
> >
> > The authnameSecure setting only affects the cookie. If you want to
> > forbid access to the login form from non-ssl, there are various ways to
> > do that. One way would be to add "SSLRequireSSL" to that block (assuming
> > you're using mod_ssl).
>
> Apache::AuthTicket says:
>
> Finally, by using the Secure mode of Apache::AuthCookie, the
> ticket is not passed over unencrypted connections.
>
> Passed in what direction?
>
> It would only go server->client if the client made an SSL request.
>
> With the 'FormScriptSecure' as I have it above, I _can_ log
> in over a non-encrypted channel, so clearly it's not
> enforcing the 'secure' criteria...
>
> (Still reading up on cookies...)
>
> I suppose my real question is:
>
> How can I intercept an unencrypted request for a protected
> document, but have the login form be submitted over an
> encrypted channel?
>
> (Thanks for the feedback, by the way...)
> >
> > Regards,
> > Mike
> >
>
> --
> Brian 'you Bastard' Reichert <[EMAIL PROTECTED]>
> 37 Crystal Ave. #303                 Daytime number: (603) 434-6842
> Derry NH 03038-1713 USA              Intel architecture: the left-hand path
>
[Attachment: login (binary data)]
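A configuration-only way to get what Brian asks for at the end of the quoted mail (protected pages served over plain HTTP, but the login form and the credential POST reachable only over HTTPS). This is an added illustration, not Jim's attached script and not taken from the Apache::AuthTicket documentation. The hostname intranet.example.com, the certificate paths, the /private location and the realm name `realm` are assumed; the realm* PerlSetVar lines and the two login Locations are the ones from Jim's httpd.conf above.

```apache
# Added example (not Jim's attached script, not AuthTicket's own docs).
# Assumes Apache 1.3 with mod_ssl and mod_perl, one hostname served on both
# ports, and Jim's realm* settings. Everything outside the VirtualHost
# blocks applies to both the HTTP and the HTTPS side.

PerlSetVar realmTicketLoginHandler /LOGIN
PerlSetVar realmTicketLogoutURI /
PerlSetVar realmLoginScript /login

Alias /login /v01/data/web/auth/login
<Location /login>
    Options ExecCGI
    SetHandler perl-script
    PerlHandler Apache::Registry
</Location>

<Location /LOGIN>
    # mod_ssl answers 403 to any plaintext request for the credential
    # handler, whichever vhost it arrives on. This refuses, it never redirects.
    SSLRequireSSL
    SetHandler perl-script
    PerlHandler Apache::AuthTicket->login
</Location>

# ---- plain-HTTP vhost: the protected site lives here --------------------
<VirtualHost *:80>
    ServerName intranet.example.com

    # /private is assumed. An unticketed request is handed to the login
    # form named by realmLoginScript, as AuthTicket does.
    <Location /private>
        AuthType Apache::AuthTicket
        AuthName realm
        PerlAuthenHandler Apache::AuthTicket->authenticate
        PerlAuthzHandler  Apache::AuthTicket->authorize
        require valid-user
    </Location>

    # Neither the form nor the credential POST is served in the clear:
    # a browser that reaches either URI over HTTP is bounced to HTTPS.
    Redirect /login https://intranet.example.com/login
    Redirect /LOGIN https://intranet.example.com/LOGIN
</VirtualHost>

# ---- SSL vhost: only the login form and the ticket-issuing handler ------
<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/intranet.crt   # assumed path
    SSLCertificateKeyFile /etc/apache/ssl/intranet.key   # assumed path
</VirtualHost>
```

Two things this layout does not do on its own. First, the form still has to POST to the absolute `https://intranet.example.com/LOGIN` URL; a form with a relative action that somehow got fetched over HTTP would submit the password over HTTP, and SSLRequireSSL would only turn that into a 403 after the credentials had already crossed the wire. Second, the HTTPS side sees a fresh request, so the page the user originally asked for is no longer known there; carrying it along (for instance in the query string) is the login script's job, and the subsequent redirect from the https login handler back to the http destination is exactly the https-to-http hop Jim's http-equiv refresh is there to smooth over. The cookie is a separate matter, as Michael says: with the site itself on port 80, the ticket cookie cannot carry the Secure attribute (realmSecure, in Jim's naming), or the browser would never send it back to the protected pages. The password is protected by this setup; the ticket itself still travels in the clear and can be replayed by anyone who can sniff it, so keep its lifetime short.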