Firstly, I apologise if this is not the correct group for this question.
I am using Apache 1.3.11 mod_ssl 2.5.0 and Jrun servlet engine. I want to be
able to secure parts of my
site by using URL re-writes of the form:
RewriteCond %{HTTPS} !=on
RewriteRule ^/my_account/(.*\.shtml)$ https://secure.server.com:8443/my_account/$1
[R,L]
RewriteRule ^/servlet/AccountServlet
https://secure.server.com:8443/servlet/AccountServlet
[R]
This enables parts of the site to be SSL enabled as the site develops without
coding explicit https:// links. (Also, if I do
use explicit https:// links then my session info is not shared with the normal
http:// parts, which is unacceptable).
The above re-write method does cause the browser to say "you are requesting
a secure page blah blah" but does not update
the URL window and does not lock the padlock. Clicking on page properties shows
the https:// URL and the certificates, clicking on the padlock says the page
is NOT secure.
Curiously, mod_rewrite does force a browser to change its URL window in the
case of:
RewriteCond %{HTTP_HOST} !^www\.server.\com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://www.server.com/$1 [L,R]
Any ideas on how to persuade the browsers to be consistent in their user-feedback
of SSL state?
This applies to both Netscape 4.7 and IE 5
Any help greatly appreciated
Steve Allman
--------------------------
Sent over VO WebMail
http://www.vo.lu
http://webmail.vo.lu
http://www.connect.lu
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
