Re: PerlSetVar WhatEverSecure
On Thu, Jun 13, 2002 at 09:42:41PM -0700, Jim Helm wrote:
> It's not the prettiest in the world, but try this (see attached file).

Thanks for the pointers; I'll give it a look-over...

-- 
Brian 'you Bastard' Reichert    [EMAIL PROTECTED]
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         Intel architecture: the left-hand path
Re: PerlSetVar WhatEverSecure
On Thu, 13 Jun 2002, Brian Reichert wrote:
> Apache::AuthTicket says:
>
>   Finally, by using the Secure mode of Apache::AuthCookie, the ticket is
>   not passed over unencrypted connections.
>
> Passed in what direction?

Client -> server.  RFC 2109 says:

   Secure
      Optional.  The Secure attribute (with no value) directs the user
      agent to use only (unspecified) secure means to contact the origin
      server whenever it sends back this cookie.

      The user agent (possibly under the user's control) may determine
      what level of security it considers appropriate for "secure"
      cookies.  The Secure attribute should be considered security advice
      from the server to the user agent, indicating that it is in the
      session's interest to protect the cookie contents.

see http://www.ietf.org/rfc/rfc2109.txt

> It would only go server->client if the client made an SSL request.

No.  Your browser should not return the cookie to the server if the
connection is not secure (meaning encrypted via SSL in practicality).
The converse is not true.  The cookie *WILL* be sent from server to
your browser.  If your browser misbehaves with it by returning it over
a non-SSL connection, then your browser is broken and there's nothing
AuthCookie can do to prevent that.

> I suppose my real question is: how can I intercept an unencrypted
> request for a protected document, but have the login form be submitted
> over an encrypted channel?

There are lots of ways to do this.  One way that comes to mind is using
mod_rewrite to check if the user is in HTTPS mode or not, and if not,
then redirect them to HTTPS.

Mike
Re: PerlSetVar WhatEverSecure
Brian Reichert wrote:
>   <Location /formscript/login>
>     PerlSetVar FormScriptSecure 1
>     AuthType Apache::AuthTicket
>     ...
>   </Location>
>
> But, in each case, my login program is served in the clear.  What am I
> missing?

The authnameSecure setting only affects the cookie.  If you want to
forbid access to the login form from non-SSL, there are various ways to
do that.  One way would be to add SSLRequireSSL to that block (assuming
you're using mod_ssl).

Regards,
Mike
Re: PerlSetVar WhatEverSecure
On Thu, Jun 13, 2002 at 10:40:18AM -0500, Michael Schout wrote:
> Brian Reichert wrote:
> >   <Location /formscript/login>
> >     PerlSetVar FormScriptSecure 1
> >     AuthType Apache::AuthTicket
> >     ...
> >   </Location>
> >
> > But, in each case, my login program is served in the clear.  What am
> > I missing?
>
> The authnameSecure setting only affects the cookie.  If you want to
> forbid access to the login form from non-SSL, there are various ways to
> do that.  One way would be to add SSLRequireSSL to that block (assuming
> you're using mod_ssl).

Apache::AuthTicket says:

  Finally, by using the Secure mode of Apache::AuthCookie, the ticket is
  not passed over unencrypted connections.

Passed in what direction?  It would only go server->client if the client
made an SSL request.

With the 'FormScriptSecure' as I have it above, I _can_ log in over a
non-encrypted channel, so clearly it's not enforcing the 'secure'
criteria...

(Still reading up on cookies...)

I suppose my real question is: how can I intercept an unencrypted
request for a protected document, but have the login form be submitted
over an encrypted channel?

(Thanks for the feedback, by the way...)

> Regards,
> Mike

-- 
Brian Reichert
RE: PerlSetVar WhatEverSecure
It's not the prettiest in the world, but try this (see attached file).
If anyone sees room for improvement, please chime in.  It's working fine
on the intranet site I run at work, and I haven't tried to make it any
better since it's working as is.

You use this script instead of the login_screen method of AuthTicket.
It uses the http-equiv refresh when switching schemes, since going from
https to http causes most browsers to pop up a warning about getting
redirected to an insecure site.

Here are my relevant httpd.conf settings:

  PerlSetVar realmTicketLoginHandler /LOGIN
  PerlSetVar realmTicketLogoutURI /
  PerlSetVar realmLoginScript /login

  Alias /login /v01/data/web/auth/login

  <Location /login>
    Options ExecCGI
    SetHandler perl-script
    PerlHandler Apache::Registry
  </Location>

  <Location /LOGIN>
    <IfDefine SSL>
      SSLRequireSSL
    </IfDefine>
    SetHandler perl-script
    PerlHandler Apache::AuthTicket->login
  </Location>

--Jim

-----Original Message-----
From: Brian Reichert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 13, 2002 1:13 PM
To: Michael Schout
Cc: Brian Reichert; [EMAIL PROTECTED]
Subject: Re: PerlSetVar WhatEverSecure

Attachment: login (binary data)
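The thread raises three separate mechanisms that are easy to conflate: the cookie's Secure attribute (which, as Mike explains, only governs the client-to-server direction), a mod_rewrite redirect that bounces plain-HTTP requests for protected documents to HTTPS, and SSLRequireSSL on the login locations. The httpd.conf fragment below is an added example that combines them; it is not Jim's attached script nor configuration from the Apache::AuthTicket project. It assumes mod_ssl and mod_rewrite are loaded, an AuthName of "realm" (so the AuthCookie variables are realmSomething, matching Jim's naming), and that protected content lives under /protected/.

```apache
# Added example, not from the thread.  Assumed: mod_ssl + mod_rewrite loaded,
# AuthName "realm", protected content under /protected/.

# 1. Cookie direction.  realmSecure makes AuthCookie add the Secure attribute
#    to the ticket cookie, which tells the browser not to return it over
#    plain HTTP.  It does NOT stop the server from serving the login form, or
#    from accepting the posted password, over an unencrypted connection.
PerlSetVar realmSecure             1
PerlSetVar realmPath               /
PerlSetVar realmTicketLoginHandler /LOGIN
PerlSetVar realmLoginScript        /login

# 2. Intercept an unencrypted request for a protected document and send the
#    browser to the same URL over HTTPS before the auth phase runs, so the
#    AuthTicket login form is only ever reached on an SSL connection.
#    %{HTTPS} is the server variable mod_ssl exports to mod_rewrite.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/protected/ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

<Location /protected>
  AuthType          Apache::AuthTicket
  AuthName          realm
  PerlAuthenHandler Apache::AuthTicket->authenticate
  PerlAuthzHandler  Apache::AuthTicket->authorize
  require valid-user
</Location>

# 3. Hard refusal, independent of the redirect above: a bookmarked or
#    hand-typed http:// URL for the form or its POST target gets a 403
#    instead of a page that would carry credentials in the clear.
<Location /login>
  SSLRequireSSL
  Options     ExecCGI
  SetHandler  perl-script
  PerlHandler Apache::Registry
</Location>

<Location /LOGIN>
  SSLRequireSSL
  SetHandler  perl-script
  PerlHandler Apache::AuthTicket->login
</Location>
```

The redirect and SSLRequireSSL are deliberately both present: the rewrite runs in the URI-translation phase and gives a browser a friendly path onto HTTPS, while SSLRequireSSL runs in the access phase and fails closed (403) if anything reaches the login locations over plain HTTP anyway. Neither replaces realmSecure, which is the only one of the three that constrains what the browser does with the ticket afterwards.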