Joshua,

Thanks for responding. I had planned on looking into AuthDigest anyway, so I'll go ahead and do that. If I end up using AuthDigest, would it then make sense to only use SSL when actually logging in?

Also, just for the sake of knowledge, how should I go about adding a Rewrite to my SSL host to redirect me to the non-SSL host once I've logged in?

Thanks!

--
BTR

On Dec 16, 2007 11:01 AM, Joshua Slive <[EMAIL PROTECTED]> wrote:
> On Dec 16, 2007 12:17 PM, Bryan Richardson <[EMAIL PROTECTED]> wrote:
> > Hello all,
> >
> > I've set up a Trac site on my server, and I'm trying to configure it such
> > that when a user attempts to log in, SSL is used. I *think* I've configured
> > my rewrites correctly (see below), but after the login occurs the site is
> > still using SSL. I only want to use SSL for the actual act of logging in,
> > and nothing else. Can anyone help me with this? See my site configuration
> > files below for what I have so far. Thanks!
>
> Basic auth doesn't work that way. The userid and password are
> transmitted on EVERY request, not just when you see the prompt in
> the browser. (The browser memorizes the userid/password and resends it
> as required.)
>
> So if you want secure authentication with basic, everything needs to
> be under SSL.
>
> If you don't want that, your alternatives are digest auth (which is
> somewhat more secure than basic) and cookie-based session management.
> Cookies are the technique used by most major websites, but they aren't
> provided in the standard apache install (because there is no single
> standard way to implement cookie-based auth).
>
> To answer your original question of why you aren't redirected back,
> it's because you didn't add a Rewrite in your SSL host to send you back
> to your non-SSL host. But for the above reasons, you don't want to do
> that.
>
> > P.S. Can anyone tell me what SSLRequireSSL does and if it's actually
> > necessary?
>
> It denies any request that is not over an SSL connection. The way you
> used it makes no sense because it only applies to requests served by
> the SSL vhost, which are obviously under SSL. The typical way to use
> it is to put it in the main server config (outside any vhost) to make
> sure that requests for certain directories are only served by the SSL
> vhost.
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>    "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
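The following Apache configuration is an added example, not part of the thread and not Bryan's actual site config. It shows the layout Joshua describes: because Basic auth resends the credentials on every request, the whole protected area stays under SSL, the plain-HTTP vhost redirects requests for it to the SSL vhost, and SSLRequireSSL sits in the main server config rather than inside the SSL vhost. The hostname example.com, the /trac path, the htpasswd file and the certificate paths are assumed values.

```apache
# Added example, not from the thread. Assumed: example.com, /trac,
# /etc/apache2/trac.htpasswd and the certificate paths.

# Main server config (outside any <VirtualHost>), so it is inherited by
# every vhost. SSLRequireSSL denies any request for /trac that did not
# arrive over an SSL connection, whichever vhost happened to serve it.
<Location /trac>
    SSLRequireSSL
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /etc/apache2/trac.htpasswd
    Require valid-user
</Location>

# Plain-HTTP vhost: send every request for /trac to the SSL host,
# keeping the rest of the path. The redirect runs before the auth
# phase, so the browser is never prompted for credentials over HTTP.
<VirtualHost *:80>
    ServerName example.com
    RewriteEngine On
    RewriteRule ^/trac(.*)$ https://%{HTTP_HOST}/trac$1 [R=301,L]
</VirtualHost>

# SSL vhost: serves the authenticated area. No rewrite back to the
# non-SSL host here; that would put the next request's credentials
# on the wire in the clear.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Trac itself (mod_python, mod_wsgi, or a proxy) is mounted at /trac
    # in this vhost; that part is omitted.
</VirtualHost>
```

With this layout the question of redirecting back to the non-SSL host after login does not arise: every request that carries the Authorization header is served by the :443 vhost, and a request that reaches /trac over port 80 is either redirected by mod_rewrite or, if the rewrite is ever removed, refused by SSLRequireSSL before authentication is attempted.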