Martin,
You can avoid some redirection by having a non-HTTPS form which submits
to the HTTPS login page (although users might worry, no padlock icon).
Otherwise it's perfectly reasonable to redirect to a secure login. On
successful login simply 403 the user back to the page they wanted.
That's just one 403 per request.
Finally set "ErrorDocument 401 /your/login/page" on the HTTPS site -
note it's a relative URL so the redirect is done internally.
This is good behaviour IMHO, it means a failed login page won't be
cached by anything or treated as a hit in the web stats.
(when using custom ErrorDocument remember Internet Exploder will only
display a custom error doc if its size is >512 bytes)
John
Martin Moss wrote:
All,
During the Authentication phase, any custom responses
that need to be sent back to a user MUST be sent with
FORBIDDEN using custom_response?
Under Authentication 200 (OK) simply lets Apache move
on to the next phase (authz, content etc..)...
I have an authen handler which uses cookies.. and only
accepts username and password submits under https...
I'm getting grief from our sysadmin that there are too
many 403's being served...
1) to redirect the user from their http request to a
https page..
2) custom response showing the login page
3) redirect user to original http page
so 3 403's when a user has no valid cookie....
Is this abnormal? Is there anything I could do to
reduce this?
Marty