> Getting back to the original subject: Assuming you're doing standard HTTP
> Authentication, it doesn't work that way. Once you get the login popup,
> every subsequent request by the browser sends the same authentication
> token (username & password in clear text) to the server.

You're right - the Authorization: header is sent back on subsequent
requests. However, I have done some testing with mod_forensic to log which
headers the client is sending. These are my findings:

1. User goes to a page which requires authentication over SSL,
   https://mysite/securedir/ - prompted for user/pass. Authorization:
   header added with base64 encoded string.

2. User visits any other pages on the same server, over SSL, e.g.
   https://mysite.tld/some-other-dir/, and the Authorization: header stays
   with them. The browser keeps sending it. That's OK.

3. User clicks on a link back to the port 80 version of the site,
   http://mysite.tld/index.html - the browser no longer seems to send the
   Authorization: header. It sees the http and https sites as different
   sites.

If this is the case, then would the following approach work?

1) If detected, .htaccess redirects to the SSL version of the site.
2) User authenticates over SSL and accesses the pages they are interested in.
3) At some point, they click a menu link etc. and go back to port 80, and
   the password is not exposed.

Paul

> Hence, doing SSL for the first request doesn't really add to your
> security since all the other requests would send the username &
> password in clear text (some people think the user & pass are
> "encrypted" but it's really just base64 encoding).
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
>
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
> -- Benjamin Franklin
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>   "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org

--
Paul Reilly
Systems Group
IS Services
Trinity College Dublin
e: paul.rei...@tcd.ie
p: +353-1-896-2152
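The mod_forensic test Paul describes above, as an added example that is not part of the thread: a script that reads mod_log_forensic output and reports every request that carried HTTP Basic credentials, so the "is the Authorization: header reaching port 80?" question can be answered from the logs rather than by eye. The log lines are constructed in the format mod_log_forensic writes (a "+<id>|<request line>|<Header>:<value>|..." line when a request arrives, a "-<id>" line when it completes, with ":" and "|" in values percent-escaped); the layout of one ForensicLog file per vhost (TLS and plaintext) is an assumption, as are the host name, paths and credentials. The http-side sample deliberately includes a direct request to the protected directory over port 80, the case the redirect in Paul's step 1 is meant to prevent, so the audit has something to catch.

```python
"""
Added example, not code from the httpd users list thread.

Audit mod_log_forensic output for requests that carried HTTP Basic
credentials, split by which vhost (TLS or plaintext) logged them.
"""
import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample logs. Assumed layout: one ForensicLog per vhost.
# paul:s3cr3t base64-encodes to cGF1bDpzM2NyM3Q= (constructed credential).
HTTPS_LOG = """\
+Xk1AAB|GET /securedir/ HTTP/1.1|Host:mysite.tld|User-Agent:Mozilla/5.0
-Xk1AAB
+Xk1AAC|GET /securedir/ HTTP/1.1|Host:mysite.tld|Authorization:Basic cGF1bDpzM2NyM3Q=
-Xk1AAC
+Xk1AAD|GET /some-other-dir/ HTTP/1.1|Host:mysite.tld|Authorization:Basic cGF1bDpzM2NyM3Q=
-Xk1AAD
"""

# Plaintext vhost: the link back from the SSL site arrives without any
# Authorization header (Paul's finding 3). The second request is the
# case the redirect-to-SSL is meant to prevent: the user typed the
# http:// URL of the protected directory directly and authenticated there.
HTTP_LOG = """\
+Xk1AAE|GET /index.html HTTP/1.1|Host:mysite.tld|Referer:https%3a//mysite.tld/securedir/
-Xk1AAE
+Xk1AAF|GET /securedir/ HTTP/1.1|Host:mysite.tld|Authorization:Basic cGF1bDpzM2NyM3Q=
-Xk1AAF
"""

Request = Tuple[str, str, Dict[str, str]]  # (forensic id, request line, headers)


def parse_forensic(log: str) -> List[Request]:
    """Return one (id, request line, headers) tuple per "+" line in the log."""
    requests: List[Request] = []
    for line in log.splitlines():
        if not line.startswith("+"):
            continue  # "-<id>" completion markers carry no headers
        fields = line[1:].split("|")
        req_id, request_line, raw_headers = fields[0], fields[1], fields[2:]
        headers: Dict[str, str] = {}
        for raw in raw_headers:
            name, _, value = raw.partition(":")
            # mod_log_forensic percent-escapes ':' and '|' inside values
            headers[name.lower()] = unquote(value)
        requests.append((req_id, request_line, headers))
    return requests


def basic_user(auth_value: str) -> Optional[str]:
    """Decode an Authorization value; return the user name for Basic, else None."""
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: not a usable credential
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def audit(logs: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """For each labelled log ("https", "http"), list requests that carried
    Basic credentials as (id, request line, user)."""
    found: Dict[str, List[Tuple[str, str, str]]] = {}
    for label, text in logs.items():
        hits = []
        for req_id, request_line, headers in parse_forensic(text):
            auth = headers.get("authorization")
            if auth is None:
                continue
            user = basic_user(auth)
            if user is not None:
                hits.append((req_id, request_line, user))
        found[label] = hits
    return found


if __name__ == "__main__":
    for label, hits in audit({"https": HTTPS_LOG, "http": HTTP_LOG}).items():
        for req_id, request_line, user in hits:
            print(f"{label}: {req_id} {request_line} user={user}")
```

Anything reported under the plaintext vhost is a password that crossed the wire in the clear (base64 is not encryption), which is exactly what the redirect-to-SSL step is meant to make impossible; a clean plaintext log is the evidence the approach is working.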