Posted to modperl@perl.apache.org by Martin Moss <ma...@btopenworld.com> on 2004/11/10 18:06:09 UTC

Authentication using https

All,

I'm about to replace the authentication mechanism that
our web site uses. However I wanted to sanity check my
thought process. 

Is it possible to have an Authen handler sitting on
certain areas of a site, and if a user isn't logged in
(i.e. doesn't have an auth session cookie) we present
them with a form. (I can do this, but the next bit is
new to me). Then when they send their details, i.e.
username and password, they go over an SSL connection,
which provided they are correct, then shows the page
the user originally wanted? 

Basically I have a mechanism working that does this
without the SSL, but can I update it to use an SSL
connection for the login form submit?

Marty



-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html


Re: Authentication using https

Posted by David Nicol <da...@gmail.com>.
while you're at it you might take a look at the kerberos-like AIS
infrastructure,
which does not at this time use apache extensions at all but which provides
passwordless e-mail-based  SSO
over an arbitrarily wide domain.


-- 
David L Nicol
"It's what God and Dwight Eisenhower intended,
and it's what I use today." -- Gerald Combs, talking about 8.5x11 paper



Re: Authentication using https

Posted by Martin Moss <ma...@btopenworld.com>.
Cheers Fellas, this was the bit I was concerned about.

Apache::AuthCookie looked a little bloated to me,
however I'm a big fan of only inventing new types of
wheels, not old, so I'll revisit...

Regards

Marty


 --- Michael J Schout <ms...@gkg.net> wrote: 
> On Wed, 10 Nov 2004, Skylos wrote:
> 
> > it could go...
> >
> > -> GET content from myserver port 80
> > <- 403 errordocument login form
> > -> POST credentials to myserver port 443
> > <- Location http://myserver/content
> > <- Set-Cookie: ticket=gooduser; Domain=myserver;
> Path=content;
> > -> GET content from myserver port 80
> > <- 403 errordocument login form
> >
> > And the question would be... Why would the browser
> say GET without the
> > cookie attached?
> >
> > It could be... because it didn't get the cookie
> from myserver:80 - it
> > got it from myserver:443 - and the security
> settings of the browser
> > say, 'enable only for the originating web server'
> 
> The port numbers do not matter at all.  There are a
> number of things you
> need to be aware of for cookies to work properly in
> this scenario.
> 
> - If you want the cookie to be presented over
> non-SSL connections, you
>    need to make sure that AuthNameSecure is not
> turned on in AuthCookie.
>    The "Secure" setting tells the browser to only
> send the cookie over
>    SSL connections.
> 
> - If you're using MSIE, you also need to properly
> create a P3P policy,
>    otherwise MSIE might not return the cookie
> (depending on security
>    settings).  The way you create a P3P policy is
> beyond the scope of
>    this email.  In AuthCookie you can do this with
> something like:
> 
>    PerlSetVar AuthNameP3P "CP=\"ALL DSP ...\""
> 
>    but you need to read up on P3P to know what the
> value should be.
> 
> But there is no problem issuing cookies on HTTPS and
> having the browser
> return them over non SSL provided that the "Domain"
> parameter of the
> cookie is properly set, and the "Secure" setting is
> turned off.
> 
> Regards,
> Michael Schout
> 





Re: Authentication using https

Posted by Michael J Schout <ms...@gkg.net>.
On Wed, 10 Nov 2004, Skylos wrote:

> it could go...
>
> -> GET content from myserver port 80
> <- 403 errordocument login form
> -> POST credentials to myserver port 443
> <- Location http://myserver/content
> <- Set-Cookie: ticket=gooduser; Domain=myserver; Path=content;
> -> GET content from myserver port 80
> <- 403 errordocument login form
>
> And the question would be... Why would the browser say GET without the
> cookie attached?
>
> It could be... because it didn't get the cookie from myserver:80 - it
> got it from myserver:443 - and the security settings of the browser
> say, 'enable only for the originating web server'

The port numbers do not matter at all.  There are a number of things you
need to be aware of for cookies to work properly in this scenario.

- If you want the cookie to be presented over non-SSL connections, you
   need to make sure that AuthNameSecure is not turned on in AuthCookie.
   The "Secure" setting tells the browser to only send the cookie over
   SSL connections.

- If you're using MSIE, you also need to properly create a P3P policy,
   otherwise MSIE might not return the cookie (depending on security
   settings).  The way you create a P3P policy is beyond the scope of
   this email.  In AuthCookie you can do this with something like:

   PerlSetVar AuthNameP3P "CP=\"ALL DSP ...\""

   but you need to read up on P3P to know what the value should be.

But there is no problem issuing cookies on HTTPS and having the browser
return them over non-SSL provided that the "Domain" parameter of the
cookie is properly set, and the "Secure" setting is turned off.

Regards,
Michael Schout

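As an added example, not code from the thread or from Apache::AuthCookie, here is a small Python model of the browser-side decision Michael describes: whether a stored cookie is attached to a request depends on its Domain, Path and Secure attributes and on the request scheme, and never on the port. It replays Skylos's sequence (a cookie set by the login script on https://myserver:443, then a GET to http://myserver:80/content) with the Secure flag off and on. The host name and paths are the ones from the thread's example; `Path=/content` with a leading slash is assumed, and the parser also shows what happens to a `Path=content` without one (browsers ignore it and fall back to the RFC 6265 default-path).

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # from Domain= (leading dot stripped), else the host that set it
    path: str     # from Path= if it starts with "/", else the RFC 6265 default-path
    secure: bool  # True if the Secure attribute was present


def default_path(request_path):
    """RFC 6265 5.1.4: the request path up to, not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def parse_set_cookie(header, setting_url):
    """Turn a Set-Cookie header received from setting_url into a Cookie."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    u = urlsplit(setting_url)
    domain, path, secure = u.hostname.lower(), default_path(u.path), False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            domain = val.strip().lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            path = val.strip()
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), domain, path, secure)


def domain_matches(host, cookie_domain):
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for_request(jar, url):
    """Cookies the browser would attach to a request for url.

    The port is deliberately never consulted: cookie scope is host, path and
    (via Secure) scheme, so a cookie from myserver:443 is fine for myserver:80.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    over_tls = u.scheme == "https"
    return [c for c in jar
            if domain_matches(host, c.domain)
            and path_matches(path, c.path)
            and (over_tls or not c.secure)]


def would_send(set_cookie_header, setting_url, request_url):
    """Names of the cookies from set_cookie_header that reach request_url."""
    jar = [parse_set_cookie(set_cookie_header, setting_url)]
    return [c.name for c in cookies_for_request(jar, request_url)]


def skylos_flow(secure_flag):
    """Cookie set by the HTTPS login POST, then the GET that follows the redirect."""
    header = "ticket=gooduser; Domain=myserver; Path=/content"
    if secure_flag:
        header += "; Secure"
    return would_send(header, "https://myserver:443/login", "http://myserver:80/content")
```

`skylos_flow(False)` returns `['ticket']` and `skylos_flow(True)` returns `[]`, which is the whole of Michael's point: the loop in Skylos's trace only happens if AuthNameSecure is on. The flip side worth keeping in mind is that leaving Secure off so the cookie works on port 80 means the session cookie itself then crosses the wire in clear on every request; the SSL login form protects the password, not the session.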


Re: Authentication using https

Posted by Skylos <sk...@gmail.com>.
Michael, I'm sorry but I don't believe that is correct.  Having
recently implemented an Apache::AuthCookie system, I can see a possible
issue with this strategy.  Please feel free to enlighten me if I am
full of shit.

First of all, there's nothing stopping you from submitting your login
form to an https URL.  That's not really the problem at all.

The problem you're probably going to run into has to do with cookies,
and user browsers, and domain names.

I'll assume the https and the http server have identical domain names,
obviating that possible problem.  If they were different with no
Domain parameter, or did not both match the Domain parameter of the
cookie, it wouldn't ever work, but I'm sure you know that.

When you set up your cookie, what is the Domain or host, and path
settings?  Are you explicitly defining them? Does the domain and path
match A. where the cookie is set AND B. where the cookie is being
used?  And in the end, does the browser send it?

it could go...  

-> GET content from myserver port 80 
<- 403 errordocument login form
-> POST credentials to myserver port 443
<- Location http://myserver/content
<- Set-Cookie: ticket=gooduser; Domain=myserver; Path=content; 
-> GET content from myserver port 80
<- 403 errordocument login form

And the question would be... Why would the browser say GET without the
cookie attached?

It could be... because it didn't get the cookie from myserver:80 - it
got it from myserver:443 - and the security settings of the browser
say, 'enable only for the originating web server'

A workaround might be... on secure submission of the credentials
generate a hash that is verifiable on the https side, redirect the
user to the http side with that hash in the querystring to a
setting-cookies script that reads the hash out of the query string,
verifies it, then sets the cookie, THEN redirects the user to the
actual content.

Implementation is left as an exercise to the questioner.  Or a later
question.  ;)

Skylos

On Wed, 10 Nov 2004 13:28:07 -0800, Michael <mi...@insulin-pumpers.org> wrote:
> > All,
> >
> > I'm about to replace the authentication mechanism that
> > our web site uses. However I wanted to sanity check my
> > thought process.
> >
> > Is it possible to have an Authen handler sitting on
> > certain areas of a site, and if a user isn't logged in
> > (i.e. doesn't have an auth session cookie) we present
> > them with a form. (I can do this, but the next bit is
> > new to me). Then when they send their details, i.e.
> > username and password, they go over an SSL connection,
> > which provided they are correct, then shows the page
> > the user originally wanted?
> >
> > Basically I have a mechanism working that does this
> > without the SSL, but can I update it to use an SSL
> > connection for the login form submit?
> >
> > Marty
> >
> 
> see Apache-AuthCookie
> 
> I believe everything you want is implemented in this package

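Skylos's workaround above hands the browser a "verifiable hash" in the query string and lets an HTTP-side script turn it into the cookie. As an added example, not code from the thread, here is one way to make that handoff safe in Python: the HTTPS login script issues an HMAC-SHA256 ticket over the user name, the issue time and a random nonce; the HTTP-side script verifies the MAC in constant time, rejects anything older than a minute or already redeemed, and only then issues a random session id and redirects. The host name myserver, the /setcookie path, the `t` and `next` parameter names and the server key are assumptions. The short lifetime and single use matter because the ticket travels in a URL, where it lands in browser history, proxy and server logs and Referer headers.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side key shared by the HTTPS login script and the HTTP
# cookie-setter (same Apache instance, as in John's scenario). Load it from
# configuration in real use; a fresh random key keeps this demo self-contained.
SERVER_KEY = secrets.token_bytes(32)
TICKET_TTL = 60          # seconds; long enough to follow one redirect
REDEEMED = set()         # nonces already exchanged for a cookie (single use)
SESSIONS = {}            # session id -> user, the HTTP side's session store


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_ticket(user, key=SERVER_KEY, now=None):
    """HTTPS side: ticket = b64(user|issued|nonce) . b64(HMAC-SHA256(key, payload))."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_ticket(ticket, key=SERVER_KEY, now=None, redeemed=REDEEMED):
    """HTTP side: return the user if the ticket is authentic, fresh and unused, else None."""
    now = int(time.time() if now is None else now)
    try:
        p64, m64 = ticket.split(".", 1)
        payload, mac = _b64d(p64), _b64d(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):       # constant-time compare
        return None
    try:
        user, issued, nonce = payload.decode().split("|")
        issued = int(issued)
    except ValueError:                               # also covers UnicodeDecodeError
        return None
    if not 0 <= now - issued <= TICKET_TTL:          # expired, or issued "in the future"
        return None
    if nonce in redeemed:                            # replayed from a log or history
        return None
    redeemed.add(nonce)
    return user


def https_login_redirect(user, target="/content"):
    """What the HTTPS login script sends as Location once the password checked out."""
    return "http://myserver/setcookie?" + urlencode({"t": make_ticket(user), "next": target})


def http_setcookie_script(url):
    """The HTTP-side script the browser is bounced to. Returns status and headers."""
    query = parse_qs(urlsplit(url).query)
    user = verify_ticket(query.get("t", [""])[0])
    if user is None:
        return {"status": 403, "headers": {}}
    nxt = query.get("next", ["/"])[0]
    if not nxt.startswith("/") or nxt.startswith("//"):   # same-site redirects only
        nxt = "/"
    sid = secrets.token_urlsafe(32)                        # random, not "ticket=gooduser"
    SESSIONS[sid] = user
    return {"status": 302,
            "headers": {"Location": nxt,
                        "Set-Cookie": f"session={sid}; Domain=myserver; Path=/; HttpOnly"}}
```

`http_setcookie_script(https_login_redirect("dave"))` returns a 302 to /content with a Set-Cookie header; feeding the same URL a second time returns 403 because the nonce has been redeemed. The session cookie is a random id looked up server-side rather than the literal `ticket=gooduser` from the trace, since a cookie whose value simply names the user can be typed in by anyone.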


Re: Authentication using https

Posted by John Wittkoski <jo...@aol.com>.

Michael wrote on 11/10/04, 4:28 PM:

 > > All,
 > >
 > > I'm about to replace the authentication mechanism that
 > > our web site uses. However I wanted to sanity check my
 > > thought process.
 > >
 > > Is it possible to have an Authen handler sitting on
 > > certain areas of a site, and if a user isn't logged in
 > > (i.e. doesn't have an auth session cookie) we present
 > > them with a form. (I can do this, but the next bit is
 > > new to me). Then when they send their details, i.e.
 > > username and password, they go over an SSL connection,
 > > which provided they are correct, then shows the page
 > > the user originally wanted?
 > >
 > > Basically I have a mechanism working that does this
 > > without the SSL, but can I update it to use an SSL
 > > connection for the login form submit?
 > >
 > > Marty
 > >
 >
 > see Apache-AuthCookie
 >
 > I believe everything you want is implemented in this package
 >

Marty,

Apache-AuthCookie does provide a mechanism similar to what you 
described. It sounds like you've already designed an Apache-AuthCookie 
clone. :-)

However, Apache-AuthCookie will not protect the initial submission of 
the password from being snooped.

Assuming that you already have your Apache server set up to use SSL, you 
should be able to put the login form verification script in an 
appropriate place served by the SSL config, and just point the login 
form action to that script. Then the script would redirect the user back 
to the original non-SSL page (if the login credentials were verified, of 
course.)

I'm assuming here that the same Apache instance is listening for non-SSL 
and SSL. (This is the default if mod_ssl is enabled.) If you have 
independent Apache instances running on 80 and 443 (possible but 
unlikely), or your SSL-ified Apache is on a different box, this may 
cause problems, depending on how your login script works.


    --John






Re: Authentication using https

Posted by Michael <mi...@insulin-pumpers.org>.
> All,
> 
> I'm about to replace the authentication mechanism that
> our web site uses. However I wanted to sanity check my
> thought process. 
> 
> Is it possible to have an Authen handler sitting on
> certain areas of a site, and if a user isn't logged in
> (i.e. doesn't have an auth session cookie) we present
> them with a form. (I can do this, but the next bit is
> new to me). Then when they send their details, i.e.
> username and password, they go over an SSL connection,
> which provided they are correct, then shows the page
> the user originally wanted? 
> 
> Basically I have a mechanism working that does this
> without the SSL, but can I update it to use an SSL
> connection for the login form submit?
> 
> Marty
> 

see Apache-AuthCookie

I believe everything you want is implemented in this package
