Posted to users@httpd.apache.org by ericdraven <er...@schwagerus.de> on 2009/10/29 11:46:57 UTC

[users@httpd] How to Redirect to https after login?

Hello,

I need some expert help on the following configuration task:

I have a startpage with a standard login form. After a user logs in, he
should be redirected to use https for the rest of the session.
When I use a rewrite rule as shown below,
RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
the parameters get lost, because the request is translated to a GET request.
What do I need to do to fix this problem?
Many thanx in advance
    Erik

<VirtualHost *:49080>
   ServerName staging.xxx.com
   ServerAlias xxx.com xxx.de 
   DocumentRoot "/xxx/htdocs/"
   DirectoryIndex index.gsp index.html
   CustomLog /weblog/httpd/access.log combined

   # Define error doc when tomcat is down
   ErrorDocument 503 /error/503.html

   # Define the proxy connection to tomcat listening on port 49888
   ProxyRequests Off
   # Define an exception for the path to apache error pages
   ProxyPass /error !
   # Route all requests to tomcat
   ProxyPass / ajp://127.0.0.1:49888/

   # Collection of rewrite rules
   RewriteEngine On

   RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
</VirtualHost>

-- 
View this message in context: http://www.nabble.com/How-to-Redirect-to-https-after-login--tp26110773p26110773.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How to Redirect to https after login?

Posted by ericdraven <er...@schwagerus.de>.
I already tried this but it doesn't help, because the login form uses the
POST method to transfer the data and there is no query string.


Krist van Besien wrote:
> 
> On Thu, Oct 29, 2009 at 11:46 AM, ericdraven <er...@schwagerus.de> wrote:
>>
>> Hello,
>>
>> I need some expert help on the following configuration task:
>>
>> I have a startpage with a standard login form. After a user logs in, he
>> should be
>> redirected to use https for the rest of the session.
> 
> That's a rather odd requirement. Normally the requirement is to be
> redirected to https _before_ logging in. It is, after all, the login
> data that you need to protect.
> 
> 
>> When I use a rewrite rule as shown below,
>> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
>> the parameters get lost, because the request is translated to a GET
>> request.
>> What do I need to do, to fix this problem?
> 
> Use the QSA flag, so the query string doesn't get lost.
> 
> Krist





Re: [users@httpd] How to Redirect to https after login?

Posted by Eric Covener <co...@gmail.com>.
>>
>> OP is redirecting a POST, which is something to be avoided.
>
> Why should a redirect after POST be avoided?

It's hairy, and the HTTP/1.1 RFC talks about potential confusion about
whether the client will re-submit the POST to the new URL [after
prompting the user] or send a GET to the new URL.

I also believe there are IE bugs in this area where it drops the body
but retains the Content-Length on the redirect.

>
>> A simple
>> HTML redirect in the output of the form-based login makes a lot of
>> sense.
>
> Why? It makes the process dependent on the browser, which should be avoided.

A redirect is just as dependent.  This allows the request to run to
completion, processing the post body, before doing any kind of
redirect.  You could also modify whatever processes the form-based
login, but that's more complicated.

You shouldn't depend on either mechanism to enforce that the requests
on the other side of the URL are protected by SSL, so IMO there's no
exposure to using the HTML.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] How to Redirect to https after login?

Posted by Octavian Râsnita <or...@gmail.com>.
From: "Eric Covener" <co...@gmail.com>
>>> When I use a rewrite rule as shown below,
>>> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
>>> the parameters get lost, because the request is translated to a GET 
>>> request.
>>> What do I need to do, to fix this problem?
>>
>> Use the QSA flag, so the query string doesn't get lost.
>
> QSA only does anything when you're explicitly adding a query string in
> your substitution.
>
> OP is redirecting a POST, which is something to be avoided.

Why should a redirect after POST be avoided?

> A simple
> HTML redirect in the output of the form-based login makes a lot of
> sense.

Why? It makes the process dependent on the browser, which should be avoided.

Thanks.

Octavian




Re: [users@httpd] How to Redirect to https after login?

Posted by Eric Covener <co...@gmail.com>.
>> When I use a rewrite rule as shown below,
>> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
>> the parameters get lost, because the request is translated to a GET request.
>> What do I need to do, to fix this problem?
>
> Use the QSA flag, so the query string doesn't get lost.

QSA only does anything when you're explicitly adding a query string in
your substitution.

OP is redirecting a POST, which is something to be avoided.  A simple
HTML redirect in the output of the form-based login makes a lot of
sense.

-- 
Eric Covener
covener@gmail.com

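As an added illustration (not code from anyone in this thread), the following Python models the two points Eric makes: what mod_rewrite does with the query string under the R flag, with and without QSA, and what a browser does with the POST body when it follows the resulting 302. The server name staging.example.com and the form body are constructed stand-ins, not values from the thread.

```python
import re

# Stand-in for %{SERVER_NAME}; an assumption for this example, not from the thread.
SERVER_NAME = "staging.example.com"


def apply_rewrite(path, query, pattern, substitution, qsa=False):
    """Model one RewriteRule with the R flag and return the Location the
    server would send (None if the pattern does not match). As in mod_rewrite,
    the original query string passes through unchanged unless the substitution
    itself contains '?', and only then does QSA decide whether to append it."""
    m = re.search(pattern, path)
    if m is None:
        return None
    template = substitution.replace("%{SERVER_NAME}", SERVER_NAME)
    target = m.expand(template.replace("$", "\\"))  # $1 -> \1 for re.expand
    if "?" in target:
        target, new_query = target.split("?", 1)
        if qsa and query:
            new_query = f"{new_query}&{query}" if new_query else query
    else:
        new_query = query
    return target + (f"?{new_query}" if new_query else "")


def client_next_request(method, body, headers, status, location):
    """Build the request a browser issues when following the redirect.
    For 301/302/303 browsers re-issue the request as GET and drop the body
    (RFC 7231 permits this for 301/302 and requires it for 303); [R] sends
    302 by default, which is why the OP's POST parameters vanish. 307/308 keep both."""
    if status in (301, 302, 303):
        kept = {k: v for k, v in headers.items()
                if k.lower() not in ("content-type", "content-length")}
        return {"method": "GET", "url": location, "body": b"", "headers": kept}
    if status in (307, 308):
        return {"method": method, "url": location, "body": body,
                "headers": dict(headers)}
    raise ValueError(f"not a redirect status: {status}")


def login_after_rewrite(qsa=False, status=302):
    """The OP's form POST to /login passing through the rewrite rule and a
    browser. The credentials already crossed the wire in cleartext first."""
    location = apply_rewrite("/login", "", r"^/login(.*)",
                             "https://%{SERVER_NAME}/login$1", qsa=qsa)
    body = b"user=erik&password=constructed-sample"   # constructed sample body
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body))}
    return client_next_request("POST", body, headers, status, location)
```

With status=307 the body survives the redirect, but the form data still went over plain HTTP before the server answered, which is the point about moving to https before the login rather than after it.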


Re: [users@httpd] How to Redirect to https after login?

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Oct 29, 2009 at 2:19 PM, Octavian Râsnita <or...@gmail.com> wrote:

>> That's a rather odd requirement. Normally the requirement is to be
>> redirected to https _before_ logging in. It is, after all, the login
>> data that you need to protect.
>>
>
> Isn't it OK if the login form uses an action="https://..." attribute?

In that case you don't need the redirect the OP asked for.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] How to Redirect to https after login?

Posted by Octavian Râsnita <or...@gmail.com>.
From: "Krist van Besien" <kr...@gmail.com>
> On Thu, Oct 29, 2009 at 11:46 AM, ericdraven <er...@schwagerus.de> wrote:
>>
>> Hello,
>>
>> I need some expert help on the following configuration task:
>>
>> I have a startpage with a standard login form. After a user logs in, he
>> should be
>> redirected to use https for the rest of the session.
>
> That's a rather odd requirement. Normally the requirement is to be
> redirected to https _before_ logging in. It is, after all, the login
> data that you need to protect.
>

Isn't it OK if the login form uses an action="https://..." attribute?

The request would be made using HTTPS, not HTTP, so it should be protected, 
no matter that the original page was using HTTP.

Thanks.

Octavian




Re: [users@httpd] How to Redirect to https after login?

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Oct 29, 2009 at 11:46 AM, ericdraven <er...@schwagerus.de> wrote:
>
> Hello,
>
> I need some expert help on the following configuration task:
>
> I have a startpage with a standard login form. After a user logs in, he
> should be
> redirected to use https for the rest of the session.

That's a rather odd requirement. Normally the requirement is to be
redirected to https _before_ logging in. It is, after all, the login
data that you need to protect.


> When I use a rewrite rule as shown below,
> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
> the parameters get lost, because the request is translated to a GET request.
> What do I need to do, to fix this problem?

Use the QSA flag, so the query string doesn't get lost.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
