Hi, I have read all the various documents and howtos regarding setting zope with apache and SSL, and I set it up. I have two virtual servers, http and https, serving the same hierarchy of zope objects. I would llike to secure passwords by using SSL. It is suggested everywhere I read that the protection should be done with RewriteRule or similar, by filtering urls. For example, I use RewriteRule match like ^manage(.*) and another to see if the protocol is insecure to redirect such requests to the same URL, but over https. Else, I can use solutions like SSLAbsoluteURL to adjust behavior of absolute_url() This, however, seems unsatisfactory. RewriteRules or url base manipulation cannot guarantee that the site visitor would not run into a protected object. In this case, the server returns "Unauthorized" response, the browser pops up the basic http authorisation dialog and login/password travel in the open. Looking at the CookieCrumbler product, I realise that before anything gets published it "highjacks" the RESPONSE object and manipulates it, including removing "Unauthorized" and redirecting to a login form. I hope somebody has time to answer two questions: How legitimate would it be to do the same, but to make external redirect via https? I understand that this might mean a lot of nasty things, including being locked out of Zope, but this can be dealt with, for example, _emergency_user. Assume I make a hypothetical SSLRedirect product, modelled on CookieCrumbler. There is no reasonable way to keep them in the same folder and make sure that SSLRedirect gets to the REQUEST/RESPONSE before CookieCrumbler, correct? I.e. such SSLRedirect product would have to be in a subfolder relative to CookieCrumbler so that it gets traversed first. Thanks in advance, Regards, Serguei