Hi Chris,
I need to redirect all my http requests to the login_form of the CookieCrumbler to https, so I wrote this rule in Apache:
Why bother? Just because the form is secure doesn't make cookie authentication any more secure.
Yes, you're right. That is exactly the conclusion I also reached after finding an interesting article on plone.org, which talks about this:
* Secure login without plain text passwords http://plone.org/documentation/how-to/secure-login-without-plain-text-passwo...
The only problem is that the product mentioned there, SessionCrumbler, is based on the CMF CookieCrumbler and not the Standalone version. I guess it wouldn't be difficult to port; I even tried it by replacing the CMF imports with the Standalone version, but it didn't work. Zope hung and I didn't even get a traceback. Anyway, I'm not going to spend more time trying to get this working. I will perhaps try to make a patch to the basic http authentication like CookieCrumbler does, but instead of showing the login forms, I want to do a redirect if the request is insecure, so you will still get the popup window, but in https.
Do you stay in https once authenticated?
Yes, the problem, if you read my post, was that with the Apache RewriteRule, I could authenticate myself in ssl, but after that the browser took me back again to http -> See the article; it clearly exposes the problem.
Regards
Josef