SSL Redirect for CookieCrumbler
Dear Zopers,

I need to redirect all my http requests to the login_form of the CookieCrumbler to https, so I wrote this rule in apache:

RewriteRule ^/login/login_form(.*) https://server/login/login_form$1 [NE,L]

It authenticates me through ssl, but then it comes back to http. I saw that the problem is that the came_from variable refers to the original http request; something like this:

https://server/login/login_form?came_from=http%3A//server/page&retry=&disable_cookie_login__=1

Is there any way of writing something like this in apache?

RewriteRule ^/login/login_form?came_from=http%3A(.*) https://server/login/login_form?came_from=https%3A$1 [NE,L]

It is not working for me :-(. I even tried escaping the '%' with a backslash like this:

RewriteRule ^/login/login_form?came_from=http\%3A(.*) https://server/login/login_form?came_from=https%3A$1 [NE,L]

But Apache doesn't match the rule. What's wrong with that?

Anyway, another thing that bothers me about the last approach is that I don't even know if there is always a "came_from" variable. Is this always the case? Is there any other way of achieving this?

Regards
Josef
> I need to redirect all my http requests to the login_form of the CookieCrumbler to https, so I wrote this rule in apache:
>
> RewriteRule ^/login/login_form(.*) https://server/login/login_form$1 [NE,L]
>
> It authenticates me through ssl, but then it comes back to http. I saw that the problem is that the came_from variable refers to the original http request; something like this:
>
> https://server/login/login_form?came_from=http%3A//server/page&retry=&disable_cookie_login__=1
Ok, finally I found a way of correcting this behavior without modifying my original RewriteRule. I added a new boolean attribute to the CookieCrumbler class: "ssl_redirect". If it is set, then the http part in the came_from variable will be replaced by https. All this would be done inside the getUnauthorizedURL method of the CookieCrumbler class (see the attachment). If you think there is a better way of doing this, please let me know.

Regards
Josef

Note: The patch was done for the CookieCrumbler v1.2

diff -Naur CookieCrumbler_old/CookieCrumbler.py CookieCrumbler_new/CookieCrumbler.py --- CookieCrumbler_old/CookieCrumbler.py 2004-06-14 18:34:36.000000000 +0200 +++ CookieCrumbler_new/CookieCrumbler.py 2006-06-16 17:34:04.000000000 +0200 @@ -83,6 +83,9 @@ 'label':'Use cookie paths to limit scope'}, {'id':'cache_header_value', 'type': 'string', 'mode':'w', 'label':'Cache-Control header value'}, + #SSL Redirection from Josef Meile + {'id':'ssl_redirect', 'type': 'boolean', 'mode':'w', + 'label':'Use ssl after login'}, ) auth_cookie = '__ac' @@ -95,6 +98,9 @@ local_cookie_path = 0 cache_header_value = 'no-cache' + #Patch from Josef Meile + ssl_redirect = 0 + security.declarePrivate('delRequestVar') def delRequestVar(self, req, name): # No errors of any sort may propagate, and we don't care *what* @@ -315,6 +321,11 @@ came_from = req.get('came_from', None) if came_from is None: came_from = req.get('URL', '') + + #Patch from Josef Meile in order to redirect to ssl if using http + if self.ssl_redirect and came_from.startswith('http:'): + came_from = 'https' + came_from[4:] + query = req.get('QUERY_STRING') if query: # Include the query string in came_from 
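Review bot: the scheme swap in getUnauthorizedURL operates on whatever came_from the client supplied (`came_from = req.get('came_from', None)` is taken straight from the request), so a came_from pointing at another host is upgraded to https and redirected to all the same; the patch does not make that worse, but since it now inspects the value, this is the natural place to reject a came_from whose host differs from the request's host before building the redirect. Two smaller points in the same hunk: `came_from = 'https' + came_from[4:]` only reads correctly once you notice that the slice keeps the colon, so `'https:' + came_from[len('http:'):]` or `came_from.replace('http:', 'https:', 1)` would be clearer, and the `#Patch from Josef Meile` attribution comments belong in the ChangeLog or commit message rather than in the code.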
@@ -371,6 +382,14 @@ return p.get('label', id) return id + #Patch from Josef Meile + def __setstate__(self,state): + #This method adds new attributes and deletes old ones each time + #that you view old instances of the class + Folder.__setstate__(self,state) + if not hasattr(self,'ssl_redirect'): + self.ssl_redirect = 0 + Globals.InitializeClass(CookieCrumbler)
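Review bot: the `__setstate__` override is a no-op as written: `hasattr(self, 'ssl_redirect')` is always true once the class attribute `ssl_redirect = 0` from the earlier hunk exists, because hasattr falls through to the class, so `self.ssl_redirect = 0` never runs and the override can be dropped (the class attribute already gives pre-patch instances their default). If it is kept anyway, nothing in the patch shows `Folder` being imported or being a base class of CookieCrumbler, so `Folder.__setstate__(self, state)` needs checking against the actual class hierarchy of this standalone version, and the docstring-style comment should say what the method is for (adding the attribute to old instances) rather than claiming it "deletes old ones", which it does not do.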
Josef Meile wrote at 2006-6-16 12:54 +0200:
> I need to redirect all my http requests to the login_form of the CookieCrumbler to https, so I wrote this rule in apache:
>
> RewriteRule ^/login/login_form(.*) https://server/login/login_form$1 [NE,L]
>
> It authenticates me through ssl, but then it comes back to http. I saw that the problem is that the came_from variable refers to the original http request; something like this:
>
> https://server/login/login_form?came_from=http%3A//server/page&retry=&disable_cookie_login__=1
>
> Is there any way of writing something like this in apache?

You rewrite "came_from" in your login form to use "https"...

-- 
Dieter
Josef Meile wrote:
> I need to redirect all my http requests to the login_form of the CookieCrumbler to https, so I wrote this rule in apache:

Why bother? Just because the form is secure doesn't make cookie authentication any more secure. Do you stay in https once authenticated?

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Hi Chris,
>> I need to redirect all my http requests to the login_form of the CookieCrumbler to https, so I wrote this rule in apache:
>
> Why bother? Just because the form is secure doesn't make cookie authentication any more secure.

Yes, you're right. That is exactly the conclusion I also figured out after finding an interesting article on plone.org, which talks about this:

* Secure login without plain text passwords
  http://plone.org/documentation/how-to/secure-login-without-plain-text-passwo...

The only problem is that the product mentioned there, SessionCrumbler, is based on the CMF CookieCrumbler and not the standalone version. I guess it wouldn't be difficult to port; I even tried it by replacing the CMF imports with the standalone version, but it didn't work. Zope hung and I didn't even get a traceback. Anyway, I'm not going to spend more time trying to get this working. I will perhaps try to do some patch to the basic http authentication like CookieCrumbler does, but instead of showing the login forms, I want to do a redirect if the request is insecure, so you will still get the popup window, but in https.

> Do you stay in https once authenticated?

Yes, the problem, if you read my post, was that with the apache RewriteRule I could authenticate myself in ssl, but after that the browser took me back again to http -> see the article; it exposes the problem clearly.

Regards
Josef
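A worked, stand-alone model of the two ideas in this thread, added here as an example; it is not CookieCrumbler's code and not Josef's patch. It reproduces the came_from handling the patch describes for getUnauthorizedURL (derive came_from from the request URL plus query string when the form did not send one, then swap http: for https: when ssl_redirect is set), and the "redirect an insecure request to https instead of challenging it" behaviour from the message above. Requests are modelled as plain dicts carrying the keys Zope's REQUEST exposes (URL, QUERY_STRING, came_from); the login form is assumed to live at /login/login_form as in the RewriteRule earlier; the same-host check on came_from and the use_login_form switch are additions of mine, not behaviour the page attributes to the product.

```python
# Added example, not CookieCrumbler's code and not Josef's patch.
# Requests are plain dicts (assumption) with the keys Zope's REQUEST exposes:
# URL, QUERY_STRING and, when the login form posts back, came_from.
from urllib.parse import quote, urlsplit, urlunsplit

LOGIN_FORM = "/login/login_form"  # assumed path, as in the RewriteRule above


def upgrade_to_https(url):
    """Replace an http: scheme with https:, leaving any other value alone."""
    if url.startswith("http:"):
        return "https:" + url[len("http:"):]
    return url


def same_host_or_root(came_from, request_url):
    """Keep came_from only if it stays on the requesting host.

    came_from is supplied by the client, so an absolute or scheme-relative
    URL to another host would turn the login form into an open redirector.
    This check is an addition here; the patch on this page does not do it.
    Off-host targets are replaced by the site root on the requesting host.
    """
    here = urlsplit(request_url)
    target = urlsplit(came_from)
    if target.netloc and target.hostname != here.hostname:
        return urlunsplit((here.scheme, here.netloc, "/", "", ""))
    return came_from


def unauthorized_url(req, ssl_redirect=False, retry=""):
    """Build the redirect to the login form, in the spirit of getUnauthorizedURL.

    When came_from has to be derived from the request URL, the original
    query string is appended so the user lands back where they were.
    With ssl_redirect set, an http: scheme in came_from becomes https:,
    which is what keeps the browser in SSL after the login form submits.
    """
    request_url = req.get("URL", "")
    came_from = req.get("came_from")
    if came_from is None:
        came_from = request_url
        query = req.get("QUERY_STRING")
        if query:
            came_from = came_from + "?" + query
    came_from = same_host_or_root(came_from, request_url)
    if ssl_redirect:
        came_from = upgrade_to_https(came_from)
    here = urlsplit(request_url)
    scheme = "https" if ssl_redirect else here.scheme
    login_form = urlunsplit((scheme, here.netloc, LOGIN_FORM, "", ""))
    # quote() keeps '/' unescaped, matching the came_from=http%3A//server/page
    # shape seen in the thread.
    return "%s?came_from=%s&retry=%s&disable_cookie_login__=1" % (
        login_form, quote(came_from), retry)


def challenge(req, ssl_redirect=False, use_login_form=True):
    """Decide how to answer a request that needs authentication.

    Returns (status, header): the Location of a 302, or the WWW-Authenticate
    value of a 401 basic-auth challenge.  With ssl_redirect set, a request
    that arrived over plain http is first bounced to its https twin, so the
    credentials (login form or browser popup) are only ever sent over SSL.
    """
    request_url = req.get("URL", "")
    query = req.get("QUERY_STRING")
    full_url = request_url + ("?" + query if query else "")
    if ssl_redirect and urlsplit(request_url).scheme == "http":
        return 302, upgrade_to_https(full_url)
    if use_login_form:
        return 302, unauthorized_url(req, ssl_redirect=ssl_redirect)
    return 401, 'Basic realm="Zope"'  # realm name is a placeholder


if __name__ == "__main__":
    # Constructed sample request: the http://server/page case from the thread.
    sample = {"URL": "http://server/page", "QUERY_STRING": "x=1"}
    print(unauthorized_url(sample, ssl_redirect=True))
    print(challenge(sample, ssl_redirect=True))
```

Note that challenge() answers an insecure request with a redirect before any credential is asked for, whereas unauthorized_url() only fixes the scheme of the return address; the former is what stops the basic-auth popup from ever appearing over http, the latter is what stops the browser from falling back to http after the form login that the original Apache rule caused.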
participants (3)
- Chris Withers
- Dieter Maurer
- Josef Meile