[Zope-dev] question: forcing https for authentication
Dieter Maurer
dieter@handshake.de
Thu, 16 Jan 2003 22:13:00 +0100
Oliver Bleutgen wrote at 2003-1-16 15:42 +0100:
> One thing that bothers me is that I cannot reliably (as in "in a generic
> way which always works") prevent users from sending their authentication
> unencrypted.
> The only ideas I have to tackle this without modifying zope itself are
>
> - customize all pages which need authentication to check for "https://"
> in one of the relevant REQUEST attributes and do a redirect if not.
> - use apache with some magic to trigger redirection if it encounters
> authentication headers in the request.
> - use apache with some rewrite magic trigger redirection when a
> substring like "manage" is found in the request.
You might use a "SiteAccess" access rule.
Dieter