
Mailing List Archive: Apache: Users

How to Redirect to https after login?

 

 



erik at schwagerus

Oct 29, 2009, 3:46 AM

Post #1 of 8 (644 views)
How to Redirect to https after login?

Hello,

I need some expert help on the following configuration task:

I have a startpage with a standard login form. After a user logs in, he
should be redirected to use https for the rest of the session.
When I use a rewrite rule as shown below,
RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
the parameters get lost, because the request is translated to a GET request.
What do I need to do, to fix this problem?
Many thanks in advance
Erik

<VirtualHost *:49080>
ServerName staging.xxx.com
ServerAlias xxx.com xxx.de
DocumentRoot "/xxx/htdocs/"
DirectoryIndex index.gsp index.html
CustomLog /weblog/httpd/access.log combined

# Define error doc when tomcat is down
ErrorDocument 503 /error/503.html

# Define the proxy connection to tomcat listening on port 49888
ProxyRequests Off
# Define an exception for the path to apache error pages
ProxyPass /error !
# Route all requests to tomcat
ProxyPass / ajp://127.0.0.1:49888/

# Collection of rewrite rules
RewriteEngine On

RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
</VirtualHost>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


krist.vanbesien at gmail

Oct 29, 2009, 4:47 AM

Post #2 of 8 (601 views)
Re: How to Redirect to https after login? [In reply to]

On Thu, Oct 29, 2009 at 11:46 AM, ericdraven <erik [at] schwagerus> wrote:
>
> Hello,
>
> I need some expert help on the following configuration task:
>
> I have a startpage with a standard login form. After a user logs in, he
> should be
> redirected to use https for the rest of the session.

That's a rather odd requirement. Normally the requirement is to be
redirected to https _before_ logging in. It is, after all, the login
data, that you need to protect.


> When I use a rewrite rule as shown below,
> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
> the parameters get lost, because the request is translated to a GET request.
> What do I need to do, to fix this problem?

Use the QSA flag, so the query string doesn't get lost.

Krist



--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



erik at schwagerus

Oct 29, 2009, 5:42 AM

Post #3 of 8 (603 views)
Re: How to Redirect to https after login? [In reply to]

I already tried this but it doesn't help, because the login form uses the
POST method to transfer the data and there is no query string.


Krist van Besien wrote:
>
> On Thu, Oct 29, 2009 at 11:46 AM, ericdraven <erik [at] schwagerus> wrote:
>>
>> Hello,
>>
>> I need some expert help on the following configuration task:
>>
>> I have a startpage with a standard login form. After a user logs in, he
>> should be
>> redirected to use https for the rest of the session.
>
> That's a rather odd requirement. Normally the requirement is to be
> redirected to https _before_ logging in. It is, after all, the login
> data, that you need to protect.
>
>
>> When I use a rewrite rule as shown below,
>> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
>> the parameters get lost, because the request is translated to a GET
>> request.
>> What do I need to do, to fix this problem?
>
> Use the QSA flag, so the query string doesn't get lost.
>
> Krist



covener at gmail

Oct 29, 2009, 5:43 AM

Post #4 of 8 (606 views)
Re: How to Redirect to https after login? [In reply to]

>> When I use a rewrite rule as shown below,
>> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
>> the parameters get lost, because the request is translated to a GET request.
>> What do I need to do, to fix this problem?
>
> Use the QSA flag, so the query string doesn't get lost.

QSA only does anything when you're explicitly adding a query string in
your substitution.

OP is redirecting a POST, which is something to be avoided. A simple
HTML redirect in the output of the form-based login makes a lot of
sense.

--
Eric Covener
covener [at] gmail



orasnita at gmail

Oct 29, 2009, 6:19 AM

Post #5 of 8 (605 views)
Re: How to Redirect to https after login? [In reply to]

From: "Krist van Besien" <krist.vanbesien [at] gmail>
> On Thu, Oct 29, 2009 at 11:46 AM, ericdraven <erik [at] schwagerus> wrote:
>>
>> Hello,
>>
>> I need some expert help on the following configuration task:
>>
>> I have a startpage with a standard login form. After a user logs in, he
>> should be
>> redirected to use https for the rest of the session.
>
> That's a rather odd requirement. Normally the requirement is to be
> redirected to https _before_ logging in. It is, after all, the login
> data, that you need to protect.
>

Isn't it OK if the login form uses an action="https://..." attribute?

The request would be made using HTTPS, not HTTP, so it should be protected,
no matter that the original page was using HTTP.

Thanks.

Octavian




orasnita at gmail

Oct 29, 2009, 6:21 AM

Post #6 of 8 (607 views)
Re: How to Redirect to https after login? [In reply to]

From: "Eric Covener" <covener [at] gmail>
>>> When I use a rewrite rule as shown below,
>>> RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R,L]
>>> the parameters get lost, because the request is translated to a GET
>>> request.
>>> What do I need to do, to fix this problem?
>>
>> Use the QSA flag, so the query string doesn't get lost.
>
> QSA only does anything when you're explicitly adding a query string in
> your substitution.
>
> OP is redirecting a POST, which is something to be avoided.

Why should a redirect after POST be avoided?

> A simple
> HTML redirect in the output of the form-based login makes a lot of
> sense.

Why? It makes the process dependent on the browser, which should be avoided.

Thanks.

Octavian




covener at gmail

Oct 29, 2009, 7:21 AM

Post #7 of 8 (606 views)
Re: How to Redirect to https after login? [In reply to]

>>
>> OP is redirecting a POST, which is something to be avoided.
>
> Why should a redirect after POST be avoided?

It's hairy, and the HTTP/1.1 RFC talks about potential confusion about
whether the client will re-submit the POST to the new URL [after
prompting the user] or send a GET to the new URL.

I also believe there are IE bugs in this area where it drops the body
but retains the Content-Length on the redirect.

>
>> A simple
>> HTML redirect in the output of the form-based login makes a lot of
>> sense.
>
> Why? It makes the process dependent on the browser, which should be avoided.

A redirect is just as dependent. This allows the request to run to
completion, processing the post body, before doing any kind of
redirect. You could also modify whatever processes the form-based
login, but that's more complicated.

You shouldn't depend on either mechanism to enforce that the requests
on the other side of the URL are protected by SSL, so IMO there's no
exposure to using the HTML.

--
Eric Covener
covener [at] gmail



krist.vanbesien at gmail

Oct 30, 2009, 3:58 AM

Post #8 of 8 (583 views)
Re: How to Redirect to https after login? [In reply to]

On Thu, Oct 29, 2009 at 2:19 PM, Octavian Râsnita <orasnita [at] gmail> wrote:

>> That's a rather odd requirement. Normally the requirement is to be
>> redirected to https _before_ logging in. It is, after all, the login
>> data, that you need to protect.
>>
>
> Isn't OK if the login form uses an action="https://..." attribute?

In that case you don't need the redirect the OP asked for.

Krist



--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
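
Added example, not part of any post in this thread: one way to arrange the two vhosts so that the login form is already served over HTTPS and a POST is never redirected, which combines the advice in posts #2, #4 and #7. The HTTPS port 443, the certificate paths and the choice to answer a plain-HTTP POST with 403 are assumptions; the server name and the AJP backend are taken from the original post.

```apache
# Added illustration; not taken from any post in this thread.
# Assumptions: HTTPS is served on port 443 of the same host, and the
# certificate paths below are placeholders.

<VirtualHost *:49080>
    ServerName staging.xxx.com
    RewriteEngine On

    # Move only safe requests for the login page to HTTPS, so the form is
    # served over TLS and its POST goes straight to the HTTPS vhost.
    RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$
    RewriteRule ^/login(.*) https://%{SERVER_NAME}/login$1 [R=302,L]

    # Do not redirect a POST: its body has already crossed the network in
    # clear text and clients disagree on whether to resend it. Refuse it.
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteRule ^/login - [F]

    # ErrorDocument and ProxyPass lines as in the original vhost
</VirtualHost>

<VirtualHost *:443>
    ServerName staging.xxx.com
    SSLEngine On
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # Same backend as the original post; the login POST arrives here intact.
    ProxyRequests Off
    ProxyPass /error !
    ProxyPass / ajp://127.0.0.1:49888/
</VirtualHost>
```

The redirect on the HTTP side is a convenience for users who type the plain URL; the 403 rule is what keeps credentials from being accepted over HTTP.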
