SHTTP redirect and Auth in same .htaccess executing in wrong order


richcon

Programmer
Jan 25, 2007
5
US
I'm working on a web site on a shared hosting server (Apache 1.3.37), so I don't have direct control over Apache and can only use .htaccess files to get the job done.

For a folder containing sensitive info, I want it to first redirect to SHTTP (if connecting by regular http), THEN require a password, in that order.

Instead, it's first sending out the auth request over the unencrypted plain, receiving the password over the plain, THEN switching to https after authorizing the user. (Then, it starts the auth process over again for the HTTPS connection.) Clearly, this isn't good!

(This behavior was verified with a TCP packet sniffer.)

Following is from the .htaccess file I made:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*)
AuthUserFile <path>
AuthName "Protected"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>

Both individual blocks work. I just need them to work in the correct order.

Anyone have any ideas how I can accomplish this?

Thanks!
 
Do you have to use the rewrite at all? Could you use a link on your page that uses an https url then put a .htaccess file in that directory?
 
I can work around it with multiple folders, but getting this to work would be the most elegant solution. So, if anyone has any ideas what's going on, great; if not, I'll have to try something else.

Thanks!
Rich
 
It's doing exactly what it thinks it's supposed to do. When someone comes to that url under http the rewrite stuff gets read but so does the auth stuff. Then when it switches to https, it's kind of like going out and coming back in. So everything gets read again. This time it has already switched to https so it moves on to the auth thing again.
 
Thanks for the explanation, that rings with what I was thinking too. So, if nobody knows how to get it to do it in the order I want it to work in (redirect first, then auth), I'm stuck with a multiple-folder workaround.

Thanks,
Rich
 
That is generally how it's done. For example, I can go to my bank online. The home page is unsecure but when I click on a link to my account it goes to https then I'm prompted for my name and password. Even though you are on the same page and directory, when you switch to ssl mode, it is a new session and .htaccess gets read again. This is why you are getting this result. To do what you want would require a script that retains the user's credentials from one session to the next. I don't think it can be done with just .htaccess but I learn new tricks all the time so you are correct to keep asking.
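
Added example, not part of the thread: in per-directory (.htaccess) context mod_rewrite runs in the fixup phase, after authentication, which is why the 401 challenge goes out before the redirect. The fragment below refuses plain HTTP before any challenge is issued; secure.example.com and /protected/ are placeholders, and variant B assumes Apache 2.4 rather than the 1.3.37 server discussed here.

```apache
# Added example. Host name and URL path are placeholders; the AuthUserFile
# path stays elided, as in the original post.

# Variant A (mod_ssl on Apache 1.3 or 2.x).
# SSLRequireSSL is checked in the access phase, which runs before the Basic
# auth challenge, so a plain-HTTP request gets a 403 and never a 401.
# ErrorDocument with a full URL turns that 403 into a redirect to HTTPS.
# Needs AllowOverride AuthConfig (auth, SSLRequireSSL) and FileInfo
# (ErrorDocument). Satisfy must stay at its default (All).
SSLRequireSSL
ErrorDocument 403 https://secure.example.com/protected/

AuthUserFile <path>
AuthName "Protected"
AuthType Basic
# No <Limit GET POST PUT> wrapper: <Limit> applies the requirement only to
# the listed methods and leaves every other method unprotected.
require valid-user

# Caveats for variant A:
#  - The redirect always lands on the fixed URL above, not on the page that
#    was originally requested.
#  - Any other 403 raised in this directory is redirected to the same URL.

# Variant B (Apache 2.4 only): auth directives exist only in the HTTPS
# branch, so the plain-HTTP branch can do nothing except redirect.
# <If "%{HTTPS} != 'on'">
#     Redirect permanent "/protected/" "https://secure.example.com/protected/"
# </If>
# <Else>
#     AuthUserFile <path>
#     AuthName "Protected"
#     AuthType Basic
#     Require valid-user
# </Else>
```

To confirm the ordering, request the folder over plain HTTP without credentials and check that the response is a redirect to the https URL and carries no WWW-Authenticate header.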
 