On 4/14/05, nandelbosc@xxxxxxxx <nandelbosc@xxxxxxxx> wrote:
> Some pages on this webserver have a .htaccess* file with AuthType Basic...
> I need the users of this server to log in under the HTTPS protocol (to encrypt
> user/pass information) and then be redirected to another page under the HTTP
> protocol.
>
> That redirect works fine, in part, because when the user is redirected to
> HTTP, the server requests username & login for a second time, and obviously
> without encryption.
>
> In summary... I only need SSL encryption for the moment to send/receive
> login & pass, and only request login one time.
>
> How can I solve this problem?

You can't. That isn't how HTTP auth works. The username and password are sent on *every* request. You don't notice this because the browser caches the credentials after the first request. The browser re-prompts for the credentials if you change hostnames or ports (as you do when you switch to SSL) in order to prevent other sites from stealing your password.

I'm not an expert, but I suspect that sites that do this (request credentials under SSL and do normal browsing unencrypted) are passing encrypted credentials in the URL when they redirect back to the non-SSL site, and then the non-SSL site is tracking the session with cookies.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
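The behaviour described in the reply, as an added example that is not part of the original thread: a simplified model of a browser's Basic-auth cache, showing that the HTTPS-to-HTTP redirect triggers a second prompt and that every later HTTP request carries the credentials in a trivially decodable header. The host `www.example.test`, the realm `Members` and the user `alice` are constructed values, and keying the cache on (scheme, host, port, realm) is a simplification of real browser behaviour.

```python
import base64
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def basic_header(user, password):
    """Build the Authorization value a client sends; base64 is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token

def decode_basic(header):
    """Recover user and password from a Basic header, as any on-path observer can."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def origin(url):
    """Scheme, host and port: switching http <-> https changes this tuple."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def simulate(urls, realm, user, password):
    """Simplified browser model (assumption): credentials cached per (origin, realm).

    Returns one dict per request: whether the user was prompted and whether
    the Authorization header travelled without TLS.
    """
    cache, trace = {}, []
    for url in urls:
        key = (origin(url), realm)
        prompted = key not in cache
        if prompted:  # new protection space: the browser asks again
            cache[key] = basic_header(user, password)
        trace.append({"url": url, "prompted": prompted,
                      "header": cache[key],
                      "cleartext": key[0][0] == "http"})
    return trace

# Constructed sample: log in over HTTPS, then get redirected to HTTP.
SAMPLE = ["https://www.example.test/login/",
          "http://www.example.test/members/",
          "http://www.example.test/members/page2.html"]

if __name__ == "__main__":
    for step in simulate(SAMPLE, "Members", "alice", "s3cret"):
        print(step["url"], "prompted" if step["prompted"] else "cached",
              "CLEARTEXT " + ":".join(decode_basic(step["header"]))
              if step["cleartext"] else "over TLS")
```

The third request is not prompted, yet it still sends the same header in cleartext, which is why keeping only the login step on HTTPS does not protect a Basic-auth password.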