How to achieve single htpasswd login with Apache when using both SSL and non-SSL web pages in a site?

Paul Lussier p.lussier at comcast.net
Wed Jul 12 13:07:00 EDT 2006


"Ben Scott" <dragonhawk at gmail.com> writes:

> On 7/11/06, Dan Coutu <coutu at snowy-owl.com> wrote:
>> Apparently the shift to/from SSL is considered by browsers to be a
>> different realm.
>
>   Makes sense from a security perspective.  Think about starting with
> SSL and then downgrading to cleartext.  Suddenly your HTTP
> authentication credentials aren't secure anymore...
>
>> Guess I'm stuck then. I know of no way to convince a web browser to
>> change this particular behavior.
>
>   From what I've seen in use, I think you might be able to work around
> this with HTTP cookies, and/or encoding some kind of session state in
> the URL and/or a form submission.  But I've never done it, myself.

Well, another possibility is to separate the directory configuration
from the site configuration. Don't require authentication or SSL for
anything in the root directory, but do for other stuff.

By splitting out your directory configs from the VirtualHost config,
I'd think all this would work fairly as you'd expect it...
-- 
Seeya,
Paul
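
The split Paul describes, sketched as an Apache configuration. This is an added example, not part of the original message; the hostname, filesystem paths, the /members subtree and the realm name are assumptions.

```apache
# Added example; hostname, paths and realm name are assumed placeholders.
# Directory rules sit at server level, outside any <VirtualHost>, so the
# port-80 and port-443 hosts both inherit the same policy.

# Site root: no AuthType and no SSLRequireSSL, so it is served on either port.
<Directory "/var/www/example">
    Options None
    AllowOverride None
</Directory>

# Protected subtree: SSLRequireSSL answers 403 to any non-SSL request, so the
# Basic credentials are only ever prompted for and sent over SSL, and the
# browser sees a single realm on a single scheme.
<Directory "/var/www/example/members">
    SSLRequireSSL
    AuthType Basic
    AuthName "Members"
    AuthUserFile "/etc/apache2/htpasswd.example"
    Require valid-user
</Directory>

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
    # Send plain-HTTP requests for the protected subtree to the SSL host
    # rather than leaving visitors at the 403 from SSLRequireSSL.
    Redirect permanent /members https://www.example.com/members
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
    SSLEngine on
    SSLCertificateFile "/etc/apache2/ssl/example.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/example.key"
</VirtualHost>
```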


