Allowing https only for .htaccess password protection?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Allowing https only for .htaccess password protection?

Post by Apollo »

When using .htaccess password protection, is there a way I can distinguish between http and https access?

More specifically, can I make sure that only https access is allowed, and when someone visits the particular page or subdir with http, the password is simply always refused? Or give the visitor a different AuthName description (like "use https dude!") or something?

I can of course enforce https in the page/site itself (by checking if $_SERVER['HTTPS'] is set (and !='off' on IIS)) but then a working login & password have already been transmitted unencrypted.
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Allowing https only for .htaccess password protection?

Post by timWebUK »

G-Mail automatically redirects you to the HTTPS page when you go to the login screen, so it occurs before the data is transmitted. Perhaps you could take a look into that.

Although, I haven't tried it in any other browser than Chrome.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Allowing https only for .htaccess password protection?

Post by Apollo »

Yes, but there's no htaccess password involved there. They use a regular login form.

I mean a situation where the .htaccess file contains

AuthUserFile "ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

So you get a password prompt before it even loads any page or content whatsoever.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Allowing https only for .htaccess password protection?

Post by pickle »

Just put the https redirection higher up in your .htaccess file. Create a "login" directory & put this .htaccess in it. At the top of the .htaccess file, require an https connection.

The reason I suggest making a new directory is so that you don't require https on your entire site.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Allowing https only for .htaccess password protection?

Post by Apollo »

Thanks, I tried that actually, but I'm still getting the name/password prompt first, i.e. before it redirects to https (and then, in https, it asks for the name & password again, but that makes sense).

This is what my .htaccess file looks like:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

AuthUserFile "/somewhere/ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

The password authorization itself works OK, as does the https redirection. But when combined, it still seems to apply the authorization first :(
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Allowing https only for .htaccess password protection?

Post by pickle »

Hmm, I'm not sure then. You could try putting [L] after your rule, which signifies it's the last rule to process. I doubt that'll stop the rest of the file from being processed though.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Allowing https only for .htaccess password protection?

Post by Apollo »

No, [L] doesn't make any difference unfortunately.

But I managed to find a different approach, here's my new .htaccess:

SSLRequireSSL
ErrorDocument 403 https://www.mywebsite.com/subdir/

AuthUserFile "/somewhere/ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

SSLRequireSSL tells Apache that https is required, and this has higher priority than the password prompt, so that doesn't show up anymore (not in unencrypted http I mean). Instead, if someone visits my site with http instead of https, this causes a 403 error.
Then the ErrorDocument 403 kicks in, and redirects the user to the desired location with https.

The only flaw here is that this doesn't redirect a non-https URL to the same link with https, but just to a general subdir or file (whatever I specify at the 403).

Well this is somewhat of an improvement, at least people won't be entering passwords in plain http anymore. If someone knows a better solution (especially regarding the redirection to the original URL with https), please let me know.
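An added example, not part of Apollo's post or of anything else in this thread, of how to keep SSLRequireSSL in front of the password prompt and still send the visitor to the original URL over https. Two Apache facts explain the behaviour seen above: RewriteRule directives in a .htaccess file are applied in the fixup phase, after the authentication check, so a per-directory rewrite can never pre-empt the Basic auth challenge, whereas SSLRequireSSL is evaluated in the earlier access-control phase. And when ErrorDocument 403 names a local script rather than a full URL, Apache performs an internal redirect and hands that script the original request in the REDIRECT_URL, REDIRECT_QUERY_STRING and REDIRECT_STATUS variables. The script name force-https.php, the host list and the directory layout below are assumptions; the script has to live outside the SSLRequireSSL directory, otherwise it is forbidden over http as well and Apache sends a bare 403.

```php
<?php
// Added example (not from the thread): a local ErrorDocument 403 handler that
// sends the visitor to the SAME url over https instead of one fixed page.
//
// Assumed .htaccess in the protected directory (names are illustrative):
//   SSLRequireSSL
//   ErrorDocument 403 /force-https.php
//   AuthUserFile "/somewhere/ultra-secret.htpasswd"
//   AuthName "Admin Only!"
//   AuthType Basic
//   Require valid-user
//
// /force-https.php must live OUTSIDE the SSLRequireSSL directory; otherwise the
// error document itself is forbidden over http and Apache sends a bare 403.

/**
 * Builds the https URL of the originally requested resource, or returns null
 * when the request data cannot be trusted. $server is $_SERVER (passed in so
 * the function is easy to test), $allowedHosts the host names we really serve.
 */
function buildHttpsTarget(array $server, array $allowedHosts)
{
    // For a local error document Apache copies the original request into
    // REDIRECT_URL (path only) and REDIRECT_QUERY_STRING.
    $path  = isset($server['REDIRECT_URL']) ? $server['REDIRECT_URL'] : '';
    $query = isset($server['REDIRECT_QUERY_STRING']) ? $server['REDIRECT_QUERY_STRING'] : '';
    $host  = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';

    // Drop an explicit port and compare the bare host name against our own
    // list, so a forged Host header cannot turn this into an open redirect.
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }

    // Accept only an absolute path made of printable, non-space characters:
    // "//evil.example" would be a scheme-relative URL in a Location header,
    // and control characters could inject extra header lines. A decoded path
    // that contains a space falls back to the plain 403 rather than risk a
    // malformed header.
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//'
        || preg_match('/[^\x21-\x7e]/', $path . $query)) {
        return null;
    }

    return 'https://' . $host . $path . ($query !== '' ? '?' . $query : '');
}

/** Emits the redirect, or a plain 403 when no safe target could be built. */
function sendHttpsRedirect($target)
{
    if ($target === null) {
        header('HTTP/1.1 403 Forbidden');
        echo 'This area is only available over https.';
        return;
    }
    // Nothing sensitive has been sent yet: SSLRequireSSL rejected the request
    // before mod_auth had a chance to ask for the name and password.
    header('HTTP/1.1 302 Found');
    header('Location: ' . $target);
    echo 'Redirecting to the https version of this page.';
}

// Only act when Apache really invoked us as the error document for a 403;
// anyone requesting /force-https.php directly gets a 404 instead.
if (isset($_SERVER['REDIRECT_STATUS']) && $_SERVER['REDIRECT_STATUS'] === '403') {
    sendHttpsRedirect(buildHttpsTarget($_SERVER, array('www.mywebsite.com')));
} else {
    header('HTTP/1.1 404 Not Found');
}
```

The `ErrorDocument 403 https://...` form in the post above loses the path because Apache turns a full URL into a plain redirect to that one location; a local error document keeps the original request available, which is what the script builds its target from. Any other reason for a 403 in that directory (a denied IP, a missing index) also ends up in this script, so it only redirects when the host is one of its own and otherwise answers 403 itself.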
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Allowing https only for .htaccess password protection?

Post by pickle »

Is there a way with mod_rewrite to rewrite urls for error conditions?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Allowing https only for .htaccess password protection?

Post by kaisellgren »

That's a nice hack Apollo. May I ask why you can't make the login outside .htaccess? Why does it have to be .htaccess Auth?

Remember guys that HTTP to HTTPS redirection does not completely solve the issue with MITM attacks.
timWebUK wrote: G-Mail automatically redirects you to the HTTPS page when you go to the login screen, so it occurs before the data is transmitted.

The HTTP request will be sent unencrypted to http://mail.google.com, and just after that, it will be re-sent as encrypted to https://mail.google.com. Therefore, a MITM can occur in between these two points. If not, then an eavesdropper could potentially look for cookie data or other HTTP activity.

I hope you all have turned on "Secure Cookies" on HTTPS websites.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Allowing https only for .htaccess password protection?

Post by Apollo »

kaisellgren wrote: May I ask why you can't make the login outside .htaccess? Why does it have to be .htaccess Auth?

In this particular case I was dealing with a lot of admin/config scripts that were formerly used only on an internal (locally hosted) server, but now need to run online.

And they didn't do any user authentication themselves. Instead of adding login requirements to all of them, I thought using .htaccess would be easier :)

kaisellgren wrote: The HTTP request will be sent unencrypted to http://mail.google.com, and just after that, it will be re-sent as encrypted to https://mail.google.com. Therefore, a MITM can occur in between these two points.

Not sure if I understand this - how exactly?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Allowing https only for .htaccess password protection?

Post by kaisellgren »

Apollo wrote: Not sure if I understand this - how exactly?

Before the .htaccess (or any other server side thing) kicks in, the web browser has already started shooting its HTTP request.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Allowing https only for .htaccess password protection?

Post by Apollo »

Yes, but... as long as it redirects the visitor to https://the.same.url, nothing can go wrong, right?

Or do you mean the http connection might be compromised and some MITM actually redirects people to something else?
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Allowing https only for .htaccess password protection?

Post by timWebUK »

Apollo wrote: Or do you mean the http connection might be compromised and some MITM actually redirects people to something else?

That's what I was thinking, because surely it wouldn't matter if the browser sent HTTP requests before the user had actually entered any sensitive data?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Allowing https only for .htaccess password protection?

Post by kaisellgren »

Phishing: the client sends a request to http://mail.google.com, the man in the middle sends back a Google Mail-like login form where the client then enters her login credentials and everything goes to the attacker straight away.

Session hijacking: the client sends a request along with the current active session identifier to http://mail.google.com, and the man in the middle (or just an eavesdropper) uses it to hijack into the session. If the attacker is in the middle, he would use the same IP, see the client's user agent (and all other information) and he will be able to hijack into the account.

Session fixation is also possible, but useless due to session hijacking.

XSS can happen when not all parts of the page are loaded in HTTPS.
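An added example, not from the thread, illustrating kaisellgren's "Secure Cookies" remark and the session hijacking and fixation scenarios in the post above: a PHP site can make sure its session cookie is only ever issued and sent over https, is not readable by script, and is regenerated once it is in use. It reuses the $_SERVER['HTTPS'] check Apollo mentioned at the start; the function names are my own, the session and cookie settings are PHP's standard ones.

```php
<?php
// Added example (not from the thread): start a PHP session only over https and
// mark its cookie Secure + HttpOnly, so the browser never sends it over plain
// http and page script cannot read it. Function names are assumptions.

/** Same test Apollo mentions: HTTPS is set, and not 'off' (IIS). */
function requestIsHttps(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/** Cookie parameters every session cookie on an https-only site should carry. */
function secureSessionCookieParams($lifetime = 0, $path = '/', $domain = '')
{
    return array(
        'lifetime' => $lifetime,
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => true,   // browser only sends it over https
        'httponly' => true,   // not readable via document.cookie, limits XSS impact
    );
}

/**
 * Starts the session, or returns false without touching cookies when the
 * request came in over plain http (redirect to https elsewhere, as in the
 * .htaccess discussion above).
 */
function startSecureSession(array $server)
{
    if (!requestIsHttps($server)) {
        return false;
    }
    $p = secureSessionCookieParams();
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    ini_set('session.use_only_cookies', '1'); // ignore session ids passed in URLs
    session_start();

    // A client that brought a session id along (fixation) gets a fresh one on
    // first use; the old id is deleted so it cannot be reused.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
    return true;
}

/** Non-session cookies get the same flags: path, domain, secure, httponly. */
function setSecureCookie($name, $value, $expire = 0)
{
    return setcookie($name, $value, $expire, '/', '', true, true);
}

if (!startSecureSession($_SERVER)) {
    header('HTTP/1.1 403 Forbidden');
    echo 'Sessions are only started over https.';
}
```

With the Secure flag set, the unencrypted first request to http://mail.google.com in the scenario above no longer carries the session cookie, which takes the eavesdropping and hijacking case off the table; the phishing case (a forged login form served over http) is not something a cookie flag can address, which is why the https redirect has to happen before any form or auth prompt is shown.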