Allowing https only for .htaccess password protection?
When using .htaccess password protection, is there a way I can distinguish between http and https access?
More specifically, can I make sure that only https access is allowed, and when someone visits the particular page or subdir with http, the password is simply always refused? Or give the visitor a different AuthName description (like "use https dude!") or something?
I can of course enforce https in the page/site itself (by checking if $_SERVER['HTTPS'] is set (and !='off' on IIS)) but then a working login & password have already been transmitted unencrypted.
Re: Allowing https only for .htaccess password protection?
G-Mail automatically redirects you to the HTTPS page when you go to the login screen, so it occurs before the data is transmitted. Perhaps you could take a look into that.
Although, I haven't tried it in any other browser than Chrome.
Re: Allowing https only for .htaccess password protection?
Yes, but there's no htaccess password involved there. They use a regular login form.
I mean a situation where the .htaccess file contains
Code:
AuthUserFile "ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

So you get a password prompt before it even loads any page or content whatsoever.

Re: Allowing https only for .htaccess password protection?
Just put the https redirection higher up in your .htaccess file. Create a "login" directory & put this .htaccess in it. At the top of the .htaccess file, require an https connection.
The reason I suggest making a new directory is so that you don't require https on your entire site.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: Allowing https only for .htaccess password protection?
Thanks, I tried that actually, but I'm still getting the name/password prompt first, i.e. before it redirects to https (and then, in https, it asks for the name & password again, but that makes sense).
This is what my .htaccess file looks like:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
AuthUserFile "/somewhere/ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

The password authorization itself works OK, as does the https redirection. But when combined, it still seems to apply the authorization first.

Re: Allowing https only for .htaccess password protection?
Hmm, I'm not sure then. You could try putting [L] after your rule, which signifies it's the last rule to process. I doubt that'll stop the rest of the file from being processed though.
Re: Allowing https only for .htaccess password protection?
No, [L] doesn't make any difference unfortunately.
But I managed to find a different approach, here's my new .htaccess:
Code:
SSLRequireSSL
ErrorDocument 403 https://www.mywebsite.com/subdir/
AuthUserFile "/somewhere/ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

SSLRequireSSL tells Apache that https is required, and this has higher priority than the password prompt, so that doesn't show up anymore (not in unencrypted http I mean). Instead, if someone visits my site with http instead of https, this causes a 403 error.
Then the ErrorDocument 403 kicks in, and redirects the user to the desired location with https.
The only flaw here is that this doesn't redirect a non-https URL to the same link with https, but just to a general subdir or file (whatever I specify at the 403).
Well this is somewhat of an improvement, at least people won't be entering passwords in plain http anymore. If someone knows a better solution (especially regarding the redirection to the original URL with https), please let me know.
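One way to get the redirect back to the original URL, added here as an example and not code from the thread or from the Apache project: point ErrorDocument 403 at a local PHP script that lives outside the SSLRequireSSL-protected directory, so Apache runs it via an internal redirect and hands it the refused path in REDIRECT_URL. The /errors/ location, the hostname www.mywebsite.com and the directory layout are assumptions.

```php
<?php
// to-https.php: ErrorDocument 403 handler. It is assumed to live OUTSIDE the
// SSLRequireSSL-protected directory, so it is still reachable over plain http.
// Assumed .htaccess in the protected directory (only the ErrorDocument line
// differs from the one posted above):
//   SSLRequireSSL
//   ErrorDocument 403 /errors/to-https.php
//   AuthUserFile "/somewhere/ultra-secret.htpasswd"
//   AuthName "Admin Only!"
//   AuthType Basic
//   Require valid-user

// Use a fixed hostname rather than $_SERVER['HTTP_HOST']: the Host header is
// client-supplied, and echoing it would turn this script into an open redirect.
const CANONICAL_HOST = 'www.mywebsite.com';

/**
 * Build the https:// URL of the request that was refused.
 * When Apache serves a local ErrorDocument it sets REDIRECT_URL (the original
 * path) and REDIRECT_QUERY_STRING (the original query string).
 */
function https_target(array $server, string $host = CANONICAL_HOST): string
{
    $path = $server['REDIRECT_URL'] ?? '/';
    // Accept only a plain absolute path; anything else falls back to the root
    // (a value starting with "//" would be read by browsers as another host).
    if (!preg_match('#^/(?!/)[^\s]*$#', $path)) {
        $path = '/';
    }
    $query = $server['REDIRECT_QUERY_STRING'] ?? '';
    return 'https://' . $host . $path . ($query !== '' ? '?' . $query : '');
}

// Only redirect when Apache really invoked us as the 403 handler; if someone
// requests this script directly there is nothing to forward them to.
if (($_SERVER['REDIRECT_STATUS'] ?? '') === '403') {
    header('Location: ' . https_target($_SERVER), true, 302);
    exit;
}
http_response_code(404);
```

Because the 403 is raised before the Basic auth check, the browser never shows the password prompt over plain http; it is only prompted after landing on the https URL.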
Re: Allowing https only for .htaccess password protection?
Is there a way with mod_rewrite to rewrite urls for error conditions?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Allowing https only for .htaccess password protection?
That's a nice hack Apollo. May I ask why you can't make the login outside .htaccess? Why does it have to be .htaccess Auth?

timWebUK wrote:
G-Mail automatically redirects you to the HTTPS page when you go to the login screen, so it occurs before the data is transmitted.

Remember guys that HTTP to HTTPS redirection does not completely solve the issue with MITM attacks.
The HTTP request will be sent unencrypted to http://mail.google.com, and just after that, it will be re-sent as encrypted to https://mail.google.com. Therefore, a MITM can occur in between these two points. If not, then an eavesdropper could potentially look for cookie data or other HTTP activity.
I hope you all have turned on "Secure Cookies" on HTTPS websites.
Re: Allowing https only for .htaccess password protection?
kaisellgren wrote:
May I ask why you can't make the login outside .htaccess? Why does it have to be .htaccess Auth?

In this particular case I had to do with a lot of admin/config scripts that were formerly used only on an internal (locally hosted) server, but now need to run online. And they didn't do any user authentication themselves. Instead of adding login requirements to all of them, I thought using .htaccess would be easier.

kaisellgren wrote:
The HTTP request will be sent unencrypted to http://mail.google.com, and just after that, it will be re-sent as encrypted to https://mail.google.com. Therefore, a MITM can occur in between these two points.

Not sure if I understand this - how exactly?
Re: Allowing https only for .htaccess password protection?
Apollo wrote:
Not sure if I understand this - how exactly?

Before the .htaccess (or any other server side thing) kicks in, the web browser has already started shooting its HTTP request.
Re: Allowing https only for .htaccess password protection?
Yes, but... as long as it redirects the visitor to https://the.same.url, nothing can go wrong, right?
Or do you mean the http connection might be compromised and some MITM actually redirects people to something else?
Re: Allowing https only for .htaccess password protection?
Apollo wrote:
Or do you mean the http connection might be compromised and some MITM actually redirects people to something else?

That's what I was thinking, because surely it wouldn't matter if the browser sent HTTP requests before the user had actually entered any sensitive data?
Re: Allowing https only for .htaccess password protection?
Phishing: the client sends a request to http://mail.google.com, the man in the middle sends back a Google Mail-like login form where the client then enters her login credentials and everything goes to the attacker straight away.
Session hijacking: the client sends a request along with the current active session identifier to http://mail.google.com, and the man in the middle (or just an eavesdropper) uses it to hijack the session. If the attacker is in the middle, he would use the same IP, see the client's user agent (and all other information) and he will be able to hijack the account.
Session fixation is also possible, but useless due to session hijacking.
XSS can happen when not all parts of the page are loaded in HTTPS.