
Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 2:30 am
by Apollo
When using .htaccess password protection, is there a way I can distinguish between http and https access?

More specifically, can I make sure that only https access is allowed, and when someone visits the particular page or subdir with http, the password is simply always refused? Or give the visitor a different AuthName description (like "use https dude!") or something?

I can of course enforce https in the page/site itself (by checking if $_SERVER['HTTPS'] is set (and !='off' on IIS)) but then a working login & password have already been transmitted unencrypted.

Re: Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 3:59 am
by timWebUK
G-Mail automatically redirects you to the HTTPS page when you go to the login screen, so it occurs before the data is transmitted. Perhaps you could take a look into that.

Although, I haven't tried it in any other browser than Chrome.

Re: Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 4:20 am
by Apollo
Yes, but there's no htaccess password involved there. They use a regular login form.

I mean a situation where the .htaccess file contains

Code:

# A relative AuthUserFile path is resolved against ServerRoot, not the
# directory holding the .htaccess; an absolute path outside DocumentRoot is safer
AuthUserFile "ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

So you get a password prompt before it even loads any page or content whatsoever.

Re: Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 9:49 am
by pickle
Just put the https redirection higher up in your .htaccess file. Create a "login" directory & put this .htaccess in it. At the top of the .htaccess file, require an https connection.

The reason I suggest making a new directory is so that you don't require https on your entire site.

Re: Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 11:02 am
by Apollo
Thanks, I tried that actually, but I'm still getting the name/password prompt first, i.e. before it redirects to https (and then, in https, it asks for the name & password again, but that makes sense).

This is what my .htaccess file looks like:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
# Redirects to the same URL over https, but in a per-directory (.htaccess)
# context mod_rewrite runs in the fixup phase, which comes after the
# authentication phase, so the Basic auth challenge is issued first
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

AuthUserFile "/somewhere/ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

The password authorization itself works OK, as does the https redirection. But when combined, it still seems to apply the authorization first :(

Re: Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 11:09 am
by pickle
Hmm, I'm not sure then. You could try putting [L] after your rule, which signifies it's the last rule to process. I doubt that'll stop the rest of the file from being processed though.

Re: Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 5:14 pm
by Apollo
No, [L] doesn't make any difference unfortunately.

But I managed to find a different approach, here's my new .htaccess:

Code:

# mod_ssl evaluates SSLRequireSSL in the access-check phase, before the
# authentication phase, so a plain-http request gets a 403 and never sees
# the Basic auth challenge
SSLRequireSSL
# An absolute URL as ErrorDocument makes Apache answer with a 302 redirect
# to that URL instead of serving an error page; the originally requested
# path is not carried over
ErrorDocument 403 https://www.mywebsite.com/subdir/

AuthUserFile "/somewhere/ultra-secret.htpasswd"
AuthName "Admin Only!"
AuthType Basic
Require valid-user

SSLRequireSSL tells Apache that https is required, and this has higher priority than the password prompt, so that doesn't show up anymore (not in unencrypted http I mean). Instead, if someone visits my site with http instead of https, this causes a 403 error.
Then the ErrorDocument 403 kicks in, and redirects the user to the desired location with https.

The only flaw here is that this doesn't redirect a non-https URL to the same link with https, but just to a general subdir or file (whatever I specify at the 403).

Well this is somewhat of an improvement, at least people won't be entering passwords in plain http anymore. If someone knows a better solution (especially regarding the redirection to the original URL with https), please let me know.
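The ordering problem in the posts above is that, inside .htaccess, both mod_rewrite and an absolute ErrorDocument act too late or too bluntly to redirect a plain-http request to the same URL over https before the Basic auth challenge. In the virtual-host (server) context mod_rewrite runs during URI translation, well before authentication, so the redirect can preserve the requested path and no password prompt is ever sent over http. The configuration below is an added example, not the thread author's .htaccess and not an official Apache snippet; the hostname, DocumentRoot, certificate and htpasswd paths are assumptions, and it assumes mod_rewrite and mod_ssl are loaded and that you can edit the vhost configuration (on shared hosting, where only .htaccess is writable, the SSLRequireSSL approach above remains the fallback).

```apache
# Added example (not from the thread). All paths and the hostname are assumptions.

# Plain-http side: its only job is to send everyone to https. Nothing here
# asks for credentials, so nothing can be typed into an unencrypted prompt.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    RewriteEngine On
    # Permanent redirect to the same host and path over https.
    # [L]  stop processing further rules
    # [NE] do not re-escape the URI, so %xx sequences in the path survive
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
</VirtualHost>

# https side: the protected directory is only ever served from here.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    <Directory /var/www/example/subdir>
        # Defence in depth: even if this directory is later exposed from a
        # non-TLS vhost, mod_ssl refuses it (403) before any auth challenge.
        SSLRequireSSL

        AuthType Basic
        AuthName "Admin Only!"
        # Keep the credential file outside DocumentRoot so it can never be
        # fetched as a static file.
        AuthUserFile /etc/apache2/ultra-secret.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

A quick check after reloading Apache: a request for `http://www.example.com/subdir/secret.php` should return `301` with `Location: https://www.example.com/subdir/secret.php` and no `WWW-Authenticate` header; only the https request should return `401` with the Basic challenge.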

Re: Allowing https only for .htaccess password protection?

Posted: Wed Nov 04, 2009 5:41 pm
by pickle
Is there a way with mod_rewrite to rewrite urls for error conditions?

Re: Allowing https only for .htaccess password protection?

Posted: Sat Nov 07, 2009 5:14 am
by kaisellgren
That's a nice hack, Apollo. May I ask why can't you make the login outside .htaccess? Why does it have to be .htaccess Auth?

Remember guys that HTTP to HTTPS redirection does not completely solve the issue with MITM attacks.
timWebUK wrote: G-Mail automatically redirects you to the HTTPS page when you go to the login screen, so it occurs before the data is transmitted.
The HTTP request will be sent unencrypted to http://mail.google.com, and just after that, it will be re-sent as encrypted to https://mail.google.com. Therefore, a MITM can occur in between these two points. If not, then an eavesdropper could potentially look for cookie data or other HTTP activity.

I hope you all have turned on "Secure Cookies" on HTTPS websites.

Re: Allowing https only for .htaccess password protection?

Posted: Sat Nov 07, 2009 9:38 am
by Apollo
kaisellgren wrote: May I ask why can't you make the login outside .htaccess? Why does it have to be .htaccess Auth?
In this particular case I had to deal with a lot of admin/config scripts that were formerly used only on an internal (locally hosted) server, but now need to run online.

And they didn't do any user authentication themselves. Instead of adding login requirements to all of them, I thought using .htaccess would be easier :)
kaisellgren wrote: The HTTP request will be sent unencrypted to http://mail.google.com, and just after that, it will be re-sent as encrypted to https://mail.google.com. Therefore, a MITM can occur in between these two points.
Not sure if I understand this - how exactly?

Re: Allowing https only for .htaccess password protection?

Posted: Sun Nov 08, 2009 3:34 am
by kaisellgren
Apollo wrote: Not sure if I understand this - how exactly?
Before the .htaccess (or any other server side thing) kicks in, the web browser has already started shooting its HTTP request.

Re: Allowing https only for .htaccess password protection?

Posted: Sun Nov 08, 2009 4:31 pm
by Apollo
Yes, but... as long as it redirects the visitor to https://the.same.url, nothing can go wrong, right?

Or do you mean the http connection might be compromised and some MITM actually redirects people to something else?

Re: Allowing https only for .htaccess password protection?

Posted: Mon Nov 09, 2009 2:44 am
by timWebUK
Apollo wrote: Or do you mean the http connection might be compromised and some MITM actually redirects people to something else?
That's what I was thinking, because surely it wouldn't matter if the browser sent HTTP requests before the user had actually entered any sensitive data?

Re: Allowing https only for .htaccess password protection?

Posted: Mon Nov 09, 2009 6:55 am
by kaisellgren
Phishing: the client sends a request to http://mail.google.com, the man in the middle sends back a Google Mail-like login form where the client then enters her login credentials and everything goes to the attacker straight away.

Session hijacking: the client sends a request along with the current active session identifier to http://mail.google.com, and the man in the middle (or just an eavesdropper) uses it to hijack into the session. If the attacker is in the middle, he would use the same IP, see the client's user agent (and all other information) and he will be able to hijack into the account.

Session fixation is also possible, but useless due to session hijacking.

XSS can happen when not all parts of the page are loaded in HTTPS.
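The two attacks kaisellgren describes both hinge on the browser making a plain-http request at all: the phishing variant needs a first http:// request for the attacker to answer with a fake login page, and the hijacking variant needs a session cookie that the browser is willing to attach to http:// requests. The Apache configuration below is an added example, not from the thread and not a phpBB or Google configuration; it assumes mod_headers is loaded, an https virtual host for the assumed hostname www.example.com, and that the application behind Apache sets its own session cookies. It shows the two server-side mitigations that close those windows for returning visitors: HTTP Strict Transport Security, and forcing the Secure (and HttpOnly) attributes on every cookie.

```apache
# Added example (not from the thread). Hostname and certificate paths are assumptions.
# Goes in the https vhost only: browsers ignore Strict-Transport-Security
# received over plain http, so sending it there achieves nothing.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # HSTS: after one successful https visit the browser upgrades every
    # http://www.example.com/... navigation to https:// on its own for
    # max-age seconds (here one year) and refuses to click through certificate
    # errors. The unencrypted first request that a man in the middle could
    # answer with a fake login form is therefore never sent again.
    # "always" also attaches it to error responses such as the 401 challenge.
    # Caveat: the very first visit is still unprotected unless the domain is
    # on the browser preload list, and includeSubDomains must only be used if
    # every subdomain is served over https.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Secure cookies: a cookie without the Secure attribute is attached to
    # http:// requests too, where an eavesdropper reads the session id and
    # replays it. The negative lookahead skips cookies that already carry the
    # attribute, so nothing is appended twice. HttpOnly keeps the cookie out
    # of reach of injected script, which limits the XSS case mentioned above.
    Header edit Set-Cookie "(?i)^((?!.*;\s*secure).*)$" "$1; Secure"
    Header edit Set-Cookie "(?i)^((?!.*;\s*httponly).*)$" "$1; HttpOnly"
</VirtualHost>
```

Forcing the attributes in Apache is a safety net for applications you cannot change; where the application is PHP, setting `session.cookie_secure = 1` and `session.cookie_httponly = 1` in php.ini achieves the same for the session cookie at the source. Verify with `curl -sI https://www.example.com/` that the response carries `Strict-Transport-Security` and that every `Set-Cookie` line ends in `; Secure; HttpOnly`.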