From: Phil F. <pc...@wm...> - 2011-06-15 20:39:51

We use mod_rewrite to force everyone to use SSL all the time in order to prevent session hijacking. I doubt that using mod_rewrite would work, as a quick sniff using Wireshark shows that mod_rewrite sends a 302 Found to redirect the user to the page with SSL. I think that would also lose data that you are POSTing as part of your request. If I had to only login using SSL, I would likely hardcode the action in web/interface/themes/<your theme>/MyResearch/login.tpl to use SSL.

Hope that helps,

Phil Fenstermacher

On 06/15/2011 03:16 PM, vuf...@li... wrote:
> I've been trying to secure our logins by using https. I don't want to run vufind as a whole under https, just the login page. There are three login situations I know of:
>
> 1. Login from the 'Login' link leading to the default MyResearch page
> 2. Login using the lightbox and JSON
> 3. Login triggered by an action which sets a 'followupAction'.
>
> I'm ignoring case 2 as it encrypts the password itself, even without https.
>
> My first attempt at this was making the login form submit to https instead of http, then in MyResearch.php checking whether we are on port 443, and if so using header() to redirect back to port 80. This works fine for 1. but not for 3 - the followupAction etc. are POST variables which get lost on the redirect. I haven't managed to come up with a method that avoids this.
>
> One alternative might be to use apache rewrite rules, but short of listing all the pages which might include a login as exceptions (and then having to change the rules whenever a new feature is added) I can't see how to do that.
>
> Does anyone have a straightforward method that works?
>
> Graham

--
Phil Fenstermacher
Systems Engineer
Swem Library - College of William & Mary
757.221.3112
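The behaviour both posters describe (a redirect from the plain-HTTP login URL to its HTTPS counterpart silently drops the POST body, so credentials and the `followupAction` field never reach the application) can be reproduced locally. The script below is an added illustration written for this page, not code from the thread or from VuFind: a stand-in HTTP server answers the first request with a `302 Found` the way a `RewriteRule ... [R]` would, and a standard library client follows it the way a browser does. The `/secure/` path prefix, the `/MyResearch/Login` URL and the form fields are constructed for the demo and stand in for the separate HTTPS virtual host.

```python
"""Show that a 302 redirect (as issued by mod_rewrite's [R] flag) turns a
POST into a GET and discards the form body.  Stand-alone demo; the server
and the form values are constructed for illustration only."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

RECEIVED = []  # records of what the "secure" endpoint actually got


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _drain_body(self):
        length = int(self.headers.get("Content-Length", 0))
        return self.rfile.read(length).decode() if length else ""

    def _redirect(self):
        # Stand-in for a front-end rewrite to the HTTPS vhost: same path,
        # but "/secure" prefix instead of a real https:// scheme (hypothetical).
        self._drain_body()
        self.send_response(302)
        self.send_header("Location", f"http://{self.headers['Host']}/secure{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _record(self):
        # This is what the application (e.g. MyResearch.php) would see.
        body = self._drain_body()
        RECEIVED.append({"method": self.command,
                         "path": self.path,
                         "body": urllib.parse.parse_qs(body)})
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_GET(self):
        self._record() if self.path.startswith("/secure/") else self._redirect()

    def do_POST(self):
        self._record() if self.path.startswith("/secure/") else self._redirect()


def post_login_through_redirect():
    """POST a login form to the plain-HTTP path, follow the 302 like a
    browser would, and return the record of the request the redirect
    target received.  Expected: method GET, empty body."""
    RECEIVED.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        form = urllib.parse.urlencode({"username": "alice",          # constructed
                                       "password": "demo-secret",    # constructed
                                       "followupAction": "Hold"}).encode()
        url = f"http://127.0.0.1:{port}/MyResearch/Login"
        with urllib.request.urlopen(url, data=form, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return RECEIVED[-1]


if __name__ == "__main__":
    print(post_login_through_redirect())
```

The final record shows the request arriving as `GET /secure/MyResearch/Login` with an empty body: the username, password and `followupAction` were all dropped at the redirect. This is why Phil's approach (serve the whole application under HTTPS so no redirect ever sits between the form and its handler) or pointing the form `action` directly at the HTTPS URL avoids the problem, whereas any redirect placed after the form is submitted cannot.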