
Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#2099 closed defect (fixed)

trac-hacks.org authentication fails when using https

Reported by: anonymous
Owned by: athomas
Priority: normal
Component: TracHacks
Severity: normal
Keywords: authentication
Cc:
Trac Release: 0.10

Description

I can log in successfully to http://trac-hacks.org/, but when i try to use the site over HTTPS, the login attempt appears to succeed, but i get bounced back to plain HTTP, i'm no longer at the page i started from (i'm back at the home page), and i'm not authenticated. Not sure why that's happening.

Attachments (0)

Change History (5)

comment:1 Changed 7 years ago by dkg

oops. this ticket was filed by me -- i must have de-authenticated in another tab while trying to debug this.

the problem is pretty clearly that the login page wants to redirect the user to an http://trac-hacks.org/ URL, and isn't willing to entertain a REFERER set to https://trac-hacks.org/

Maybe that's a problem with the authentication module you're using?

fwiw, here's a wget display of the headers involved (unique tokens have been scrambled):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=https://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:06:16--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=fb97eXXXXXXXXXXXXXXXXXXX3f75f;
  Set-Cookie: trac_form_token=23XXXXXXXXXXXXXXXXXXX3ae;
  Location: http://trac-hacks.org
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: http://trac-hacks.org [following]
--14:06:16--  http://trac-hacks.org/
           => `index.html'
Connecting to trac-hacks.org|72.36.197.172|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=; expires=Mon, 22-Oct-2007 15:20:04 GMT;
  Set-Cookie: trac_session=b1e6XXXXXXXXXXXXXX3ea7; expires=Sun, 20-Jan-2008 18:06:44 GMT;
  Content-Length: 109671
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html;charset=utf-8
Length: 109,671 (107K) [text/html]

100%[====================================>] 109,671      368.41K/s             

14:06:18 (368.25 KB/s) - `index.html' saved [109671/109671]

[0 dkg@squeak ~]$

As you can see, the authentication succeeds, but i'm redirected back to http://trac-hacks.org/, despite the REFERER being this ticket.

If i do the same wget, but with an http referer instead of https:, i get a valid login, and i'm redirected to the correct page (though of course my session tokens are transmitted back in the clear to the server, allowing a session hijack for anyone in the network chain):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=http://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:19:30--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:19:56 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=788dXXXXXXXXXXXXXXXXXXXXXXXx61122;
  Set-Cookie: trac_form_token=bb49XXXXXXXXXXXXXXXXXXX87df;
  Location: https://trac-hacks.org/ticket/2099
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: https://trac-hacks.org/ticket/2099 [following]
--14:19:30--  https://trac-hacks.org/ticket/2099
           => `2099'
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:19:57 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Content-Length: 21367
  Content-Type: text/html;charset=utf-8
  Via: 1.0 trac-hacks.org
  Connection: close
Length: 21,367 (21K) [text/html]

100%[====================================>] 21,367       136.38K/s             

14:19:31 (135.66 KB/s) - `2099' saved [21367/21367]

[0 dkg@squeak ~]$ 

btw, sorry about the --no-check-certificate -- i couldn't find a path to your issuing authority in my CA list (i'm running debian lenny). don't think that's relevant to this ticket, though.
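The two failure modes dkg's wget traces show, a login redirect that drops an https user onto http and session cookies issued over https without the Secure attribute, as an added example (not Trac's or trac-hacks.org's code). It assumes a WSGI-style view of the request (scheme, host, a headers dict) and uses a constructed Set-Cookie sample modelled on the scrambled headers above.

```python
from urllib.parse import urlsplit, urlunsplit


def post_login_redirect(request_scheme, request_host, referer, fallback="/"):
    """Return where to send a user after a successful login.

    The Referer is honoured only when it is same-origin and does not move an
    https request onto http; otherwise a relative fallback is returned, so the
    browser keeps whatever scheme it used for the login request itself.
    """
    if not referer:
        return fallback
    ref = urlsplit(referer)
    if ref.scheme not in ("http", "https"):
        return fallback
    if ref.netloc.lower() != request_host.lower():
        return fallback  # open-redirect guard: never follow a foreign host
    if request_scheme == "https" and ref.scheme == "http":
        return fallback  # the https -> http downgrade from comment:1, refused
    # Keep the referer's own scheme (https whenever either side used it).
    return urlunsplit((ref.scheme, ref.netloc, ref.path or "/", ref.query, ""))


def client_scheme(app_scheme, headers, trusted_proxy=False):
    """Scheme the client actually used.

    Behind a TLS-terminating reverse proxy (the mod_proxy setup in this ticket)
    the application sees plain http; X-Forwarded-Proto is only believed when
    the proxy in front is known to set it, otherwise the app's view is kept.
    """
    forwarded = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    if trusted_proxy and forwarded in ("http", "https"):
        return forwarded
    return app_scheme


def insecure_session_cookies(set_cookie_headers, over_https):
    """Names of cookies set on an https response without the Secure attribute.

    Such cookies are replayed by the browser on any later plain-http request,
    which is the session-hijack exposure dkg points out.
    """
    if not over_https:
        return []
    insecure = []
    for value in set_cookie_headers:
        attrs = [a.strip() for a in value.split(";")]
        name = attrs[0].split("=", 1)[0].strip()
        if not any(a.lower() == "secure" for a in attrs[1:]):
            insecure.append(name)
    return insecure


# Constructed sample (scrambled values, not real tokens) in the shape of the
# Set-Cookie lines quoted in comment:1; only the second one carries Secure.
SAMPLE_SET_COOKIE = [
    "trac_auth=fb97EXAMPLETOKEN3f75f; Path=/",
    "trac_form_token=23EXAMPLETOKEN3ae; Path=/; Secure",
]
```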

comment:2 Changed 7 years ago by athomas

Yeah, I'm aware of this, and it appears to be related to using mod_proxy. Not sure what the fix is TBH.

comment:3 Changed 6 years ago by athomas

  • Resolution set to fixed
  • Status changed from new to closed

This should be working now.

comment:4 Changed 6 years ago by dkg

Yup. Works for me. Thanks for the fix! What did you do to fix it?

comment:5 Changed 6 years ago by athomas

Got rid of mod_proxy and explicitly define the SSL virtual server.
