trac-hacks.org authentication fails when using https

[anonymous]

I can log in successfully to ​http://trac-hacks.org/, but when i try to use the site over HTTPS, the login attempt appears to succeed, but i get bounced back to plain HTTP, i'm no longer at the page i started from (i'm back at the home page), and i'm not authenticated. Not sure why that's happening.

[Daniel Kahn Gillmor]

oops. this ticket was filed by me -- i must have de-authenticated in another tab while trying to debug this.

the problem is pretty clearly that the login page wants to redirect the user to an ​http://trac-hacks.org/ URL, and isn't willing to entertain a REFERER set to https://trac-hacks.org/

Maybe that's a problem with the authentication module you're using?

fwiw, here's a wget display of the headers involved (unique tokens have been scrambled):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=https://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:06:16--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=fb97eXXXXXXXXXXXXXXXXXXX3f75f;
  Set-Cookie: trac_form_token=23XXXXXXXXXXXXXXXXXXX3ae;
  Location: http://trac-hacks.org
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: http://trac-hacks.org [following]
--14:06:16--  http://trac-hacks.org/
           => `index.html'
Connecting to trac-hacks.org|72.36.197.172|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=; expires=Mon, 22-Oct-2007 15:20:04 GMT;
  Set-Cookie: trac_session=b1e6XXXXXXXXXXXXXX3ea7; expires=Sun, 20-Jan-2008 18:06:44 GMT;
  Content-Length: 109671
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html;charset=utf-8
Length: 109,671 (107K) [text/html]

100%[====================================>] 109,671      368.41K/s             

14:06:18 (368.25 KB/s) - `index.html' saved [109671/109671]

[0 dkg@squeak ~]$

As you can see, the authentication succeeds, but i'm redirected back to ​http://trac-hacks.org/, despite the REFERER being this ticket.

If i do the same wget, but with an http referer instead of https:, i get a valid login, and i'm redirected to the correct page (though of course my session tokens are transmitted back in the clear to the server, allowing a session hijack for anyone in the network chain):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=http://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:19:30--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:19:56 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=788dXXXXXXXXXXXXXXXXXXXXXXXx61122;
  Set-Cookie: trac_form_token=bb49XXXXXXXXXXXXXXXXXXX87df;
  Location: https://trac-hacks.org/ticket/2099
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: https://trac-hacks.org/ticket/2099 [following]
--14:19:30--  https://trac-hacks.org/ticket/2099
           => `2099'
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:19:57 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Content-Length: 21367
  Content-Type: text/html;charset=utf-8
  Via: 1.0 trac-hacks.org
  Connection: close
Length: 21,367 (21K) [text/html]

100%[====================================>] 21,367       136.38K/s             

14:19:31 (135.66 KB/s) - `2099' saved [21367/21367]

[0 dkg@squeak ~]$ 

btw, sorry about the --no-check-certificate -- i couldn't find a path to your issuing authority in my CA list (i'm running debian lenny). don't think that's relevant to this ticket, though.

[Alec Thomas]

Yeah, I'm aware of this, and it appears to be related to using mod_proxy. Not sure what the fix is TBH.

[Alec Thomas]

This should be working now.

[Daniel Kahn Gillmor]

Yup. Works for me. Thanks for the fix! What did you do to fix it?

[Alec Thomas]

Got rid of mod_proxy and explicitly define the SSL virtual server.