
Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#2099 closed defect (fixed)

trac-hacks.org authentication fails when using https

Reported by: anonymous
Owned by: Alec Thomas
Priority: normal
Component: TracHacks
Severity: normal
Keywords: authentication
Cc:
Trac Release: 0.10

Description

I can log in successfully to http://trac-hacks.org/, but when I try to use the site over HTTPS, the login attempt appears to succeed, but I get bounced back to plain HTTP, I'm no longer at the page I started from (I'm back at the home page), and I'm not authenticated. Not sure why that's happening.

Attachments (0)

Change History (5)

comment:1 Changed 9 years ago by Daniel Kahn Gillmor

Oops. This ticket was filed by me -- I must have de-authenticated in another tab while trying to debug this.

The problem is pretty clearly that the login page wants to redirect the user to an http://trac-hacks.org/ URL, and isn't willing to entertain a REFERER set to https://trac-hacks.org/.

Maybe that's a problem with the authentication module you're using?

FWIW, here's a wget display of the headers involved (unique tokens have been scrambled):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=https://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:06:16--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=fb97eXXXXXXXXXXXXXXXXXXX3f75f;
  Set-Cookie: trac_form_token=23XXXXXXXXXXXXXXXXXXX3ae;
  Location: http://trac-hacks.org
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: http://trac-hacks.org [following]
--14:06:16--  http://trac-hacks.org/
           => `index.html'
Connecting to trac-hacks.org|72.36.197.172|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=; expires=Mon, 22-Oct-2007 15:20:04 GMT;
  Set-Cookie: trac_session=b1e6XXXXXXXXXXXXXX3ea7; expires=Sun, 20-Jan-2008 18:06:44 GMT;
  Content-Length: 109671
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html;charset=utf-8
Length: 109,671 (107K) [text/html]

100%[====================================>] 109,671      368.41K/s             

14:06:18 (368.25 KB/s) - `index.html' saved [109671/109671]

[0 dkg@squeak ~]$

As you can see, the authentication succeeds, but I'm redirected back to http://trac-hacks.org/, despite the REFERER being this ticket.

If I do the same wget, but with an http: referer instead of https:, I get a valid login, and I'm redirected to the correct page (though of course my session tokens are transmitted back in the clear to the server, allowing a session hijack for anyone in the network chain):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=http://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:19:30--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:19:56 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=788dXXXXXXXXXXXXXXXXXXXXXXXx61122;
  Set-Cookie: trac_form_token=bb49XXXXXXXXXXXXXXXXXXX87df;
  Location: https://trac-hacks.org/ticket/2099
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: https://trac-hacks.org/ticket/2099 [following]
--14:19:30--  https://trac-hacks.org/ticket/2099
           => `2099'
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:19:57 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Content-Length: 21367
  Content-Type: text/html;charset=utf-8
  Via: 1.0 trac-hacks.org
  Connection: close
Length: 21,367 (21K) [text/html]

100%[====================================>] 21,367       136.38K/s             

14:19:31 (135.66 KB/s) - `2099' saved [21367/21367]

[0 dkg@squeak ~]$ 

BTW, sorry about the --no-check-certificate -- I couldn't find a path to your issuing authority in my CA list (I'm running Debian lenny). Don't think that's relevant to this ticket, though.
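The reading of the two transcripts above can be automated. What follows is an added example, not code from the ticket or from Trac: it parses a `wget -S` transcript and reports the https-to-http downgrade on the post-login redirect, cookies issued over https without the Secure attribute, and cookies that the next hop clears. The sample transcript embedded in the script is constructed from the response headers in comment:1 (same scrambled tokens, other lines dropped); the regular expressions assume wget's header layout exactly as shown on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the lines this check needs from the `wget -S` transcript
# in comment:1, with the same scrambled cookie values as on the page.
SAMPLE_DUMP = """\
--14:06:16--  https://dkgdkg:*password*@trac-hacks.org/login
  HTTP/1.1 302 Found
  Set-Cookie: trac_auth=fb97eXXXXXXXXXXXXXXXXXXX3f75f;
  Set-Cookie: trac_form_token=23XXXXXXXXXXXXXXXXXXX3ae;
  Location: http://trac-hacks.org
Location: http://trac-hacks.org [following]
--14:06:16--  http://trac-hacks.org/
  HTTP/1.1 200 Ok
  Set-Cookie: trac_auth=; expires=Mon, 22-Oct-2007 15:20:04 GMT;
  Set-Cookie: trac_session=b1e6XXXXXXXXXXXXXX3ea7; expires=Sun, 20-Jan-2008 18:06:44 GMT;
"""

REQUEST_LINE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")  # wget's "--HH:MM:SS--  URL"
STATUS_LINE = re.compile(r"^\s+HTTP/\d\.\d\s+(\d{3})")
HEADER_LINE = re.compile(r"^\s+([A-Za-z-]+):\s*(.*)$")       # wget indents response headers


def parse_wget_dump(text):
    """Split a `wget -S` transcript into one dict per request/response pair."""
    exchanges = []
    current = None
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            parts = urlsplit(m.group(1))          # drops the user:*password*@ part
            current = {"scheme": parts.scheme, "host": parts.hostname or "",
                       "path": parts.path or "/", "status": None, "headers": []}
            exchanges.append(current)
            continue
        if current is None:
            continue
        m = STATUS_LINE.match(line)
        if m:
            current["status"] = int(m.group(1))
            continue
        m = HEADER_LINE.match(line)
        if m:
            current["headers"].append((m.group(1).lower(), m.group(2)))
    return exchanges


def cookie_name_value_attrs(header_value):
    """'name=value; Attr; Attr=x' -> (name, value, {attribute names, lower-cased})."""
    first, *rest = header_value.split(";")
    name, _, value = first.partition("=")
    attrs = {a.strip().split("=", 1)[0].lower() for a in rest if a.strip()}
    return name.strip(), value.strip(), attrs


def audit_login_exchange(exchanges):
    """Findings for a login over https: scheme downgrade on the redirect,
    cookies issued without Secure, and cookies the following hop clears."""
    findings = []
    login = exchanges[0]
    if login["scheme"] != "https":
        findings.append("login request was not sent over https")
    location = next((v for k, v in login["headers"] if k == "location"), None)
    if login["status"] in (301, 302, 303, 307) and location:
        target = urlsplit(location)
        if target.scheme == "http":
            findings.append("redirect downgrades https -> http: " + location)
        if target.hostname and target.hostname != login["host"]:
            findings.append("redirect leaves the site: " + location)
    for k, v in login["headers"]:
        if k == "set-cookie":
            name, _, attrs = cookie_name_value_attrs(v)
            if login["scheme"] == "https" and "secure" not in attrs:
                findings.append("cookie %s set over https without Secure" % name)
    for ex in exchanges[1:]:
        for k, v in ex["headers"]:
            if k == "set-cookie":
                name, value, _ = cookie_name_value_attrs(v)
                if value == "":                   # "trac_auth=; expires=<past>" style clear
                    findings.append("cookie %s cleared by %s://%s%s"
                                    % (name, ex["scheme"], ex["host"], ex["path"]))
    return findings


if __name__ == "__main__":
    for finding in audit_login_exchange(parse_wget_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against a transcript saved from `wget -S ... 2>&1`, the script reports the three things the comment describes by hand: the 302 to a plain-http Location, the trac_auth and trac_form_token cookies set without Secure (so a browser would replay them over the http hop), and trac_auth being cleared by the http response, which is why the session ends up unauthenticated.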

comment:2 Changed 9 years ago by Alec Thomas

Yeah, I'm aware of this, and it appears to be related to using mod_proxy. Not sure what the fix is TBH.

comment:3 Changed 9 years ago by Alec Thomas

Resolution: fixed
Status: new → closed

This should be working now.

comment:4 Changed 9 years ago by Daniel Kahn Gillmor

Yup. Works for me. Thanks for the fix! What did you do to fix it?

comment:5 Changed 9 years ago by Alec Thomas

Got rid of mod_proxy and explicitly define the SSL virtual server.
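Why dropping mod_proxy in favour of a dedicated SSL virtual host makes the redirect come out right can be seen with a small model. This is an added example, not Trac's code and not the trac-hacks.org configuration: when a front-end proxy terminates TLS and hands the backend a plain HTTP request, the application's own base URL becomes http://..., the https Referer no longer matches it, and a same-site check has to fall back to the site root, which is the `Location: http://trac-hacks.org` seen in comment:1. The WSGI environ dicts are constructed, the function names are hypothetical, and honouring X-Forwarded-Proto is shown as the alternative to a direct SSL vhost. The model also compares origins exactly rather than by prefix, because a prefix test turns the post-login hop into an open redirect.

```python
from urllib.parse import urlsplit

# Hypothetical WSGI environ dicts for the deployments discussed in the ticket
# (constructed for this example; not captured from trac-hacks.org).
DIRECT_SSL_VHOST = {          # TLS terminated in the same vhost that runs the app
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "trac-hacks.org",
    "HTTP_REFERER": "https://trac-hacks.org/ticket/2099",
}
BEHIND_PROXY = {              # TLS ends at a proxy; the backend sees plain http
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "trac-hacks.org",
    "HTTP_REFERER": "https://trac-hacks.org/ticket/2099",
}
BEHIND_PROXY_WITH_HEADER = dict(BEHIND_PROXY, HTTP_X_FORWARDED_PROTO="https")


def same_site(referer, base_url):
    """True only when the referer's scheme and host equal the app's own.

    Exact comparison matters: a prefix test such as referer.startswith(base_url)
    also accepts http://trac-hacks.org.attacker.example/ for a base of
    http://trac-hacks.org, so the post-login hop would become an open redirect.
    """
    r, b = urlsplit(referer), urlsplit(base_url)
    return (r.scheme.lower(), r.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def base_url(environ, trust_forwarded_proto=False):
    """scheme://host that the application believes it is serving.

    trust_forwarded_proto=True honours X-Forwarded-Proto from a TLS-terminating
    proxy. Enable it only when the backend is reachable solely through that
    proxy; otherwise any client can claim to be on https.
    """
    scheme = environ["wsgi.url_scheme"]
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
    if trust_forwarded_proto and forwarded in ("http", "https"):
        scheme = forwarded
    return "%s://%s" % (scheme, environ["HTTP_HOST"])


def post_login_location(environ, trust_forwarded_proto=False):
    """Where a successful login sends the browser: back to the referer when it
    is on the same site, otherwise to the site root."""
    base = base_url(environ, trust_forwarded_proto)
    referer = environ.get("HTTP_REFERER")
    if referer and same_site(referer, base):
        return referer
    return base + "/"


def prefix_check_accepts(referer, base):
    """The weaker prefix test, kept only to show what exact matching rejects."""
    return referer.startswith(base)


if __name__ == "__main__":
    cases = [("direct SSL vhost", DIRECT_SSL_VHOST, False),
             ("behind proxy, header ignored", BEHIND_PROXY, False),
             ("behind proxy, X-Forwarded-Proto trusted", BEHIND_PROXY_WITH_HEADER, True)]
    for name, env, trust in cases:
        print("%-42s -> Location: %s" % (name, post_login_location(env, trust)))
    evil = "http://trac-hacks.org.attacker.example/"
    print("prefix test accepts %s: %s" % (evil, prefix_check_accepts(evil, "http://trac-hacks.org")))
    print("exact test accepts  %s: %s" % (evil, same_site(evil, "http://trac-hacks.org")))
```

The middle case reproduces the ticket: the same https Referer is rejected purely because the backend's base URL is http, and the user lands on the site root over plain HTTP. Either of the two fixes restores the https base URL: the one actually applied here (an explicit SSL vhost, so `wsgi.url_scheme` is already https), or keeping the proxy and trusting its X-Forwarded-Proto header, which is only safe when nothing but the proxy can reach the backend.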
