Opened 9 years ago

Closed 9 years ago

trac-hacks.org authentication fails when using https

Reported by: anonymous
Owned by: athomas
Priority: normal
Component: TracHacks
Severity: normal
Keywords: authentication
Release: 0.10

Description

I can log in successfully to http://trac-hacks.org/, but when i try to use the site over HTTPS, the login attempt appears to succeed, but i get bounced back to plain HTTP, i'm no longer at the page i started from (i'm back at the home page), and i'm not authenticated. Not sure why that's happening.

comment:1 Changed 9 years ago by dkg

oops. this ticket was filed by me -- i must have de-authenticated in another tab while trying to debug this.

the problem is pretty clearly that the login page wants to redirect the user to an http://trac-hacks.org/ URL, and isn't willing to entertain a REFERER set to https://trac-hacks.org/

Maybe that's a problem with the authentication module you're using?

fwiw, here's a wget display of the headers involved (unique tokens have been scrambled):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=https://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:06:16--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=fb97eXXXXXXXXXXXXXXXXXXX3f75f;
  Set-Cookie: trac_form_token=23XXXXXXXXXXXXXXXXXXX3ae;
  Location: http://trac-hacks.org
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: http://trac-hacks.org [following]
--14:06:16--  http://trac-hacks.org/
           => `index.html'
Connecting to trac-hacks.org|72.36.197.172|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=; expires=Mon, 22-Oct-2007 15:20:04 GMT;
  Set-Cookie: trac_session=b1e6XXXXXXXXXXXXXX3ea7; expires=Sun, 20-Jan-2008 18:06:44 GMT;
  Content-Length: 109671
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html;charset=utf-8
Length: 109,671 (107K) [text/html]

100%[====================================>] 109,671      368.41K/s

14:06:18 (368.25 KB/s) - `index.html' saved [109671/109671]

[0 dkg@squeak ~]$


As you can see, the authentication succeeds, but i'm redirected back to http://trac-hacks.org/, despite the REFERER being this ticket.

If i do the same wget, but with an http referer instead of https:, i get a valid login, and i'm redirected to the correct page (though of course my session tokens are transmitted back in the clear to the server, allowing a session hijack for anyone in the network chain):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=http://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:19:30--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:19:56 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=788dXXXXXXXXXXXXXXXXXXXXXXXx61122;
  Set-Cookie: trac_form_token=bb49XXXXXXXXXXXXXXXXXXX87df;
  Location: https://trac-hacks.org/ticket/2099
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: https://trac-hacks.org/ticket/2099 [following]
--14:19:30--  https://trac-hacks.org/ticket/2099
           => `2099'
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response...
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:19:57 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Content-Length: 21367
  Content-Type: text/html;charset=utf-8
  Via: 1.0 trac-hacks.org
  Connection: close
Length: 21,367 (21K) [text/html]

100%[====================================>] 21,367       136.38K/s

14:19:31 (135.66 KB/s) - `2099' saved [21367/21367]

[0 dkg@squeak ~]$


btw, sorry about the --no-check-certificate -- i couldn't find a path to your issuing authority in my CA list (i'm running debian lenny). don't think that's relevant to this ticket, though.

comment:2 Changed 9 years ago by athomas

Yeah, I'm aware of this, and it appears to be related to using mod_proxy. Not sure what the fix is TBH.

comment:3 Changed 9 years ago by athomas

• Resolution set to fixed
• Status changed from new to closed

This should be working now.

comment:4 Changed 9 years ago by dkg

Yup. Works for me. Thanks for the fix! What did you do to fix it?

comment:5 Changed 9 years ago by athomas

Got rid of mod_proxy and explicitly define the SSL virtual server.
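An added Python model (not Trac's or trac-hacks.org's code) of the behaviour in comment:1 and its cause in comment:5: a post-login redirect that prefix-matches the Referer against an absolute base URL sends the user to the front page whenever the application believes its base is http, which is what a plain mod_proxy front end that does not pass the original scheme makes it believe. It is shown next to a variant that matches on host only and never downgrades the scheme; base_url, login_redirect_naive and login_redirect_hardened are assumed names.

```python
from urllib.parse import urlsplit


def base_url(scheme, host, forwarded_proto=None):
    """Scheme and host the application believes it is served on.

    Behind a plain reverse proxy the backend sees the proxy's own
    connection (http), even when the client used TLS, unless the proxy
    forwards the original scheme (X-Forwarded-Proto is the usual header).
    """
    if forwarded_proto in ("http", "https"):
        scheme = forwarded_proto
    return f"{scheme}://{host}"


def login_redirect_naive(base, referer):
    """Whole-URL prefix check: an https Referer never matches an http
    base, so the login falls back to the front page (the ticket's bug)."""
    if referer and referer.startswith(base):
        return referer
    return base + "/"


def login_redirect_hardened(base, referer, allowed_schemes=("https",)):
    """Compare the host component only, require a scheme on the allow-list,
    and fall back to the strongest allowed scheme instead of plain http."""
    host = urlsplit(base).netloc
    if referer:
        r = urlsplit(referer)
        if r.scheme in allowed_schemes and r.netloc == host:
            return referer
    return f"{allowed_schemes[0]}://{host}/"


if __name__ == "__main__":
    # Constructed sample matching comment:1: TLS client, proxied backend.
    referer = "https://trac-hacks.org/ticket/2099"
    proxied = base_url("http", "trac-hacks.org")          # proxy hid TLS
    print("naive, proxied:   ", login_redirect_naive(proxied, referer))
    forwarded = base_url("http", "trac-hacks.org", "https")
    print("naive, forwarded: ", login_redirect_naive(forwarded, referer))
    print("hardened, proxied:", login_redirect_hardened(proxied, referer))
```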