Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#2099 closed defect (fixed)

trac-hacks.org authentication fails when using https

Reported by: anonymous
Owned by: Alec Thomas
Priority: normal
Component: TracHacks
Severity: normal
Keywords: authentication
Cc:
Trac Release: 0.10

Description

I can log in successfully to http://trac-hacks.org/, but when i try to use the site over HTTPS, the login attempt appears to succeed, but i get bounced back to plain HTTP, i'm no longer at the page i started from (i'm back at the home page), and i'm not authenticated. Not sure why that's happening.

Attachments (0)

Change History (5)

comment:1 Changed 10 years ago by Daniel Kahn Gillmor

oops. this ticket was filed by me -- i must have de-authenticated in another tab while trying to debug this.

the problem is pretty clearly that the login page wants to redirect the user to an http://trac-hacks.org/ URL, and isn't willing to entertain a REFERER set to https://trac-hacks.org/

Maybe that's a problem with the authentication module you're using?

fwiw, here's a wget display of the headers involved (unique tokens have been scrambled):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=https://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:06:16--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=fb97eXXXXXXXXXXXXXXXXXXX3f75f;
  Set-Cookie: trac_form_token=23XXXXXXXXXXXXXXXXXXX3ae;
  Location: http://trac-hacks.org
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: http://trac-hacks.org [following]
--14:06:16--  http://trac-hacks.org/
           => `index.html'
Connecting to trac-hacks.org|72.36.197.172|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=; expires=Mon, 22-Oct-2007 15:20:04 GMT;
  Set-Cookie: trac_session=b1e6XXXXXXXXXXXXXX3ea7; expires=Sun, 20-Jan-2008 18:06:44 GMT;
  Content-Length: 109671
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html;charset=utf-8
Length: 109,671 (107K) [text/html]

100%[====================================>] 109,671      368.41K/s             

14:06:18 (368.25 KB/s) - `index.html' saved [109671/109671]

[0 dkg@squeak ~]$

As you can see, the authentication succeeds, but i'm redirected back to http://trac-hacks.org/, despite the REFERER being this ticket.

If i do the same wget, but with an http referer instead of https:, i get a valid login, and i'm redirected to the correct page (though of course my session tokens are transmitted back in the clear to the server, allowing a session hijack for anyone in the network chain):

[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=http://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:19:30--  https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:19:56 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=788dXXXXXXXXXXXXXXXXXXXXXXXx61122;
  Set-Cookie: trac_form_token=bb49XXXXXXXXXXXXXXXXXXX87df;
  Location: https://trac-hacks.org/ticket/2099
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: https://trac-hacks.org/ticket/2099 [following]
--14:19:30--  https://trac-hacks.org/ticket/2099
           => `2099'
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:19:57 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Content-Length: 21367
  Content-Type: text/html;charset=utf-8
  Via: 1.0 trac-hacks.org
  Connection: close
Length: 21,367 (21K) [text/html]

100%[====================================>] 21,367       136.38K/s             

14:19:31 (135.66 KB/s) - `2099' saved [21367/21367]

[0 dkg@squeak ~]$ 

btw, sorry about the --no-check-certificate -- i couldn't find a path to your issuing authority in my CA list (i'm running debian lenny). don't think that's relevant to this ticket, though.
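
A check for the behaviour visible in the two transcripts above, added here as an example and not part of the original ticket: it parses `wget -S`-style output and flags responses to HTTPS requests that redirect to plain HTTP or set cookies without the Secure attribute. The host name and token values in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed transcript in the shape of `wget -S` output (hypothetical host, dummy tokens).
SAMPLE = """\
--14:06:16--  https://tracker.example/login
  HTTP/1.1 302 Found
  Set-Cookie: trac_auth=AAAA;
  Set-Cookie: trac_form_token=BBBB;
  Location: http://tracker.example
--14:06:16--  http://tracker.example/
  HTTP/1.1 200 Ok
  Set-Cookie: trac_session=CCCC; expires=Sun, 20-Jan-2008 18:06:44 GMT;
--14:19:30--  https://tracker.example/ticket/1
  HTTP/1.1 200 Ok
  Set-Cookie: prefs=DDDD; Path=/; Secure; HttpOnly
"""

REQUEST = re.compile(r"^--[\d:]+--\s+(\S+)")         # "--HH:MM:SS--  URL" request line
HEADER = re.compile(r"^\s+([A-Za-z-]+):\s*(.*)$")    # indented response header line


def audit(transcript):
    """Return (request_url, finding) pairs for HTTPS responses that leak to HTTP."""
    findings, url = [], None
    for line in transcript.splitlines():
        m = REQUEST.match(line)
        if m:
            url = m.group(1)
            continue
        h = HEADER.match(line)
        # Only responses to HTTPS requests are of interest here.
        if not (h and url) or urlsplit(url).scheme != "https":
            continue
        name, value = h.group(1).lower(), h.group(2)
        if name == "location" and urlsplit(value).scheme == "http":
            findings.append((url, "redirect downgrades to " + value))
        elif name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                cookie = value.split("=", 1)[0]
                findings.append((url, "cookie %s lacks Secure" % cookie))
    return findings


if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(url, "->", finding)
```

A cookie set over HTTPS without Secure is sent again on the plain-HTTP request that the downgraded redirect triggers, which is the exposure the comment describes.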

comment:2 Changed 10 years ago by Alec Thomas

Yeah, I'm aware of this, and it appears to be related to using mod_proxy. Not sure what the fix is TBH.

comment:3 Changed 10 years ago by Alec Thomas

Resolution: fixed
Status: new → closed

This should be working now.

comment:4 Changed 10 years ago by Daniel Kahn Gillmor

Yup. Works for me. Thanks for the fix! What did you do to fix it?

comment:5 Changed 10 years ago by Alec Thomas

Got rid of mod_proxy and explicitly defined the SSL virtual server.
