#2099 closed defect (fixed)
trac-hacks.org authentication fails when using https
| Reported by: | anonymous | Owned by: | Alec Thomas |
|---|---|---|---|
| Priority: | normal | Component: | TracHacks |
| Severity: | normal | Keywords: | authentication |
| Cc: | | Trac Release: | 0.10 |
Description
I can log in successfully to http://trac-hacks.org/, but when i try to use the site over HTTPS, the login attempt appears to succeed, but i get bounced back to plain HTTP, i'm no longer at the page i started from (i'm back at the home page), and i'm not authenticated. Not sure why that's happening.
Change History (5)
comment:1 Changed 18 years ago by
comment:2 Changed 18 years ago by
Yeah, I'm aware of this, and it appears to be related to using mod_proxy. Not sure what the fix is TBH.
comment:3 Changed 18 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
This should be working now.
comment:5 Changed 18 years ago by
Got rid of mod_proxy and explicitly define the SSL virtual server.



oops. this ticket was filed by me -- i must have de-authenticated in another tab while trying to debug this.
the problem is pretty clearly that the login page wants to redirect the user to an http://trac-hacks.org/ URL, and isn't willing to entertain a REFERER set to https://trac-hacks.org/
Maybe that's a problem with the authentication module you're using?
fwiw, here's a wget display of the headers involved (unique tokens have been scrambled):
```
[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=https://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:06:16-- https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=fb97eXXXXXXXXXXXXXXXXXXX3f75f;
  Set-Cookie: trac_form_token=23XXXXXXXXXXXXXXXXXXX3ae;
  Location: http://trac-hacks.org
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: http://trac-hacks.org [following]
--14:06:16-- http://trac-hacks.org/
           => `index.html'
Connecting to trac-hacks.org|72.36.197.172|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:06:42 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=; expires=Mon, 22-Oct-2007 15:20:04 GMT;
  Set-Cookie: trac_session=b1e6XXXXXXXXXXXXXX3ea7; expires=Sun, 20-Jan-2008 18:06:44 GMT;
  Content-Length: 109671
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html;charset=utf-8
Length: 109,671 (107K) [text/html]

100%[====================================>] 109,671 368.41K/s

14:06:18 (368.25 KB/s) - `index.html' saved [109671/109671]

[0 dkg@squeak ~]$
```

As you can see, the authentication succeeds, but i'm redirected back to http://trac-hacks.org/, despite the REFERER being this ticket.
If i do the same wget, but with an http referer instead of https:, i get a valid login, and i'm redirected to the correct page (though of course my session tokens are transmitted back in the clear to the server, allowing a session hijack for anyone in the network chain):
```
[0 dkg@squeak ~]$ wget --no-check-certificate -S --referer=http://trac-hacks.org/ticket/2099 https://dkgdkg:blahblahblah@trac-hacks.org/login
--14:19:30-- https://dkgdkg:*password*@trac-hacks.org/login
           => `login'
Resolving trac-hacks.org... 72.36.197.172
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Mon, 22 Oct 2007 18:19:56 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Pragma: no-cache
  Cache-control: no-cache
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Set-Cookie: trac_auth=788dXXXXXXXXXXXXXXXXXXXXXXXx61122;
  Set-Cookie: trac_form_token=bb49XXXXXXXXXXXXXXXXXXX87df;
  Location: https://trac-hacks.org/ticket/2099
  Content-Type: text/plain; charset=UTF-8
  Via: 1.0 trac-hacks.org
  Connection: close
Location: https://trac-hacks.org/ticket/2099 [following]
--14:19:30-- https://trac-hacks.org/ticket/2099
           => `2099'
Connecting to trac-hacks.org|72.36.197.172|:443... connected.
WARNING: Certificate verification error for trac-hacks.org: self signed certificate in certificate chain
HTTP request sent, awaiting response...
  HTTP/1.1 200 Ok
  Date: Mon, 22 Oct 2007 18:19:57 GMT
  Server: Apache/2.0.55 (Ubuntu) DAV/2 SVN/1.3.2 mod_ssl/2.0.55 OpenSSL/0.9.8a mod_wsgi/1.0c1 Python/2.4.3
  Cache-control: must-revalidate
  Expires: Fri, 01 Jan 1999 00:00:00 GMT
  Content-Length: 21367
  Content-Type: text/html;charset=utf-8
  Via: 1.0 trac-hacks.org
  Connection: close
Length: 21,367 (21K) [text/html]

100%[====================================>] 21,367 136.38K/s

14:19:31 (135.66 KB/s) - `2099' saved [21367/21367]

[0 dkg@squeak ~]$
```

btw, sorry about the --no-check-certificate -- i couldn't find a path to your issuing authority in my CA list (i'm running debian lenny). don't think that's relevant to this ticket, though.
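An added example, not part of the original ticket or Trac's own code: a small Python check that takes the response headers of a login request made over HTTPS and reports the two conditions visible in the first wget run above, a `Location` that drops to `http://` and `Set-Cookie` lines with no `Secure` attribute. The function names and the sample headers (token values replaced by placeholders) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the 302 response in the first wget run;
# the cookie values are placeholders, not real tokens.
SAMPLE_302 = """
HTTP/1.1 302 Found
Set-Cookie: trac_auth=PLACEHOLDER;
Set-Cookie: trac_form_token=PLACEHOLDER;
Location: http://trac-hacks.org
"""


def parse_headers(raw):
    """Split 'Name: value' lines into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.strip().partition(":")
        if sep:  # the status line has no colon and is skipped
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_login_response(request_url, raw_headers):
    """Return findings for a response to a request sent to request_url."""
    findings = []
    over_tls = urlsplit(request_url).scheme == "https"
    for name, value in parse_headers(raw_headers):
        if name == "location" and over_tls:
            # A relative Location has no scheme and stays on HTTPS.
            if urlsplit(value).scheme == "http":
                findings.append("downgrade: redirect to " + value)
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            # Without Secure the browser also sends the cookie over HTTP.
            if "secure" not in attrs:
                findings.append("cookie without Secure: " + cookie_name)
    return findings


if __name__ == "__main__":
    for finding in audit_login_response("https://trac-hacks.org/login", SAMPLE_302):
        print(finding)
```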