Item1636: Extensions.HttpsRedirectPlugin broken with Apache login
Priority: Enhancement
Current State: Confirmed
Released In: n/a
Target Release: n/a
When trying to provide some feedback about the plugin I found that the 3 main links for such stuff are pointing to T*iki locations on
HttpsRedirectPlugin. Is that done on purpose? I opened this task to change it and to also leave my feedback now here.
Feedback:
When a user uses HTTP and logs in, he has to provide his login credentials twice (apache login method). The first time still using HTTP and then the second time with HTTPS. So the plugin basically works but requires 2 logins. From a security point of view it also raises the question whether the login data given during the first login trial with HTTP are sent unsecured to the server. It looks like that, although I didn't verify it so far.
Is this a known limitation or something that could be solved/fixed in future releases?
Thank you,
Ingo
I'm going to have a go at updating this plugin. It would be nice if everything SSL'd except wikiguest hitting topics via view script only.
Also, some topics POST sensitive information, e.g. ChangePassword, and these should be delivered over SSL even to guests.
--
PaulHarvey - 14 Jan 2010
Just an FYI
Change password actually requires that you authenticate first to see the topic.
Reset password can be done as guest for obvious reasons.
--
KennethLavrsen - 14 Jan 2010
Sorry for my very slow response time. I just found out how to see all my items 'waiting for feedback'.
I don't think I've ever tested that plug-in with Apache login. Template login works fine for me and as far as I can tell credentials are sent encrypted. I'm no security expert though. Not sure how to deal with the Apache login issue. Could anyone reproduce that bug?
I've changed the item summary.
It's true the plug-in page links to T*ki. I'll fix that quick on fw.org.
WillNorris already fixed that in Subversion:
http://trac.foswiki.org/changeset/3958
--
StephaneLenclud - 28 Apr 2010
I've been working on this. Mixed http & https Foswiki is a pain. There are three things at work here:
- Configuring Apache to always redirect "secure" scripts to https (this includes 'login' if you are using apacheauth)
- Modification of HttpsRedirectPlugin to determine if, in a given http request, the client has an (authenticated) session available over https. Non-trivial because the FOSWIKISID cookie has the secure flag set! #PluginMod
- Modification of Foswiki's LoginManager.pm to avoid session cookie name conflicts for HTTP vs HTTPS. Otherwise, when you visit the wiki over http, Foswiki doesn't see the FOSWIKISID cookie (the browser is complying with the secure flag, it's not sent) and serves up a new FOSWIKISID; so even if you redirect back to https, you're under a new session, and you lose your old one. #LoginManagerMod
Plugin mod
use strict;
use warnings;
use Foswiki::Func ();
use CGI::Cookie ();

# Set from {Plugins}{HttpsRedirectPlugin}{Debug} in initPlugin
our $debug;

sub initPlugin {
    my ( $topic, $web, $user, $installWeb ) = @_;
    my $requestObj;
    my $context = Foswiki::Func::getContext();

    # check for Plugins.pm versions
    if ( $Foswiki::Plugins::VERSION < 1.026 ) {
        Foswiki::Func::writeWarning(
            'Version mismatch between ' . __PACKAGE__ . ' and Plugins.pm' );
        return 0;
    }
    $debug = $Foswiki::cfg{Plugins}{HttpsRedirectPlugin}{Debug} || 0;

    if ( defined &Foswiki::Func::getRequestObject ) {
        # Foswiki 1.1+
        $requestObj = Foswiki::Func::getRequestObject();
    }
    else {
        # Foswiki 1.0
        $requestObj = Foswiki::Func::getCgiQuery();
    }

    if ( $requestObj->https() ) {
        # Over https: record whether this client is authenticated so that a
        # later plain-http request can be sent back to https
        if ( not Foswiki::Func::isGuest() ) {
            _setRedirectCookie( $requestObj, 1 );
        }
        else {
            _setRedirectCookie( $requestObj, undef );
        }
    }
    elsif (
        (
            not Foswiki::Func::isGuest()
            or $requestObj->cookie('FOSWIKIHttpsRedirect')
            or $context->{'login'}
        )
        and not $context->{'command_line'}
      )
    {
        _doRedirect($requestObj);
    }

    # Plugin correctly initialized
    return 1;
}

sub _doRedirect {
    my ($requestObj) = @_;
    my $url = $requestObj->url() . $requestObj->path_info();

    # TODO: We lose the #anchorpart here :-(
    if ( $requestObj->query_string() ) {
        $url .= '?' . $requestObj->query_string();
    }
    $url =~ s/^http/https/;
    Foswiki::Func::writeDebug("HttpsRedirectPlugin: redirecting to: $url")
      if $debug;
    Foswiki::Func::redirectCgiQuery( $requestObj, $url );
    return;
}

# ApacheLogin: Auth is carried in http rather than cookies. It's not
# possible to tell if a user has an authenticated session over on the
# https side if they've accidentally returned to http. So, we set a
# special cookie (with secure flag off) that can be read by the server
# on both http and https protocols.
sub _setRedirectCookie {
    my ( $requestObj, $value ) = @_;

    if ( $Foswiki::cfg{LoginManager} ne 'Foswiki::LoginManager::TemplateLogin' )
    {
        Foswiki::Func::writeDebug(
            'HttpsRedirectPlugin: Setting redirect cookie')
          if $debug;
        if ( $Foswiki::Plugins::SESSION
            and $Foswiki::Plugins::SESSION->{response} )
        {
            my @cookies = $Foswiki::Plugins::SESSION->{response}->cookies();
            # Only emit the cookie when marking the client as authenticated,
            # or when an existing marker needs to be overwritten (cleared)
            if ( $value or $requestObj->cookie('FOSWIKIHttpsRedirect') ) {
                push(
                    @cookies,
                    CGI::Cookie->new(
                        -name     => 'FOSWIKIHttpsRedirect',
                        -value    => $value,
                        -httponly => 1
                    )
                );
            }
            $Foswiki::Plugins::SESSION->{response}->cookies( [@cookies] );
        }
        else {
            print STDERR
              "HttpsRedirectPlugin - incompatible Foswiki: couldn't peek at response obj\n";
        }
    }
    elsif ($debug) {
        Foswiki::Func::writeDebug(
            'HttpsRedirectPlugin: Not setting redirect cookie for TemplateLogin'
        );
    }
    return;
}
LoginManager mod
diff --git a/lib/Foswiki/LoginManager.pm b/lib/Foswiki/LoginManager.pm
index 6142fb8..7402dc1 100644
--- a/lib/Foswiki/LoginManager.pm
+++ b/lib/Foswiki/LoginManager.pm
@@ -90,6 +90,7 @@ sub makeLoginManager {
&& !$session->inContext('command_line') )
{
+ my $sessionname;
my $use = 'use Foswiki::LoginManager::Session';
if ( $Foswiki::cfg{Sessions}{UseIPMatching} ) {
$use .= ' qw(-ip_match)';
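Review bot: `my $sessionname;` is declared here without a value and only assigned a dozen lines further down, after the `eval $use`; since `$session` is already in scope in this block, the declaration and the protocol test could be folded into one initialised statement at the point of use, e.g. `my $sessionname = $session->{request}->https() ? 'SFOSWIKISID' : 'FOSWIKISID';`, which keeps the cookie-name decision in one place and leaves no uninitialised variable between the two hunks.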
@@ -97,13 +98,19 @@ sub makeLoginManager {
$use .= '; use CGI::Cookie ()';
eval $use;
throw Error::Simple($@) if $@;
+ if ( $session->{request}->https() ) {
+ $sessionname = 'SFOSWIKISID';
+ }
+ else {
+ $sessionname = 'FOSWIKISID';
+ }
if ( $Foswiki::LoginManager::Session::VERSION eq '4.10' ) {
# 4.10 is broken; see Item1989
- $Foswiki::LoginManager::Session::NAME = 'FOSWIKISID';
+ $Foswiki::LoginManager::Session::NAME = $sessionname;
}
else {
- Foswiki::LoginManager::Session->name('FOSWIKISID');
+ Foswiki::LoginManager::Session->name($sessionname);
}
}
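Review bot: the branch at `if ( $session->{request}->https() )` needs a comment saying why two cookie names exist at all (the https session cookie carries the secure flag, so a plain-http request never presents it and would otherwise be issued a fresh session that overwrites the https one); without that, the `SFOSWIKISID` literal reads as arbitrary to the next maintainer. The two names are also bare string literals inside this function, and the existing `Item1989` workaround shows the name is already consumed on two code paths; hoisting both names into one constant or a configuration entry would stop any other code that still looks for the literal 'FOSWIKISID' from silently missing the https session.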
--
PaulHarvey - 30 Mar 2011
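The session loss described in the LoginManager point above, as an added example that is not part of this task or of Foswiki's code: a constructed Python model of a browser cookie jar (secure cookies withheld from http, a same-name Set-Cookie overwrites the stored one) and a toy server session table, run once with the single FOSWIKISID name and once with the SFOSWIKISID/FOSWIKISID split from the patch. The Jar, Wiki and visit_sequence names, and the rule that the session cookie is marked secure only when issued over https, are assumptions for this illustration.

```python
import itertools

class Jar:
    """Browser side: cookies keyed by name; a Set-Cookie with the same name overwrites."""
    def __init__(self):
        self.store = {}  # name -> (value, secure)

    def set(self, name, value, secure):
        self.store[name] = (value, secure)

    def header(self, https):
        # Secure cookies are withheld from plain-http requests (RFC 6265).
        return {n: v for n, (v, s) in self.store.items() if https or not s}

class Wiki:
    """Server side: a session table and a cookie-name policy."""
    def __init__(self, split_names):
        self.split = split_names  # True models the LoginManager patch
        self.sessions = {}        # session id -> user
        self.ids = itertools.count(1)

    def cookie_name(self, https):
        # Patched: SFOSWIKISID on https, FOSWIKISID on http. Unpatched: one name.
        return "SFOSWIKISID" if (self.split and https) else "FOSWIKISID"

    def request(self, jar, https, login_as=None):
        """Serve one request and return the user the server attributes it to."""
        name = self.cookie_name(https)
        sid = jar.header(https).get(name)
        if sid not in self.sessions:
            # No usable session cookie arrived: issue a fresh guest session.
            # Assumption: the session cookie carries the secure flag only on https.
            sid = f"sid{next(self.ids)}"
            self.sessions[sid] = "guest"
            jar.set(name, sid, secure=https)
        if login_as:
            self.sessions[sid] = login_as
        return self.sessions[sid]

def visit_sequence(split_names):
    """Log in over https, stray onto http, return to https; report the https user."""
    wiki, jar = Wiki(split_names), Jar()
    wiki.request(jar, https=True, login_as="alice")
    wiki.request(jar, https=False)  # the browser withholds the secure cookie
    return wiki.request(jar, https=True)
```

With one shared name the http visit's fresh guest cookie replaces the authenticated one and the user comes back to https as guest; with the split names the https session survives the detour.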
Created the ConfigurableCookieNamesAndPaths proposal now that I've had to modify Foswiki core.
--
PaulHarvey - 30 Mar 2011
See also: BlurAuthCookieName
--
PaulHarvey - 17 Dec 2011
I'm going to move the LoginManager patch into a separate task and commit it to 1.1.5, as I've just been experiencing sessions that last for one request only - due to mixed http and https requests.
--
SvenDowideit - 21 Mar 2012
Decoupled work on HttpsRedirectPlugin from core changes part of the feature proposal. Please create a new task if core features are about to be implemented.
--
MichaelDaum - 02 Jun 2014
I think I've addressed this at least partially by being a bit more aggressive in redirecting to https. Rather than setting a non-secure redirect cookie, I just let the http: access remain as guest. If the user has authenticated, then the https:// connections will find it. So I've added 2 redirect conditions:
- Any script in {AuthScripts}
- Any request to access a topic that results in forceAuthentication().
Right now this is released in Extensions/Testing.HttpsRedirectPlugin and is running on foswiki.org.
--
GeorgeClark - 28 Mar 2017