You are here: Foswiki>Tasks Web>Item1636 (28 Mar 2017, GeorgeClark)Edit Attach

Item1636: Extensions.HttpsRedirectPlugin broken with Apache login

pencil
Priority: Enhancement
Current State: Confirmed
Released In: n/a
Target Release: n/a
Applies To: Extension
Component: HttpsRedirectPlugin
Branches:
Reported By: IngoKappler
Waiting For: PaulHarvey
Last Change By: GeorgeClark
When trying to provide some feedback about the plugin I found that the 3 main links for such stuff are pointing to T*iki locations on HttpsRedirectPlugin. Is that done on purpose? I opened this task to change it and to also leave my feedback now here. wink

Feedback:

When a user uses HTTP and logs in, he has to provide his login credentials twice (apache login method). The first time still using HTTP and then the second time with HTTPS. So the plugin basically works but requires 2 logins. From a security point of view it also raises the question if the login data given during the 1 login trial with HTTP, are sent unsecured against the server. It looks like that, although I didn't verify it so far.

Is this a known limitation or something that could be solved/fixed in future releases?

Thank you, Ingo


I'm going to have a go at updating this plugin. It would be nice if everything SSL'd except wikiguest hitting topics via view script only.

Also, some topics POST sensitive infomration, Eg. ChangePassword, and these should be delivered over SSL even to guests.

-- PaulHarvey - 14 Jan 2010

Just a FYI

Change password actually requires that you authenticate first to see the topic.

Reset password can be done as guest for obvious reasons.

-- KennethLavrsen - 14 Jan 2010

Sorry for my very slow response time. I just found out how to see all my items 'waiting for feedback' wink I don't think I've ever tested that plug-in with Apache login. Template login works fine for me and as far as I can tell credentials are sent encrypted. I'm no security expert though. Not sure how to deal with the Apache login issue. Could anyone reproduce that bug? I've changed the item summary.

It's true the plug-in page links to T*ki. I'll fix that quick on fw.org. WillNorris already fixed that in Subversion: http://trac.foswiki.org/changeset/3958

-- StephaneLenclud - 28 Apr 2010

I've been working on this. Mixed http & https Foswiki is a pain. There are three things at work here:
  • Configuring Apache to always redirect "secure" scripts to https (this includes 'login' if you are using apacheauth)
  • Modification of HttpsRedirectPlugin to determine if, in a given http request, the client has an (authenticated) session available over https. Non-trivial because FOSWIKISID cookie has the secure flag set! #PluginMod
  • Modification of Foswiki's LoginManager.pm to avoid session cookie name conflicts for HTTP vs HTTPS. Otherwise, when you visit the wiki over http, Foswiki doesn't see the FOSWIKISID cookie (the browser is complying with secure flag, it's not sent) and serves up a new FOSWIKISID; so even if you redirect back to https, you're under a new session, and you lose your old one. #LoginManagerMod

Plugin mod

sub initPlugin {
    my ( $topic, $web, $user, $installWeb ) = @_;
    my $requestObj;
    my $context = Foswiki::Func::getContext();

    # check for Plugins.pm versions
    if ( $Foswiki::Plugins::VERSION < 1.026 ) {
        Foswiki::Func::writeWarning(
            'Version mismatch between ' . __PACKAGE__ . ' and Plugins.pm' );
        return 0;
    }

    $debug = $Foswiki::cfg{Plugins}{HttpsRedirectPlugin}{Debug} || 0;
    if ( defined &Foswiki::Func::getRequestObject ) {

        # Foswiki 1.1+
        $requestObj = Foswiki::Func::getRequestObject();
    }
    else {

        # Foswiki 1.0
        $requestObj = Foswiki::Func::getCgiQuery();
    }
    if ( $requestObj->https() ) {
        if ( not Foswiki::Func::isGuest() ) {
            _setRedirectCookie( $requestObj, 1 );
        }
        else {
            _setRedirectCookie( $requestObj, undef );
        }
    }
    elsif (
        (
               not Foswiki::Func::isGuest()
            or $requestObj->cookie('FOSWIKIHttpsRedirect')
            or $context->{'login'}
        )
        and not $context->{'command_line'}
      )
    {
        _doRedirect($requestObj);
    }

    # Plugin correctly initialized
    return 1;
}

sub _doRedirect {
    my ($requestObj) = @_;
    my $url = $requestObj->url() . $requestObj->path_info();

    # TODO: We lose the #anchorpart here :-(
    if ( $requestObj->query_string() ) {
        $url .= '?' . $requestObj->query_string();
    }
    $url =~ s/^http/https/;
    Foswiki::Func::writeDebug("HttpsRedirectPlugin: redirecting to: $url")
      if $debug;
    Foswiki::Func::redirectCgiQuery( $requestObj, $url );

    return;
}

# ApacheLogin: Auth is carried in http rather than cookies. It's not
# possible to tell if a user has an authenticated session over on the
# https side if they've accidentally returned to http. So, we set a
# special cookie (with secure flag off) that can be read by the server
# on both http and https protocols.
sub _setRedirectCookie {
    my ( $requestObj, $value ) = @_;

    if ( $Foswiki::cfg{LoginManager} ne 'Foswiki::LoginManager::TemplateLogin' )
    {
        Foswiki::Func::writeDebug(
            'HttpsRedirectPlugin: Setting redirect cookie')
          if $debug;
        if (    $Foswiki::Plugins::SESSION
            and $Foswiki::Plugins::SESSION->{response} )
        {
            my @cookies = $Foswiki::Plugins::SESSION->{response}->cookies();

            if ( $value or $requestObj->cookie('FOSWIKIHttpsRedirect') ) {
                push(
                    @cookies,
                    CGI::Cookie->new(
                        -name     => 'FOSWIKIHttpsRedirect',
                        -value    => $value,
                        -httponly => 1
                    )
                );
            }
            $Foswiki::Plugins::SESSION->{response}->cookies( [@cookies] );
        }
        else {
            print STDERR
"HttpsRedirectPlugin - incompatible Foswiki: couldn't peek at response obj\n";
        }
    }
    elsif ($debug) {
        Foswiki::Func::writeDebug(
            'HttpsRedirectPlugin: Not setting redirect cookie for TemplateLogin'
        );
    }

    return;
}

LoginManager mod

diff --git a/lib/Foswiki/LoginManager.pm b/lib/Foswiki/LoginManager.pm
index 6142fb8..7402dc1 100644
--- a/lib/Foswiki/LoginManager.pm
+++ b/lib/Foswiki/LoginManager.pm
@@ -90,6 +90,7 @@ sub makeLoginManager {
         && !$session->inContext('command_line') )
     {
 
+        my $sessionname;
         my $use = 'use Foswiki::LoginManager::Session';
         if ( $Foswiki::cfg{Sessions}{UseIPMatching} ) {
             $use .= ' qw(-ip_match)';
@@ -97,13 +98,19 @@ sub makeLoginManager {
         $use .= '; use CGI::Cookie ()';
         eval $use;
         throw Error::Simple($@) if $@;
+        if ( $session->{request}->https() ) {
+            $sessionname = 'SFOSWIKISID';
+        }
+        else {
+            $sessionname = 'FOSWIKISID';
+        }
         if ( $Foswiki::LoginManager::Session::VERSION eq '4.10' ) {
 
             # 4.10 is broken; see Item1989
-            $Foswiki::LoginManager::Session::NAME = 'FOSWIKISID';
+            $Foswiki::LoginManager::Session::NAME = $sessionname;
         }
         else {
-            Foswiki::LoginManager::Session->name('FOSWIKISID');
+            Foswiki::LoginManager::Session->name($sessionname);
         }
     }

-- PaulHarvey - 30 Mar 2011

Created ConfigurableCookieNamesAndPaths proposal now that I've had to modify Foswiki core.

-- PaulHarvey - 30 Mar 2011

See also: BlurAuthCookieName

-- PaulHarvey - 17 Dec 2011

I'm going to move the LoginManager patch into a separate task and commit it to 1.1.5, as I've just been experiencing sessions that last for one request only - due to mixed http and https requests.

-- SvenDowideit - 21 Mar 2012

Decoupled work on HttpsRedirectPlugin from core changes part of the feature proposal. Please create a new task if core features are about to be implemented.

-- MichaelDaum - 02 Jun 2014

I think I've addressed this at least partially by being a bit more aggressive in redirecting to https. Rather than setting a non-secure redirect cookie, I just let the http: access remain as guest. If the user has authenticated, then the https:// connections will find it. So I've added 2 redirect conditions:
  • Any script in {AuthScripts}
  • Any request to access a topic that results in forceAuthentication().

Right now this is released in Extensions/Testing.HttpsRedirectPlugin and is running on foswiki.org.

-- GeorgeClark - 28 Mar 2017
 

ItemTemplate edit

Summary HttpsRedirectPlugin broken with Apache login
ReportedBy IngoKappler
Codebase 1.0.5, trunk
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Extension
Component HttpsRedirectPlugin
Priority Enhancement
CurrentState Confirmed
WaitingFor PaulHarvey
Checkins HttpsRedirectPlugin:0f10a45849fe
TargetRelease n/a
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
Release01x01Checkins
Topic attachments
I Attachment Action Size Date Who Comment
HttpsRedirectPlugin.pmpm HttpsRedirectPlugin.pm manage 7 K 30 Mar 2011 - 05:47 PaulHarvey  
Item1636.diffdiff Item1636.diff manage 1 K 30 Mar 2011 - 04:46 PaulHarvey LoginManager.pm
Topic revision: r11 - 28 Mar 2017, GeorgeClark - This page was cached on 22 Nov 2020 - 05:31.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy