dragonchild has asked for the wisdom of the Perl Monks concerning the following question:

I've got a site where I want to allow the user to go to either http://www.foo.com/ or https://www.foo.com/ and be bounced to https://www.foo.com/cgi-bin/login.cgi. Initially, I was doing this using index.html files that looked something like:

<html>
<head>
<title>www.foo.com Redirect</title>
<meta http-equiv='refresh' content='1;URL=/cgi-bin/login.cgi'>
</head>
</html>

I just read merlyn's column on using 404 as a cache builder. So, I tried out using 403 ('cause I have indexing off) and it worked. But, I am uneasy at the fact I seem to be hacking out a solution.

Also, without hard-coding the servername, I don't see a way of getting from within the *:80 virtualhost to the *:443 virtualhost. I mean, using

ErrorDocument 403 https://www.foo.com/cgi-bin/login.cgi
would work, but doesn't it defeat the point of named virtual-hosting? (Or, am I blathering?)

Another concern I have: does this introduce any issues? I don't mind having every Forbidden query bounce to my login screen for both the :80 and :443 ports. Is there anything else?

------
We are the carpenters and bricklayers of the Information Age.

Please remember that I'm crufty and crotchety. All opinions are purely mine and all code is untested, unless otherwise specified.

Re: Using 403 as a redirect
by revdiablo (Prior) on Jan 08, 2004 at 21:12 UTC

    I do not have a general reply to your post, but rather a very specific reply to only one question you raised:

    doesn't [hard-coding the servername in an ErrorDocument directive] defeat the point of named virtual-hosting?

    No, it doesn't defeat it, it just makes it possibly less convenient. You can easily use a different ErrorDocument directive for each virtual host. It might be a bit of a pain to work with, but it's not a big problem in my opinion.

    Update: just to make sure I was right, I checked the Apache Documentation and looked up the ErrorDocument directive. It lists the legal context as "server config, virtual host, directory, .htaccess" which verifies what I wrote.

Re: Using 403 as a redirect
by bean (Monk) on Jan 09, 2004 at 00:26 UTC
    I don't see any issues unless
    a) you are trying to force all your visitors to log in
    AND
    b) you don't have any other authorization enforcement in place.

    You're a Saint and an experienced programmer, so I assume that a) and b) aren't both true. However, I bring it up in case someone less experienced looked at your post and thought this was a complete authentication plan, because it isn't. Anyone who is interested in that should search CPAN for "Auth" - there are a ton of choices out there. I like the ones where you just put directives into the httpd.conf or .htaccess files, but that's a personal preference.

    Also, if I weren't trying to force authentication, I might use the Apache Redirect directive or mod_rewrite. (Unless I wanted all Forbidden queries going to the login screen, in which case your solution is the best and not a hack at all.) Of course, if I were forcing authentication, the authentication module would do the redirection itself if the user hadn't logged in yet...
      Bad assumption, Mr. bean. I'm an experienced programmer, but I have less experience in the setting up of an Apache application. I can write whatever you want in the app, but this is my first app from start to finish.

      As for your assumptions ... I am both trying to force all visitors to log in AND this is the only authentication that occurs. (Well, authentication sets an expiring cookie with a session ID that is checked against both IP and browser type every request, but it is the only point of authentication.)

      What is wrong with it as a complete authentication plan? I'm not sure where the problem lies ... (It's that Apache-newbie issue again ...)

      Also, note that I'm using Apache2. (I am not currently using MP2, but will once it's stable. We currently don't use or need any MP capabilities, nor will for about 3-6 months.)

      ------
      We are the carpenters and bricklayers of the Information Age.

      Please remember that I'm crufty and crotchety. All opinions are purely mine and all code is untested, unless otherwise specified.

        Checking the users' cookies every page and redirecting them if they aren't logged in is sufficient - that's the missing part of the authentication plan your original post didn't mention. It isn't the most elegant way of going about it, however; Apache has authentication built in that mod_perl can tap into. If you do that, a user attempting to go into a secure area should get a 401 (Authorization Required) error. Since the entire site is supposed to be secure, a request for a non-existent index (for a user not logged in) should redirect to your login page. (Once a user is logged in that request would receive a 403 (Forbidden) response, since you have indexing turned off).

        I couldn't find anything that does exactly what I like an authentication module to do in CPAN, but Apache::Authen::Generic looks like it is close. Apache::AuthDigest and Apache::AuthenSecurID also hook into Apache's authentication stuff and might be good starting places. Apache changed its authentication model in 2.1, so if that's the version you're using, Apache::AuthenHook is specifically for 2.1.

        Anyways, the way you are doing it is fine (you are authenticating every page by checking the cookie and redirecting as necessary). Apache2 is a moving target, so I'd stick with your strategy for now.
Re: Using 403 as a redirect
by Aristotle (Chancellor) on Jan 11, 2004 at 00:56 UTC
    You don't want that. You want
    RedirectMatch ^/$ https://www.foo.com/cgi-bin/login.cgi
    This is really an Apache question.

    Makeshifts last the longest.
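
The hard-coded ErrorDocument URL in the question and the RedirectMatch line above both spell out the host name. The configuration below is an added example, not from any poster in the thread: it uses mod_rewrite (the module bean mentions) to take the name from ServerName instead, shown next to the weaker form that reflects the client's Host header. The vhost layout and the omitted SSL directives are assumptions.

```apache
# Added example. www.foo.com and /cgi-bin/login.cgi are the names used in the
# thread; the vhost layout and everything omitted are assumptions.

# Make SERVER_NAME come from the ServerName directive rather than from the
# Host header the client sent.
UseCanonicalName On

<VirtualHost *:80>
    ServerName www.foo.com

    RewriteEngine On

    # Weak form (left commented out): %{HTTP_HOST} is client-supplied, so the
    # Location header would echo whatever host name arrived in the request.
    # RewriteRule ^/$ https://%{HTTP_HOST}/cgi-bin/login.cgi [R=302,L]

    # Preferred form: with UseCanonicalName On, %{SERVER_NAME} is the
    # configured ServerName of this virtual host.
    RewriteRule ^/$ https://%{SERVER_NAME}/cgi-bin/login.cgi [R=302,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.foo.com
    # SSLEngine and certificate directives go here (omitted in this example).

    RewriteEngine On
    RewriteRule ^/$ https://%{SERVER_NAME}/cgi-bin/login.cgi [R=302,L]
</VirtualHost>
```

Only a request for / is redirected, as in the original question, and the redirect is a convenience for the user: the per-request cookie check discussed in bean's sub-thread is still what enforces the login.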