tips:httpslogin
Differences
This shows you the differences between two versions of the page.
tips:httpslogin [2015-12-01 11:45] – [30 Nov 15 - do] yarl | tips:httpslogin [2018-09-29 11:31] (current) – [Apache] added example of a simple rule for https for all pages bruno.genere | ||
---|---|---|---|
Line 5: | Line 5: | ||
See https:// | See https:// | ||
=====Apache===== | =====Apache===== | ||
- | Using Apache' | + | Using Apache' |
- | You may want to read up on [[:rewrite|general | + | You may also need that all requests (and not only login) use HTTPS. To do so, create an .htaccess file in the root directory of DokuWiki and insert the following code. |
+ | <code apache .htaccess> | ||
+ | RewriteCond %{HTTPS} !on | ||
+ | RewriteRule (.*) https:// | ||
+ | </ | ||
+ | |||
+ | If you only want to force some specific URL, read up [[:rewrite|URL rewriting]] first. | ||
Redirection to a secured connection which is restricted to a certain set of pages (e.g. login pages) requires their recognition based on the URL. Some pages (e.g. " | Redirection to a secured connection which is restricted to a certain set of pages (e.g. login pages) requires their recognition based on the URL. Some pages (e.g. " | ||
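Review bot: The added `.htaccess` block has no `RewriteEngine On` line ahead of `RewriteCond %{HTTPS} !on`; unless the rewrite engine is already switched on for that directory, the condition and the rule are not applied and requests stay on HTTP. Add `RewriteEngine On` as the first line of the snippet, or state in the lead-in sentence that the two lines belong below an existing `RewriteEngine On`.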
Line 121: | Line 127: | ||
</ | </ | ||
+ | Thanks.. That saved my day! | ||
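Review bot: The added line "Thanks.. That saved my day!" is an unsigned, undated remark placed directly after a closing code tag in the body of the tip, and it carries no technical content. Leave it out, or move it under a dated heading in the discussion part, the way the "30 Nov 15 - do" and "16 Feb 2016 - Use TLS all the time" entries are.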
Line 159: | Line 165: | ||
==== 30 Nov 15 - do ==== | ==== 30 Nov 15 - do ==== | ||
- | Over HTTP, not logged on a inexistant | + | Over HTTP, not logged on a inexistent |
- | I suggest to switch to https on " | + | I suggest to switch to https on " |
- | Also, I'm not sure that this configuration really **needs** secure cookie disabled. Actually, steal a cookie is as easy as steal a cleartext password. Ok, it doesn' | + | Also, I'm not sure that this configuration really **needs** secure cookie disabled, it needs it **enabled** to me. Actually, steal a cookie is as easy as steal a cleartext password. Ok, it doesn' |
+ | Switching back to http, you loose session : abilities to edit, config etc, what's wrong with this? Doing such an action puts you back to https, the cookie is send and you retrieve your session. Maybe some other actions need to switch to https then like media things, etc, I don't know.\\ | ||
+ | These are just suggestions, | ||
+ | |||
+ | ==== 16 Feb 2016 - Use TLS all the time ==== | ||
+ | |||
+ | We should amend this tip to recommend using TLS for all connections. | ||
+ | < | ||
+ | |||
+ | One step further would be to strongly recommend that TLS be configured by default. | ||
+ |
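Review bot: The new "16 Feb 2016 - Use TLS all the time" section says the tip should be amended to recommend TLS for all connections, but it leaves that as a discussion remark, while the "30 Nov 15 - do" entry above it still argues about switching between http and https per action and about whether the secure cookie should be disabled or enabled. The Apache section in this same revision already adds a redirect for all requests, so fold the conclusion into the tip itself and mark the per-action switching discussion as superseded. Wording in the added lines: "you loose session" should read "you lose session", and "the cookie is send" should read "the cookie is sent".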
tips/httpslogin.1448966702.txt.gz · Last modified: 2015-12-01 11:45 by yarl