3

On my server that works with nginx, access is protected by a basic http authentication. I am currently developing a piece of code that requires HTTPS redirection, and when this redirection occurs, I have a new authentication popup.

How can I avoid a new authentication popup when switching protocols?

Flug
  • 1
    Hi Flug, your English is a bit unclear so it is difficult to understand what you are asking for. Can you please edit your post and make the language and question more clear? – pkhamre Jan 06 '14 at 12:45

2 Answers

2

One possible solution is to force your entire site over to HTTPS, so the virtualhost with HTTP only has one job. That is to redirect to HTTPS. The flow will be something like this:

  1. User enters http://www.example.org/
  2. Browser gets redirected to https://www.example.org/
  3. User enters credentials.

Any redirection in the web application will now "just work" without any re-authentication.

Basically what I am proposing is: Avoid switching between protocols mid-session.

pkhamre
  • Not a very good solution: this will make the load rise a lot due to encryption / decryption + resources not being cacheable – greg0ire Jan 06 '14 at 13:12
  • 1
    @greg0ire The resources in this case are negligible. Might as well make the entire site HTTPS. Basic auth over HTTP *is* the bad practice in this case. Load won't be noticeable on a proper server, and static assets can be served over HTTPS on a CDN if need-be. – Nathan C Jan 06 '14 at 15:39
  • 2
    @NathanC : I think [it actually depends on many things](http://stackoverflow.com/questions/149274/http-vs-https-performance#149397), but as the link I'm pointing to says, the best would be to try and to profile. +1 – greg0ire Jan 06 '14 at 17:04
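
The layout described in the answer above, written as an nginx configuration. This is an added example, not part of the original post or comments; the certificate paths, htpasswd path, realm string, and document root are placeholders. Browsers scope basic-auth credentials to the scheme, host, and port, so `http://` and `https://` count as separate protection spaces. Requesting credentials only on the HTTPS server gives a single prompt and keeps the password off cleartext HTTP.

```nginx
# Added example: placeholder paths throughout, adjust to your deployment.

# Port 80: no auth_basic here. This server block only redirects, so the
# browser is never prompted for (and never sends) credentials over HTTP.
server {
    listen 80;
    server_name www.example.org;

    # Redirect to a fixed hostname rather than echoing the Host header.
    return 301 https://www.example.org$request_uri;
}

# Port 443: the only place credentials are requested.
server {
    listen 443 ssl;
    server_name www.example.org;

    ssl_certificate     /etc/nginx/ssl/example.org.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.org.key;  # placeholder path

    # Set at server level so every location inherits it.
    auth_basic           "Restricted";                   # placeholder realm
    auth_basic_user_file /etc/nginx/.htpasswd;           # placeholder path

    location / {
        root /var/www/html;                              # placeholder docroot
    }
}
```

Validate with `nginx -t` before reloading.
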
0

You could generate the redirect to HTTPS link to include the username and password e.g. https://<username>:<password>@yourserver/some/path.

This will fail in IE according to Microsoft KB 834489

HBruijn