Do you have any idea about this error"
"ID1059: Cannot authenticate the user because the URL scheme is not https and requireSsl is set to true in the configuration, therefore the authentication cookie will not be sent. Change the URL scheme to https or set requireSsl to false on the cookieHandler element in configuration."
I connect to ADFS with SSL url but I need more resource as I am not sure I did it correctly?
As the error message indicates, either change your web.config entry to:
<cookieHandler requireSsl=“false“/>
or run your site on SSL and access via https://some site.
Go to your Web Project properties and then in the Project URL option, make sure that the URL starts with https and not http
eg: https://localhost:22415/
Related
We want to ensure all sites hosted on apache web server all protected using htpasswd (Apache Basic Authentication)
There are a few sites which are redirected from http to https, and the above authentication goes into a redirect loop on HTTPS (on further,related reading it seems that HTTP basic authentication compares the password (encrypted) format in plain text)
We have tried several samples/snippets to make basic authentication prompt work on HTTPS, but every code snippet results into multiple redirect loop and back to Auth prompt even when I key the correct password.
The links that I have already referred are : Apache .htaccess redirect to HTTPS before asking for user authentication
https://webmasters.stackexchange.com/questions/8853/properly-force-ssl-with-htaccess-no-double-authentication
Do HTTP authentication over HTTPS with URL rewriting
We have tried all the combinations SSLRequireSSL, writing it in other VirtualHost, but nothing seems to work as site redirects from HTTP to HTTPS during the Authentication, Furthermore, there are no error logs of any kind, so it implies the .htaccess and apache config is fine.
SSL,rewrite,auth etc modules are already enabled on the server
My setup is as follows:
client -> proxy(dnsname eg. https://test.com) -> Jetty webapp(1.2.3.4)
The webapp sends a redirect response back (to an authentication webapp) to the client. It automatically points to the proxy via dnsname eg. https://proxy/auth and cannot be configured further.
The issue with this is the webapp will pass redirects back to the client and the client cannot resolve https://proxy as I can't make it a dns entry. Is it then possible for the proxy to intercept the traffic from the webapp (https://proxy) and change it to https://test.com? Even better can the proxy autodetect the entry dns name and append it to any responses from the webapp?
I'd envisioned the following:
client request https://test.com/page1-> hits proxy which resolves to webapp -> webapp gives redirect response via https://proxy/auth -> proxy intercepts and changes redirect to https://test.com/auth
I need this so that everything behind the proxy isn't machine nor ip specific. I can shift and deploy to any environment.
I figured this out eventually. You can just modify the redirect headers in the location field.
Header edit Location "(^http[s]?://proxy)" "https://whatevernameyouwant"
My Apache Tomcat is running behind an Apache httpd web server connected via mod_jk.
When a browser requests https page (rather than http) as its first session request, Tomcat sends a session cookie with secure flag which makes user's logged in session unavailable for http pages later.
How can I remove session cookies' secure flag using mod_header?
I already tried to add an option into web.xml like below.
<session-config>
<cookie-config>
<secure>false</secure>
</cookie-config>
</session-config>
However, it doesn't work. I guess this option doesn't make servlet request not secure, and Tomcat will put the secure flag on session cookies unless both context's session config and servlet request are not secure.
Here is my own solution added to httpd-vhost.conf for now:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
I enabled Use HTTPS for logins in HTTP Security. It works fine when I enter root address (mymoodlewebsite.com). Unfortunately it is possible to login through unsecured connection in two cases:
When session expires - Moodle asks for credentials via http login page (http:// (...) /login/index.php)
It is possible to change protocol in address bar from https to http.
After login communication is not encrypted (It should be this way).
I use Debian/Apache server.
What should I do to eliminate possibility of insecure login?
Maybe you could resolve this problem by using an Apache redirect. Create a file in login folder and name it .htaccess, then insert these lines:
# HTTP 301 redirect
RewriteEngine On
RedirectMatch 301 ^/login/login\.php$ https://%{HTTP_HOST}/login/login.php
You must have the rewrite module enabled, otherwise this solution won't work.
add this code in your moodle/config.php file
$CFG->loginhttps=false;
I tried to follow the following stackoverflow answer with no luck
Use HTTPS only for certain pages in servlet based webapp
Here is what i did, created a self signed cert, installed it in tomcat, my entire website works on https. Then i followed the link above to make my login alone https. When i click on login page, the url takes to https://mywebsite.com:8443/signin.htm. I have started my SSL Connector on 443, why is it trying to connect to 8443?
The issue was the redirects in the Connector tag. In server.xml, i had 2 connector, for http(80) and https(443). But the redirect attribute in those connector was set to 8443. I think this means, when the page is on http(80), and according to web.xml we are asking it to goto secure page for example for login then it looks at redirect attribute of http(80) connector. I changed this to 443 and it worked fine.