http://www.perlmonks.org?node_id=335176


in reply to Re: Switching to SSL under mod_perl
in thread Switching to SSL under mod_perl

I'm not sure I follow. If someone heads to a login page, there's no form yet. On their way, they're redirected over a secure link. When they get to the login page, they're on HTTPS. They enter secret information, it goes over HTTPS, and if they're appropriately authenticated, they get sent to some other page over HTTP, and there's no secret information being sent any more.

It's the same for my other examples--a user tries to visit http://www.mysite.com/edit/secret_table?id=12, they get switched to a secure link before they get there, not after they're entered info.

Back to mod_perl for a sec--does this have to be handled in a PerlTransHandler, or can I just remap the URL in the regular handler I'm using?

  • Comment on Re: Re: Switching to SSL under mod_perl

Replies are listed 'Best First'.
Re: Re: Re: Switching to SSL under mod_perl
by iburrell (Chaplain) on Mar 09, 2004 at 20:25 UTC
    Whether you need mod_perl depends on how you determine if a page needs to be secure or not. If it is simple, like login.cgi and secret_table are always secure, then I would use mod_rewrite. If it is more complex, like secret_table is only protected for id=12, then you need to use mod_perl. I would consider trying to simplyify it so that the need to https is always.

    Also, you might want to consider doing everything with https. This doesn't work on a public login site but makes a lot of sense on an intranet. This has the advantage that you don't have to worry about errors in the access control since everything is encrypted.