Redirect certain URLs to HTTPS, everything else HTTP

I want to use Apache mod_rewrite or PHP to redirect specific pages (regardless of query) to HTTPS, but force all other pages to be HTTP. I tried using mod_rewrite, but I usually ended up with a redirect loop. Same issue with PHP.

Basically, login.php, admin.php and reset.php (and any queries on those) should redirect to the HTTPS version. All other pages should redirect to HTTP if they are accessed on HTTPS. Not sure how to accomplish this efficiently. Any help?

3 Replies

@jbenamy:

> login.php admin.php reset.php (and any queries on those) to redirect to HTTPS version.

If you're getting a redirect loop, RewriteCond is your friend.

RewriteEngine On
RewriteBase /
# The following rule only takes effect if HTTPS is off
# (Apache does not allow comments at the end of a directive line,
# so the comment has to sit on its own line)
RewriteCond %{HTTPS} off
# ... and only for these three scripts, whatever the query string
RewriteCond $1 ^(login|admin|reset)\.php
# R makes the external redirect explicit (302 by default); L stops processing
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

I'm not sure if these exact rules will work in your case, because there are lots of other things that might affect Apache's behavior. But your rules should look something like that.

@jbenamy:

> All other pages should redirect to HTTP if they are accessed on HTTPS.

Nope, I'm not going to tell you how to do that, because that would be irresponsible.

If you access your site over an insecure wifi connection, log in over HTTPS, and then access even a single page on the same domain over plain HTTP (like testing something while doing admin tasks in another tab), you've just eliminated the benefit of logging in over HTTPS. The only way your server can tell whether or not you've logged in is with a cookie. That cookie can be stolen if you access the same domain over plain HTTP after logging in. If an attacker has the cookie, they don't even need to know your password.

So, unless you want to use a secure cookie that keeps logging you out whenever you hit an HTTP page, the only solution is to keep using HTTPS until you log out. In other words, it's perfectly OK to redirect from HTTP to HTTPS, but very dangerous to redirect from HTTPS to HTTP. The only place where it's OK to redirect from HTTPS to HTTP is the logout page.
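
The cookie leak described above, shown with Python's standard-library cookie jar, which applies the same rule to the Secure attribute that browsers do. This is an added example, not code from the thread; the hostname, page names and cookie values are constructed:

```python
"""Why a session cookie set over HTTPS is sent on the very first plain-HTTP
request to the same host unless it carries the Secure attribute.

Added example using http.cookiejar; the host and cookie values are constructed.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "example.com"  # constructed; stands in for the poster's own domain


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()
    and reads the Set-Cookie headers from the returned message."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def cookies_sent_over_http(login_set_cookie):
    """Simulate: log in over HTTPS (the response sets the session cookie),
    then open an ordinary page on the same host over plain HTTP.

    Returns the Cookie header the client would send on that HTTP request,
    or None if the jar withheld every cookie."""
    jar = CookieJar()

    # Step 1: the HTTPS login response sets the cookie.
    login = Request(f"https://{HOST}/login.php")
    jar.extract_cookies(_FakeResponse([login_set_cookie]), login)

    # Step 2: one plain-HTTP page on the same host, e.g. a tab opened while
    # doing admin work. The jar decides what to attach.
    plain = Request(f"http://{HOST}/index.php")
    jar.add_cookie_header(plain)
    return plain.get_header("Cookie")


def cookie_is_secure(set_cookie):
    """Defender-side check on a Set-Cookie header: does it carry Secure?
    Attribute names are matched case-insensitively."""
    attrs = [attr.strip().lower() for attr in set_cookie.split(";")[1:]]
    return "secure" in attrs


if __name__ == "__main__":
    # Constructed cookie values; PHPSESSID is just PHP's default session name.
    weak = "PHPSESSID=abc123; Path=/; HttpOnly"
    strong = "PHPSESSID=abc123; Path=/; HttpOnly; Secure"
    print("without Secure, sent over http:", cookies_sent_over_http(weak))
    print("with Secure, sent over http:   ", cookies_sent_over_http(strong))
```

The first call returns the session cookie, which is exactly what an attacker on the same network would capture; the second returns None because the jar refuses to send a Secure cookie over http. The cost hybinet mentions is visible too: with Secure set, the HTTP page sees no session at all, so mixing schemes would look like being logged out.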

> If an attacker has the cookie, they don't even need to know your password.

And chances are they'll be able to change your password from the interface anyway after they've authenticated using your cookie.

The only redeeming effect is in the case where you use the same password in different places. In that case, at least the attacker won't know your password.

But yeah, hybinet is spot on.

@hybinet:

Thank you for this information. This was immensely helpful.
