
This is a discussion on Entering U & P twice on protected folder. in the Shared & Semi-Dedicated forum

  1. #1
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269

    Entering U & P twice on protected folder.

    Hi. If I create a folder called "admin" and password protect it, the person going to it gets prompted for a user and password.

    Let's say in this folder I have a menu with two items in it as follows:

    Code:
    <a href="https://secure37.nocdirect.com/~abcdef/admin/script.php">link1</a>
    <a href="http://www.abcdef.com/admin/script.php">link2</a>

    When you click on link 2, you get sent to it right away. When you click on link 1, you're prompted for the user and password again. Is there any way to avoid having someone enter their user and password twice in this example?

    Thanks
    Sam

  2. #2
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    I'm afraid not as far as I'm aware. Each server-based authentication uses a scheme whereby the domain access via http or https is considered separate and unique. The first access via unsecured protocol prompts the uname/passw and proper authentication prompts are avoided upon subsequent requests. If you try a secured protocol, the server considers it unique and must validate the uname/passw once again. It would work in reverse as well. Get validated by secured first and then try unsecured, you'll be prompted twice as well. That's the current authentication protocol.

    To avoid it, you'd need to change your validation scheme to an application-based one rather than a server-based one at a minimum.

  3. #3
    the Windlord Gwaihir
    Join Date
    Jun 2002
    Posts
    2,562
    You could also try to get https on www.adcdef.com. If it's just an admin entrance, you can usually explain the concept of a self-signed certificate to those involved. (I.e. a certificate that is not automatically marked trusted via the browser, but is free of cost to you). You probably do still need a dedicated IP to make it tick ($1/month).
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  4. #4
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269
    Hmmm well we were going to use a real SSL anyway. We process a small number of credit cards using the shared, and I'm trying to convince the powers that be that we need our own certificate. But the big question is, will switching back and forth from http://www.abcdef to https://www.abcdef still cause the same problem?

  5. #5
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by salewit
    Hmmm well we were going to use a real SSL anyway. We process a small number of credit cards using the shared, and I'm trying to convince the powers that be that we need our own certificate. But the big question is, will switching back and forth from http://www.abcdef to https://www.abcdef still cause the same problem?
    Yes. The certificate used, whether a shared one or a specific one dedicated to one domain, makes no difference. Using password protected directories with the Apache server checking the restricted access cares only that a different protocol was used. One part of the overall handshake sequence is to validate the certificate uniquely identifies a physical server and "root" path (which is where the CA digital cert comes in) while the other is to validate the authentication scheme. These are two completely different processes.

  6. #6
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Actually, a better summary follows:

    See "Why does it sometimes ask me for my password twice?" from Authentication, Authorization, and Access Control. Read the whole thing but focus on that subsection.
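
The behaviour discussed in this thread, as an added example that is not part of any post: a small model of how a browser caches HTTP Basic credentials per protection space (scheme + host + port, plus realm, per RFC 7235 section 2.2). The realm name "admin" and the visit sequence are assumptions constructed for illustration.

```javascript
// Added example: models the browser side of HTTP Basic authentication.
// A protection space is the canonical root URI (scheme + host + port)
// combined with the realm string the server sends in WWW-Authenticate.
// Simplification: path scoping of pre-emptively sent credentials is ignored.

function protectionSpace(url, realm) {
  const u = new URL(url);
  // URL.origin lowercases scheme/host and drops default ports (80, 443).
  return `${u.origin}|${realm}`;
}

// Simulates a browsing session and returns the URLs that trigger a prompt.
function promptsFor(visits) {
  const cache = new Set(); // protection spaces with remembered credentials
  const prompted = [];
  for (const { url, realm } of visits) {
    const key = protectionSpace(url, realm);
    if (!cache.has(key)) {
      prompted.push(url); // server answers 401, nothing cached for this space
      cache.add(key);     // user enters credentials, browser remembers them
    }
  }
  return prompted;
}

// Constructed session: enter the admin folder, then follow both menu links,
// then try the https form of the same hostname asked about in post #4.
const REALM = "admin"; // assumed AuthName value
const session = [
  { url: "http://www.abcdef.com/admin/", realm: REALM },
  { url: "http://www.abcdef.com/admin/script.php", realm: REALM },
  { url: "https://secure37.nocdirect.com/~abcdef/admin/script.php", realm: REALM },
  { url: "https://www.abcdef.com/admin/script.php", realm: REALM },
];

console.log(promptsFor(session));
```

Serving the admin area from a single HTTPS origin leaves one protection space, so one prompt, and keeps the Basic credentials (which are only base64-encoded) off plain HTTP.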
