Ticket #1484764 (assigned Feature Requests)

Opened 7 months ago

Last modified 5 months ago

Cannot enable SSL just for the login page

Reported by: jnordstrom Owned by: till
Priority: 10 Milestone: 0.2-stable
Component: Other Version: 0.1-rc2
Severity: minor Keywords:
Cc:

Description

I am using an Apache reverse proxy as an SSL termination point. In order for Apache to redirect the user's browser to HTTPS for login, the Apache server needs to be notified that the user is viewing a login page. This is usually accomplished by the application issuing a redirect to /login when the user is not authenticated or a user's session has expired; unfortunately Roundcube does an internal forward, so Apache has no knowledge that the user is seeing the login page and is unable to enable HTTPS. This issue will also apply to other security systems and SSL termination products. Using SSL for all communication is way too expensive. Moving to a REST-based URL structure might resolve the issue.

Change History

Changed 7 months ago by till

  • owner set to till
  • priority changed from 5 to 10
  • status changed from new to assigned
  • component changed from Security issue to None
  • severity changed from major to minor

I don't have SSL at my disposal.

Can you test if you login on e.g: https://server/roundcube

Are you automatically logged on here: http://server/roundcube

I'm not sure if the session "persists" on both. Let me know what you find.

Also, in 99% of all browsers the user is presented with a popup when he leaves an encrypted (= SSL) connection for another which is unencrypted. IMO a no-go. I would stop using your webmail.

I also reset the issue to "none" (along with Severity and Priority) since this is not a security issue. More an issue of "I don't have enough resources". ;-) Personally I know that many people indeed want SSL on their entire mail session because the login and password to their email account is not the only thing that is confidential.

I also don't know what this got to do with REST. I sense buzzwords. ;-)))

Anyway, let me know what you find out!

Changed 7 months ago by jnordstrom

Since I set up Apache as a reverse proxy which terminates the SSL session, only the communication between the client (browser) and the Apache server is using SSL. Once the request hits the server it is sent in clear text to Roundcube, meaning Roundcube has no knowledge that the session is encrypted. So Roundcube's session is unaffected.

I think most users disable the SSL warning and watch for the padlock in their browser window to confirm a valid SSL session.

The problem with full-time SSL is the cost; I think it's something like 5x a normal HTTP request. I believe Yahoo gives you the option to login via SSL. Sites like buy.com, amazon.com etc. only use SSL for login and checkout.

Sorry for the buzzwords; what I was trying to say was use:

http://server/roundcube/mail/logout instead of http://www.coolkidmail.net/?_task=mail&_action=logout&true

and

http://www.coolkidmail.net/mail/INBOX/show/17 instead of http://www.coolkidmail.net/?_task=mail&_action=show&_uid=17&_mbox=INBOX

For my purposes all I need is a redirect to http://server/roundcube/login when a user is required to login (is not logged in, session has expired, etc.).

When the server issues a redirect to the browser (http://server/roundcube/login), the browser will follow it, the Apache server will see a request for http://server/roundcube/login and redirect the browser to https://server/roundcube/login (SSL). If the next URL does not have /login in it, Apache will redirect the browser back to http.
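The two-hop redirect scheme described in the ticket description and in the comment above, written out as an Apache reverse-proxy configuration. This is an added illustration, not a configuration from the ticket or from the Roundcube project; it assumes the hostname `server`, a Roundcube backend listening on `http://127.0.0.1:8080` (a placeholder address), placeholder certificate paths, that `mod_rewrite`, `mod_proxy`, `mod_proxy_http`, `mod_ssl` and `mod_headers` are loaded, and that Roundcube has been changed to answer unauthenticated requests with an HTTP redirect to `/roundcube/login` rather than an internal forward (the change the reporter is asking for; without it the proxy never sees the login URL).

```apache
# Plain-HTTP front end: everything except the login page is proxied in the clear.
<VirtualHost *:80>
    ServerName server
    RewriteEngine On

    # The login page must only ever be served over TLS: bounce it to the :443 vhost.
    RewriteRule ^/roundcube/login$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

    # Backend address is a placeholder for this example.
    ProxyPass        /roundcube http://127.0.0.1:8080/roundcube
    ProxyPassReverse /roundcube http://127.0.0.1:8080/roundcube
</VirtualHost>

# TLS front end: only the login page is allowed to stay here.
<VirtualHost *:443>
    ServerName server
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt      # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/server.key    # placeholder path
    RewriteEngine On

    # Any URL other than /roundcube/login goes back to plain HTTP,
    # which is the "redirect the browser back to http" step from the ticket.
    RewriteCond %{REQUEST_URI} !^/roundcube/login$
    RewriteRule ^/roundcube(/.*)?$ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

    # Tell the backend that this hop was encrypted; the ticket notes that
    # Roundcube otherwise has no way to know the client side used SSL.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        /roundcube http://127.0.0.1:8080/roundcube
    ProxyPassReverse /roundcube http://127.0.0.1:8080/roundcube
</VirtualHost>
```

A quick check of the flow with `curl -i http://server/roundcube/login` should show a `302` with a `Location:` header pointing at the `https://` URL, and `curl -ik https://server/roundcube/?_task=mail` should show a `302` back to `http://`. Note the design consequence that till raises in the thread: because the session continues over plain HTTP after login, the session cookie set during the TLS login cannot carry the `Secure` attribute, so the authenticated session itself travels in the clear on every subsequent request.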

Changed 7 months ago by till

  • milestone set to 0.2-stable

I see your point, and I'll review this again as soon as I have time. Give us a while, or work up a patch to speed things up.

Changed 7 months ago by jnordstrom

Thanks so much. I spent a day or two in the PHP code trying to resolve this; the problem I was having was triggering a redirect at the right points and circular redirects. I'll give it another go.
