HTTPS edit required no authentication

Hello,

I've setup authentication on my ikiwiki website using httpauth plugin. I've also disabled anonok, openid and passwordauth so that httpauth is the unique authentication method. I've configured the cgiauthurl to https://example.com/auth/ikiwiki.cgi in order to make the authentication more secured (password is never sent in clear). My url points to http://example.com/ and my cgiurl points to http://example.com/ikiwiki.cgi .

When I try to edit a page accessed by http, everything works fine: there is a redirection to https://example.com/auth/ikiwiki.cgi (defined in cgiauthurl) and my browser launches an HTTP Basic Authentication login form. But when I try to edit a page accessed by https there is no redirection to the cgiauthurl url. Instead, I can edit (and save) the page without authentication. I've tried this with a fresh new browser session where I have never been asked for authentication before. It seems that editing pages directly from https://example.com/ikiwiki.cgi?page=page&do=edit works without authentication...

I think that the Ikiwiki CGI do not redirect to cgiauthurl when it is accessed by HTTPS.

RSS

comment 1

I have a site like this and can't reproduce the bug. What version of ikiwiki are you running? Can you post your ikiwiki.setup, and perhaps also your web server configuration?

Comment by Amitai — Tue Oct 14 18:25:13 2014

Remove comment

comment 2

I can't reproduce this either.

Do you perhaps still have an ikiwiki login session cookie stored in your browser from when you previously used passwordauth or openid? (In Firefox: Edit->Preferences, Privacy tab, Show Cookies.)

The login sessions that are considered to be valid are stored in .ikiwiki/sessions.db in your wiki's srcdir.

Comment by smcv — Wed Oct 15 19:26:52 2014

Remove comment

comment 3

It might also be interesting to visit your wiki's preferences page (ikiwiki.cgi?do=prefs) which should tell you who you are logged-in as. If you "view source" it will also show you your session ID, which should match what's in the ikiwiki_session_something cookie.

Comment by smcv — Wed Oct 15 19:30:21 2014

Remove comment

It was an Apache problem...

Hello,

thank you for your comments. The problem comes from the Apache configuration. I use a git-http-backend on this server and I affect the content of the REMOTE_USER environment variable like this:

SetEnv REMOTE_USER=$REDIRECT_REMOVE_USER

Ikiwiki CGI seems to use this variable to determine which is the current user. Even if the variable content is NULL, ikiwiki.cgi use it.

I just changed this to:

SetEnvIf Request_URI "^/git/" REMOTE_USER=$REDIRECT_REMOVE_USER