对于 http 和 https,如何仅使用 .htaccess 提示一次?
[英]How to prompt only once with .htaccess for http and https?
问题描述
I'm using .htaccess to protect a website at http://www.domain.com .
我正在使用 .htaccess 来保护位于http://www.domain.com的网站。 Secure pages redirect to https://www.domain.com , and get the apache login prompt again.安全页面重定向到https://www.domain.com ,并再次获得 apache 登录提示。
How can we have only 1 apache login prompt for both http and https? http 和 https 怎么才能只有 1 个 apache 登录提示?
Thank you very much.非常感谢。
1 个解决方案
解决方案1
4 已采纳 2011-08-14 17:18:39
You can't.你不能。 As far as the browser is concerned, http: and https: are two different websites, and you won't get it to tell the https: site which password the user entered for the http: site. As far as the browser is concerned, http: and https: are two different websites, and you won't get it to tell the https: site which password the user entered for the http: site. Doing so would be a serious security bug in general, and the HTTP authentication protocol is not advanced enough to allow the http: server to tell the browser, "it is OK to repeat this password for such-and-such site".这样做通常会是一个严重的安全漏洞,并且 HTTP 身份验证协议不够先进,无法让 http: 服务器告诉浏览器“可以为某某网站重复此密码”。 (And why would you trust a security exception given to you by a mere http: site anyway?) (为什么你会相信仅仅一个 http 给你的安全例外:无论如何?)
Why don't you just do everything over https?你为什么不做所有的事情 https 呢?
Or, put differently, why do you do anything that requires authentication over plain HTTP?或者,换句话说,你为什么要做任何需要对普通 HTTP 进行身份验证的事情? That's not very secure.这不是很安全。 And if you have something on the https site that deserves https security, an attacker could just sniff the passwords from the insecure http connections.如果您在 https 站点上有值得 https 安全性的内容,则攻击者可以从不安全的 http 连接中嗅出密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.