post from non-ssl to ssl domain via .htaccess RewriteRule

Question

I developed a mobile web application that used to authenticate the login and registration some backend service. While the application was packaged using phonegap I had no cross domain posting issues as to be expected.

I am currently in the process of making this web application publicly accessible via a browser ie no longer packaged with Phonegap. The problem is that I now have cross domain issues posting to this other server, I was able to get around a couple of the issues with a simple RewriteRule in my .htaccess file on my server, effectivly proxying my requests. The part that Im stuck with is proxying my regular HTTP posts to a HTTPS endpoint.

Is this even possible?

I am trying something like this:

RewriteRule ^app/login$ https://somedomain:8443/mobileLogin$1 [P,L]

I know I should get SSL up and running on my domain but for now I just need to get a preview link available.

Is there a RewriteRule that will allows this post to happen, irrespective of the security risks?

At the moment I just get a Status Code:403 Forbidden

Thanks a mill

Answer 1

You won't be able to proxy requests from a non-secure to a secure domain (you have the 'P' flag in your rewrite rule indicating a proxy request). This is possible without proxying and not considered a security risk. The only thing that you need to be aware of is that it is a secure domain and a different second level domain to your non-secure domain. To overcome this, you can set a cookie on the originating domain using a token passed a token from the secure domain. This is a typical pattern used many SSO solutions.

With respects to your rewrite rule, something like:

RewriteRule ^app/login$ https://somedomain:8443/mobileLogin$1 [R=302,L]