Unable to use HTTPS for login only

2009-12-24T00:36:24
ID ATLASSIAN:CONF-18120
Type atlassian
Reporter bnguyen
Modified 2017-02-17T05:18:58

Description

If you setup the urlrewrite.xml like so:

{noformat} <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 2.6//EN" "http://tuckey.org/res/dtds/urlrewrite2.6.dtd"> <urlrewrite> <!-- For image references in CSS files --> <rule> <from>^/s/(.)/_/download/images/([^\?]).</from> <run class="com.atlassian.plugin.servlet.ResourceDownloadUtils" method="addPublicCachingHeaders" /> <to type="forward">/images/$2</to> </rule> <rule> <from>^/s/(.)/_/([^\?]).</from> <run class="com.atlassian.plugin.servlet.ResourceDownloadUtils" method="addPublicCachingHeaders" /> <to type="forward">/$2</to> </rule>

<rule> <from>^/login.action</from> <condition type="scheme" operator="notequal">https</condition> <to type="redirect">https://localhost:8443/login.action</to> </rule>

&lt;rule&gt;
&lt;from&gt;^/dologin.action&lt;/from&gt;
&lt;condition type="scheme" operator="notequal"&gt;https&lt;/condition&gt;
&lt;to type="redirect"&gt;https://localhost:8443/dologin.action&lt;/to&gt;
&lt;/rule&gt;

&lt;rule&gt;
&lt;from&gt;^/(.*)&lt;/from&gt;
&lt;condition type="scheme" operator="equal"&gt;https&lt;/condition&gt;
&lt;condition type="request-uri" operator="notequal"&gt;/login.action.*&lt;/condition&gt;
&lt;condition type="request-uri" operator="notequal"&gt;/dologin.action.*&lt;/condition&gt; 
&lt;condition type="request-uri" operator="notequal"&gt;/s/.*&lt;/condition&gt;
&lt;to type="redirect"&gt;http://localhost:8080/$1&lt;/to&gt;
&lt;/rule&gt;

</urlrewrite> {noformat}

You are continually redirected to the login page.

It appears when redirecting https://localhost:8443/homepage.action to http://localhost:8080/homepage.action the session is invalidated.

h3. Atlassian Status

All,

We have discussed the use of "HTTPS for login only" in a lot of detail. After looking at the various options, we have concluded that we will not be supporting this configuration in Confluence.

Although this configuration used to work in the past, in Confluence 3.0.2 we implemented a security improvement that helped prevent session fixation attacks (CONF-15108). The implications of this security feature meant that customers could no longer use HTTPS for login only. We did look at enabling this configuration again and concluded that we won't be doing so. There are several reasons for this. Many of these reasons have already been discussed in this post and the related issue ([CONF-4116|http://jira.atlassian.com/browse/CONF-4116]).

The main customer feedback we have received on this issue primarily revolves around the use case of customers who wish to protect their LDAP credentials, but aren't as concerned about session hijacking. Unfortunately, this is a misconception of the security provided by using HTTPS for login only. If the "remember me" functionality is used - it is possible that anyone can intercept network traffic (after login) and can decrypt the users credentials. This is due to the way that the "remember me" functionality works.

It is due to this and all the [additional reasons |http://jira.atlassian.com/browse/CONF-4116?focusedCommentId=102037&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_102037] around the support of HTTPS for login only that we will not be implementing this feature.

We will continue work with you in making sure that the configuration you have setup is as secure as possible. Please don't hesitate to contact our [support team|http://support.atlassian.com] for assistance in this matter.

Sherif Confluence Product Manager