URL Redirect HTTPS Subdomain Problem

Discuss practical ways to rearrange URLs using mod_rewrite.

Post by danp84 » Thu May 08, 2008 10:50 am

On my server, I have it set up such that the main site (www.domain.com) exists along with a subdomain (secure.domain.com) which uses SSL.

I do not have access to httpd.conf, but I do have access to .htaccess files in order to do redirects. There are two .htaccess files: one in the unsecure server's root folder and one in the secure subdomain's root folder. I know that redirects in the secure .htaccess file work because it successfully redirects a request from http://secure.domain.com to https://secure.domain.com.

When a user clicks a link on the unsecure server that connects to the secure subdomain, redirects are successful (and vice versa). The problem occurs when the user is on the secure site and submits a POST request (like submitting a login form with username and password), I get the Internet Explorer warning:

"You are about to be redirected to a connection that is not secure"

Although the POST request is executing entirely on the secure subdomain server, it appears that the redirects are redirecting via the unsecure server, hence causing the IE warning.

The sequence of code pages goes like this:
1. https://secure.domain.com/login.php (user enters username/password)
2. https://secure.domain.com/process.php (POSTed data goes here for validation)
3. https://secure.domain.com/login.php (redirected to confirm login success)

The following code is found in the secure subdomain's .htaccess file.

Code:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1  [R,L]

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^login\.php$ /login [R=301,L]
RewriteRule ^login$ /login.php [QSA,L]


Is there any way to avoid the IE warning?
danp84
 
Posts: 6
Joined: Wed Apr 30, 2008 12:51 pm

Post by richardk » Sun May 11, 2008 1:17 pm

What is the <form>'s action="" attribute's value?
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Post by danp84 » Mon May 12, 2008 5:53 am

It is...

Code:
<FORM action='https://secure.domain.com/process.php' method='POST'>


I apologize in advance if this is turning out not to be a mod_rewrite issue.
danp84
 
Posts: 6
Joined: Wed Apr 30, 2008 12:51 pm

Post by richardk » Mon May 12, 2008 2:03 pm

I don't think the mod_rewrite is causing it. Try removing the mod_rewrite, clearing your browser's cache and seeing if it still happens.

You could also try
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^login\.php$ /login [R=301,L]

RewriteRule ^login$ /login.php [QSA,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Post by danp84 » Tue May 13, 2008 11:16 am

I have solved this problem.

I had a redirect on the process.php page that was setting the header to https://secure.domain.com/login.php instead of just the friendly https://secure.domain.com/login. I'm not sure why the warning was popping up as a result, but after I redirected to the friendly URL, no warning came up. I can't imagine how this would try to access an unsecure connection.

The problem is solved, but maybe you'd like to opine on why the warning came up as a result of the PHP header command (for the sake of closure on this item). If not, that's OK.

Thanks for all your help richardk.
danp84
 
Posts: 6
Joined: Wed Apr 30, 2008 12:51 pm

Post by richardk » Tue May 13, 2008 3:39 pm

The only thing I can think of is that this rule
Code:
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^login\.php$ /login [R=301,L]

didn't preserve the HTTPS (but it should). You might want to use
Code:
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^login\.php$ https://%{HTTP_HOST}/login [R=301,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
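
Added example, not part of the original thread: a small Python check that walks a recorded redirect chain and reports any hop that leaves HTTPS, which is the condition the IE warning describes. The function names and the three sample chains are constructed for illustration; the http:// hop in SUSPECT is hypothetical (it models the possibility raised in the last post) and was not observed on the poster's server.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def audit_chain(start_url, responses):
    """Follow recorded (status, Location) pairs starting at start_url.

    Returns one (from_url, to_url, problem) tuple per redirect hop, where
    problem is "downgrade", "host-change" or None.
    """
    hops, current = [], start_url
    for status, location in responses:
        if status not in REDIRECT_CODES or not location:
            break  # final response, the chain ends here
        # A relative Location is resolved against the current URL, so it
        # keeps the current scheme and host.
        target = urljoin(current, location)
        src, dst = urlsplit(current), urlsplit(target)
        if src.scheme == "https" and dst.scheme != "https":
            problem = "downgrade"
        elif src.hostname != dst.hostname:
            problem = "host-change"
        else:
            problem = None
        hops.append((current, target, problem))
        current = target
    return hops

def downgrades(start_url, responses):
    """Return only the (from_url, to_url) hops that drop from HTTPS."""
    return [(a, b) for a, b, p in audit_chain(start_url, responses) if p == "downgrade"]

START = "https://secure.domain.com/process.php"

# Constructed sample: the chain IF the login.php -> /login rule answered
# with an absolute http:// URL (hypothetical, see lead-in).
SUSPECT = [(302, "https://secure.domain.com/login.php"),
           (301, "http://secure.domain.com/login"),
           (301, "https://secure.domain.com/login"),
           (200, None)]

# Constructed sample: process.php redirects straight to the friendly URL.
FIXED = [(302, "https://secure.domain.com/login"), (200, None)]

# Constructed sample: a relative Location header stays on HTTPS.
RELATIVE = [(302, "/login"), (200, None)]

if __name__ == "__main__":
    for name, chain in (("suspect", SUSPECT), ("fixed", FIXED), ("relative", RELATIVE)):
        print(name, downgrades(START, chain))
```

To use it on a real site, copy the status code and Location header of each hop from the browser's network tools or from `curl -sI` into the list. A downgrade can only come from an absolute http:// Location emitted by the server, since a relative one inherits the scheme of the page that issued it.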

