I’m using .htaccess to protect a website at http://www.domain.com. Secure pages redirect to https://www.domain.com, and get the Apache login prompt again.
How can we have only 1 Apache login prompt for both http and https?
Thank you very much.
You can’t. As far as the browser is concerned, http: and https: are two different websites, and you won’t get it to tell the https: site which password the user entered for the http: site. Doing so would be a serious security bug in general, and the HTTP authentication protocol is not advanced enough to allow the http: server to tell the browser, “it is OK to repeat this password for such-and-such site”. (And why would you trust a security exception given to you by a mere http: site anyway?)
Why don’t you just do everything over https?
Or, put differently, why do you do anything that requires authentication over plain HTTP? That’s not very secure. And if you have something on the https site that deserves https security, an attacker could just sniff the passwords from the insecure http connections.
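One way to get a single prompt by serving everything over https, as the answer suggests. This is an added example, not part of the original answer; it assumes Apache 2.4 with mod_alias, mod_ssl and mod_auth_basic loaded, and the document root, realm name, password file and certificate paths are placeholders.

```apache
# Port 80 serves no content and asks for no password: it only redirects.
# In server (virtual host) context, Redirect is applied during URL
# translation, before the authentication check, so credentials are never
# requested or sent over plain HTTP.
<VirtualHost *:80>
    ServerName www.domain.com
    Redirect permanent "/" "https://www.domain.com/"
</VirtualHost>

# Port 443 is the only place where Basic authentication is configured,
# so the browser sees one origin and shows one login prompt.
<VirtualHost *:443>
    ServerName www.domain.com
    # Placeholder path
    DocumentRoot "/var/www/domain"

    SSLEngine on
    # Placeholder certificate and key paths
    SSLCertificateFile    "/etc/ssl/certs/domain.crt"
    SSLCertificateKeyFile "/etc/ssl/private/domain.key"

    <Directory "/var/www/domain">
        AuthType Basic
        # Placeholder realm name
        AuthName "Restricted"
        # Placeholder path; keep the password file outside the document root
        AuthUserFile "/etc/apache2/.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

The four Auth/Require directives can stay in the existing .htaccess instead of the `<Directory>` block if `AllowOverride AuthConfig` is enabled for that directory; the port 80 redirect still fires before they are evaluated.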