Uploaded image for project: 'Confluence Server'
  1. Confluence Server
  2. CONFSERVER-18120

Unable to use HTTPS for login only

    XMLWordPrintable

    Details

      Description

      If you setup the urlrewrite.xml like so:

      <?xml version="1.0" encoding="utf-8"?>
      <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 2.6//EN" "http://tuckey.org/res/dtds/urlrewrite2.6.dtd">
      <urlrewrite>
          <!-- For image references in CSS files --> 
          <rule>
            <from>^/s/(.*)/_/download/images/([^\?]*).*</from>
             <run class="com.atlassian.plugin.servlet.ResourceDownloadUtils" method="addPublicCachingHeaders" />
             <to type="forward">/images/$2</to>
         </rule>
          <rule>
      	<from>^/s/(.*)/_/([^\?]*).*</from>
              <run class="com.atlassian.plugin.servlet.ResourceDownloadUtils" method="addPublicCachingHeaders" />
              <to type="forward">/$2</to>
          </rule>
      	
      <rule>
          <from>^/login.action</from>
          <condition type="scheme" operator="notequal">https</condition>
          <to type="redirect">https://localhost:8443/login.action</to>
          </rule>
       
          <rule>
          <from>^/dologin.action</from>
          <condition type="scheme" operator="notequal">https</condition>
          <to type="redirect">https://localhost:8443/dologin.action</to>
          </rule>
      
          <rule>
          <from>^/(.*)</from>
          <condition type="scheme" operator="equal">https</condition>
          <condition type="request-uri" operator="notequal">/login.action.*</condition>
          <condition type="request-uri" operator="notequal">/dologin.action.*</condition>	
          <condition type="request-uri" operator="notequal">/s/.*</condition>
          <to type="redirect">http://localhost:8080/$1</to>
          </rule>
      </urlrewrite>
      

      You are continually redirected to the login page.

      It appears when redirecting https://localhost:8443/homepage.action to http://localhost:8080/homepage.action the session is invalidated.

      Atlassian Status

      All,

      We have discussed the use of "HTTPS for login only" in a lot of detail. After looking at the various options, we have concluded that we will not be supporting this configuration in Confluence.

      Although this configuration used to work in the past, in Confluence 3.0.2 we implemented a security improvement that helped prevent session fixation attacks (CONF-15108). The implications of this security feature meant that customers could no longer use HTTPS for login only. We did look at enabling this configuration again and concluded that we won't be doing so. There are several reasons for this. Many of these reasons have already been discussed in this post and the related issue (CONF-4116).

      The main customer feedback we have received on this issue primarily revolves around the use case of customers who wish to protect their LDAP credentials, but aren't as concerned about session hijacking. Unfortunately, this is a misconception of the security provided by using HTTPS for login only. If the "remember me" functionality is used - it is possible that anyone can intercept network traffic (after login) and can decrypt the users credentials. This is due to the way that the "remember me" functionality works.

      It is due to this and all the additional reasons around the support of HTTPS for login only that we will not be implementing this feature.

      We will continue work with you in making sure that the configuration you have setup is as secure as possible. Please don't hesitate to contact our support team for assistance in this matter.

      Sherif
      Confluence Product Manager

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              ssaasen Stefan Saasen
              Reporter:
              bnguyen Brian Nguyen
              Participants:
              Last Touched By:
              Katherine Yabut
              Votes:
              4 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Last commented:
                9 years, 14 weeks, 6 days ago