I decided to try out the Persona authentication advertised when I log into people.mozilla.com. I created a file ~sfink/public_html/private/.htaccess with:

AuthType Persona
Require valid-user

Then I tried navigating to http://people.mozilla.org/~sfink/private/

It gave me the Persona login stuff. I logged in, and it sent me into some sort of infinite reload loop. It looks like I'm sending a handful of cookies with each request, none of them appearing to be Persona cookies. There is a flurry of requests, ending with a POST to http://people.mozilla.org/~sfink/private/ . The request had these cookies: optimizelySegments, optimizelyEndUserId, optimizelyBuckets, _ga, __utmz, __utma. Then it reloads.

If I click on the 200 status code in the network log for that POST, I see in the "Sent Cookie" section the two cookies "can_set_cookies: 1" and "browserid_state: IYV4_...". The response headers are:

X-Powered-By: Express
x-frame-options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=10886400; includeSubdomains
Server: nginx/1.6.0
Date: Tue, 03 Jun 2014 20:15:15 GMT
Content-Type: application/json; charset=utf-8
content-security-policy: default-src 'none'; script-src 'self' https://static.login.persona.org; style-src 'self' 'unsafe-inline' https://static.login.persona.org; connect-src 'self'; font-src 'self'; img-src *; frame-src *;
Content-Length: 189
Connection: keep-alive
Cache-Control: no-cache, max-age=0

I don't know what triggers the reload. And I have no clue what component this bug should go in.
Oh, right. And in the reload loop, the initial GET is getting back a 401. I do not see any relevant cookies getting sent with that request. Aha! It's because I'm using http instead of https. It works with https. The Persona cookie I have is for secure connections only.
Summary: Persona authentication in people.mozilla.com loops → Persona authentication in people.mozilla.com loops when using HTTP
That's why adding SSLRequireSSL On is a good idea...
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(In reply to Philippe M. Chiasson (:gozer) from comment #2)
> That's why adding SSLRequireSSL On is a good idea...

So then can we have the moral equivalent of

<?php header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); ?>

stuck into a /ssl-redirect.php (or .cgi or whatever) on the people.mozilla.org server, to improve the user experience in that case?

I added

ErrorDocument 403 /~sfink/403.txt

to my .htaccess file, which just says "you gotta use HTTPS for that", but the redirect would be nicer. (And I can't do it myself, since I don't think the people server allows users to do any server-side scripting of any sort. Correct me if I'm wrong.)
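The following is an added example of how the two suggestions in this thread fit together: the server-wide HTTP-to-HTTPS redirect sfink asks for, done in the Apache vhost rather than with a PHP script, plus the per-directory .htaccess with SSLRequireSSL as a fail-closed backstop. It is not configuration from the people.mozilla.org server or from this bug; the vhost file path, the ServerName, and the assumption that mod_alias and mod_ssl are loaded and that the per-user directory's AllowOverride permits AuthConfig and FileInfo are all mine. The Persona AuthType lines are the ones the reporter already used.

```apache
# --- /etc/apache2/sites-enabled/people.conf (assumed path; admin-managed) ---
# Plain-HTTP vhost: its only job is to send every request to the HTTPS origin.
# Done here, at vhost level, the redirect runs during URL translation, i.e.
# before any authentication phase, so a browser never sees the Persona 401 over
# HTTP and never starts the login loop described above. (A RewriteRule placed in
# .htaccess would not help: per-directory rewriting runs in the fixup phase,
# after auth has already returned 401 or 403.)
<VirtualHost *:80>
    ServerName people.mozilla.org
    # Hard-coded host, not %{HTTP_HOST}: a client-supplied Host header can
    # otherwise steer the redirect to an attacker-chosen origin. The path and
    # query string after "/" are preserved by mod_alias.
    Redirect permanent / https://people.mozilla.org/
</VirtualHost>

# --- ~sfink/public_html/private/.htaccess ---
# Refuse plain HTTP outright (403) if a request ever reaches this directory
# without TLS, e.g. if the vhost redirect above is removed. The Persona session
# cookie is marked Secure and is never sent over HTTP, so an HTTP login attempt
# can only loop; failing closed here is the safe default.
SSLRequireSSL

# Persona protection from the original report.
AuthType Persona
Require valid-user

# Human-readable explanation for the 403 path; the file must be served from
# the document root. This is the path the reporter used.
ErrorDocument 403 /~sfink/403.txt
```

SSLRequireSSL takes no argument; it is simply present or absent. Do not wrap the directive in <IfModule mod_ssl.c>: if mod_ssl were ever unloaded, an IfModule guard would silently make the directory reachable over HTTP with only the Persona check in front of it, whereas the bare directive makes Apache refuse to start, which is the failure mode you want for a protected directory.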