Is there a nice way to do this?


On our website we have a secure area. When you login you are prompted for a digital certificate. In my Apache config file I have a rule that asks for a certificate when the user goes to https://url/account/login:

<Location ~ "/login">
	SSLVerifyClient require
	SSLVerifyDepth 1
	SSLRequire %{SSL_CLIENT_S_DN_O} eq "Business Name"
	SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Administration"

The problem is that the user is prompted twice for the certificate both on the GET and POST Http requests.

I can’t remove it from the GET because I need to read the session variable set when the user accepts the certificate. This variable is then used to make sure the cert belongs to the user logging in.

The reason it comes up again on the POST is because the action for the form I am using is /account/login. Also, if the user doesn’t have a cert it goes bonkers!

Any ideas?