Proc "util_get_subset_missing": make sure to return the found elements.

Added test case for this proc.

Make 'util_user_message' quote the message when the parameter 'html_p' is false, not otherwise, restoring pre-refactoring behavior and making it coherent with the parameter doc

Simplify code and exploit parameter contract (we know flags are boolean)

Put some sanity in ancient proc docs with 'pre' tags that were breaking api-doc

Whitespace changes

Fix typo in proc doc

Whitespace changes

Fix typo in proc doc

Whitespace changes

Remove duplicated comments

Whitespace changes

Add missing parameter to include doc

Use ad_include_contract on this page

Replace custom arg checks with proper ad_include_contract

Add some @see in deprecated procs

add procdoc for private function

Cookie security reform:

- fix handling of persistent logins while addressing problems of last commits

- increase usage of try/throw to be able to distinguish exceptions

- fix handling of LoginTimeout 0 in cryptographic expiration

- use [ad_conn behind_secure_proxy_p] on more occasions, where security::secure_conn_p is used (maybe fold these together in the future)

- new private proc security::log to ease debugging of cookie management

- further improved documentation

Wrap legacy and current ns_http api behavior in a proc with a common interface in a way that people with newer Naviserver can exploit e.g. ns_http run capabilities (in particular, not being forced to queue and potentially block concurrent HTTP requests)

- fix several documentation bugs (align documentation with implementation)

- use "throw" as well for invalid cookies (in addition to non-existent cookies)

Replace removed query in xotcl implementation as well

Init cache using values from db instead of cached api (fixes install from scratch)

Reduce code duplication (passes automated tests)

Make test locale-aware

add session_id invalidation

treat behind_secure_proxy_p like security::secure_conn_p for using secure cookies in general and for the secure login cookie

use secure token when running behind a secure proxy the same way as when running directly a secure session

Don't trust value of login_level just on basis of the session cookie

modernize exception handling: use proper try/throw instead of swallowing "catch"

call sec_login_handler instead of just sec_generate_session_id_cookie, since otherwise, cryptographically valid session cookie could be used without an ad_login_cookie

prefer https over http on request going to openacs.org
