• last updated 28 mins ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
add procdic for private function

Cookie security reform:

- fix handling of persistent logins while addressing problems of last commits

- increase usage of try/throw to be able to distinguish exceptions

- fix handling of LoginTimeout 0 in cryptographic expiration

- use [ad_conn behind_secure_proxy_p] on more occasions, where

security::secure_conn_p is used (maybe fold these together in the future)

- new private proc security::log to ease debugging of cookie management

- further improved documentation

- fix serveral documentation bugs (align decumentation with implementation)

- use "throw" as well for invalid cookies (in addition to non-existent cookies)

add session_id invalidation

treat behind_secure_proxy_p like security::secure_conn_p for useing secure cookies in general and for the secure login cookie

use secure token when running behind a secure proxy the same way as when running directly a secure session

Don't trust value of login_level just on basis of the session cookie

modernize exception handling: use proper try/throw instead of swallowing "catch"

call sec_login_handler instead of just sec_generate_session_id_cookie, since otherwise, cryptographically valid session cookie could be used without a ad_login_cookie

improve spelling

  1. … 15 more files in changeset.
make handling of session_ids more robust (necessary for user-switching feature)

fix typo

  1. … 1 more file in changeset.
factor out validation of provided host header.

report only onece, that host header is invalid

  1. … 2 more files in changeset.
Fix typo in proc doc

Fix typos in proc doc

improve comments

  1. … 10 more files in changeset.
fix for redirect-to-secure, when SuppressHttpPort is set

This changes as well:

- improve symmetry security::get_insecure_location and security::get_secure_location

- add regression test to cover basic cases

- bumb version number of acs-tcl to 5.10.0d19

  1. … 2 more files in changeset.
bug fix: Do not return a location with a port, when SuppressHttpPort is set

for details, see: https://openacs.org/forums/message-view?message_id=5399931

improve spelling

  1. … 2 more files in changeset.
Fix proc and contract doc elements, so they are properly parsed by apidoc::api_*_documentation.

- @parameter -> @param

- @params -> @param

- Add missing @param

- @cvs -> @cvs-id

- @version -> @cvs-id

  1. … 12 more files in changeset.
reduce verbosity

switch back to previous code based on sec_generate_session_id_cookie to fix persistent logins

make code more robust, when connection is already closed

Wording

Re-enabling sec_change_user_auth_token as a mean to invalidate login for a user immediately on every connected client

For reference, see discussions in:

- https://openacs.org/forums/message-view?message_id=1691183

- https://openacs.org/forums/message-view?message_id=5392475

flag current request as being performed via aa_testing

modernize tcl

  1. … 1 more file in changeset.
white space changes

allow access via automated testing also via standard login interface

make spelling of names more consistent

  1. … 5 more files in changeset.