HTTPS and the sessions system
If a user switches to HTTPS after logging into the system via HTTP, the user
must obtain a secure token. To insure security, the only way to
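Review bot: the unchanged context line "To insure security" reads as a typo for "To ensure security"; since this paragraph is being reflowed in the following hunk anyway, it would be worth correcting in the same change.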
@@ -20,21 +21,21 @@
issues a secure token, the method of authentication must be as strong as the
method of transmission.
If a developer truly does not want such a level of protection, this system
can be disabled via source code modification only. This can be accomplished
-by commenting out the following lines in the sec_handler
-procedure defined in security-procs.tcl
:
+by commenting out the following lines in the sec_handler
+procedure defined in security-procs.tcl:
if { [ad_secure_conn_p] && ![ad_login_page] } {
- set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
+ set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } {
# token is incorrect or nonexistent, so we force relogin.
- ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
+ ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
}
}
The source code must also be edited if the user login pages have been
moved out of an OpenACS system. This information is contained by the
-ad_login_page
procedure in security-procs.tcl
:
+ad_login_page procedure in security-procs.tcl:
ad_proc -private ad_login_page {} {
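Review bot: the removed and added lines at `set s_token_cookie ...` and `ad_returnredirect ...` are textually identical, so the change inside the code sample is whitespace-only (indentation), which the rendered diff cannot show; either say so in the change description or drop those two pairs so the hunk reads as the line-join fix it actually is. The line-join itself ("procedure defined in security-procs.tcl:") is correct. One wording point: "commenting out the following lines" should make clear that the whole `if { [ad_secure_conn_p] && ![ad_login_page] } { ... }` block is meant, since commenting out only the inner lines would leave an empty conditional in `sec_handler`.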
@@ -43,7 +44,7 @@
} {
set url [ad_conn url]
- if { [string match "*register/*" $url] || [string match "/index*" $url] } {
+ if { [string match "*register/*" $url] || [string match "/index*" $url] } {
return 1
}
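Review bot: the removed and added `if { [string match "*register/*" $url] ... }` lines are identical as shown, so this is again a whitespace-only change that the rendered diff hides; note that in the change description. Since the surrounding text tells developers to extend these patterns, it would help to add one sentence stating that every path these patterns match is exempted from the secure-token check, and that `*register/*` matches any URL containing `register/` anywhere in its path, so that additions should be kept as narrow as possible.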
@@ -53,5 +54,5 @@
The set of string match expressions in the procedure above should be extended
appropriately for other registration pages. This procedure does not use
-ad_parameter
or regular expressions for performance reasons, as
+ad_parameter or regular expressions for performance reasons, as
it is called by the request processor.
($Id$)