Index: openacs-4/packages/acs-core-docs/www/security-notes.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/security-notes.html,v diff -u -r1.43 -r1.44 --- openacs-4/packages/acs-core-docs/www/security-notes.html 7 Jun 2008 20:28:51 -0000 1.43 +++ openacs-4/packages/acs-core-docs/www/security-notes.html 12 Jul 2009 01:08:29 -0000 1.44 @@ -1,12 +1,12 @@ - -Security Notes

Security Notes

By Richard Li

+ +Security Notes

Security Notes

By Richard Li

OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff.

The security system was designed for security. Thus, decisions requiring trade-offs between ease-of-use and security tend to result in a system that may not be as easy to use but is more secure. -

HTTPS and the sessions system

+

HTTPS and the sessions system

If a user switches to HTTPS after logging into the system via HTTP, the user must obtain a secure token. To insure security, the only way to @@ -21,21 +21,21 @@ issues a secure token, the method of authentication must be as strong as the method of transmission.

If a developer truly does not want such a level of protection, this system can be disabled via source code modification only. This can be accomplished -by commenting out the following lines in the sec_handler -procedure defined in security-procs.tcl:

+by commenting out the following lines in the sec_handler
+procedure defined in security-procs.tcl:

 
     if { [ad_secure_conn_p] && ![ad_login_page] } {
-        set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
+        set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
         
         if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } {
         # token is incorrect or nonexistent, so we force relogin.
-        ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
+        ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
         }
     }
 
 

The source code must also be edited if the user login pages have been moved out of an OpenACS system. This information is contained by the -ad_login_page procedure in security-procs.tcl:

+ad_login_page procedure in security-procs.tcl:

 
 ad_proc -private ad_login_page {} {
     
@@ -44,7 +44,7 @@
 } {
 
     set url [ad_conn url]
-    if { [string match "*register/*" $url] || [string match "/index*" $url] } {
+    if { [string match "*register/*" $url] || [string match "/index*" $url] } {
     return 1
     }
 
@@ -54,5 +54,5 @@
 

The set of string match expressions in the procedure above should be extended appropriately for other registration pages. This procedure does not use -ad_parameter or regular expressions for performance reasons, as -it is called by the request processor.

($Id$)
View comments on this page at openacs.org
+ad_parameter or regular expressions for performance reasons, as +it is called by the request processor.

($Id$)
View comments on this page at openacs.org
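Review bot: the removed and re-added lines in the first hunk (`@@ -1,12 +1,12 @@`: the two `Security Notes` headings, the `By Richard Li` line and the trailing `-`/`+` after "more secure") carry identical visible text, so this hunk is a whitespace or markup-only change; state that in the commit log, because anyone reading the history of `security-notes.html` will otherwise look for a wording change in the security notes that is not there.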
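Review bot: the prose re-emitted in the second hunk (`@@ -21,21 +21,21 @@`) still reads "To insure security" where "ensure" is meant, and "This information is contained by the ad_login_page procedure" would read better as "This check is implemented in the ad_login_page procedure"; since the hunk already touches the neighbouring lines (`+by commenting out the following lines in the sec_handler` and `+ad_login_page procedure in security-procs.tcl:`), this is the natural place to fix both. The `-`/`+` pairs inside the Tcl listing (`set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]` and the `ad_returnredirect "/register/index?return_url=..."` line) are identical in content, so the secure-token check the page describes is unchanged.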
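Review bot: the re-emitted condition in the third hunk (`@@ -44,7 +44,7 @@`), `if { [string match "*register/*" $url] || [string match "/index*" $url] } {`, uses `string match` glob patterns, and `/index*` matches every request path beginning with `/index`, not only the index page; because the surrounding text tells readers to "extend appropriately" this list for other registration pages, and `ad_login_page` returning 1 exempts a page from the secure-token check in `sec_handler`, the documentation should say explicitly that these are globs and that an overly broad pattern exempts more pages than intended.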