By Richard Li
The security system was designed for security. Thus, decisions requiring trade-offs between ease-of-use and security tend to result in a system that may not be as easy to use but is more secure.
If a user switches to HTTPS after logging into the system via HTTP, the user must obtain a secure token. To ensure security, the only way to obtain a secure token in the security system is to authenticate yourself via password over an HTTPS connection. Thus, users may need to log on again to a system when switching from HTTP to HTTPS. Note that logging on to a system via HTTPS gives the user both insecure and secure authentication tokens, so switching from HTTPS to HTTP does not require reauthentication.
This method of authentication is important in order to establish, in as strong a manner as possible, the identity of the owner of the secure token. For the security system to offer stronger guarantees about the identity of someone who issues a secure token, the method of authentication must be as strong as the method of transmission.
If a developer truly does not want such a level of protection, this system can be disabled via source code modification only. This can be accomplished by commenting out the following lines in the sec_handler procedure defined in security-procs.tcl:

    if { [ad_secure_conn_p] && ![ad_login_page] } {
        set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
        if { $s_token_cookie eq "" || $s_token_cookie ne [lindex [sec_get_session_info $session_id] 2]} {
            # token is incorrect or nonexistent, so we force relogin.
            ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
        }
    }

The source code must also be edited if the user login pages have been moved out of an OpenACS system. This information is contained in the ad_login_page procedure in security-procs.tcl:

    ad_proc -private ad_login_page {} {
        Returns 1 if the page is used for logging in, 0 otherwise.
    } {
        set url [ad_conn url]
        if { [string match "*register/*" $url] || [string match "/index*" $url] } {
            return 1
        }
        return 0
    }

The set of string match expressions in the procedure above should be extended appropriately for other registration pages. This procedure does not use ad_parameter or regular expressions for performance reasons, as it is called by the request processor.
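
An added example (not OpenACS code) of extending the match list, runnable in plain tclsh: ad_conn is stubbed, and the /login/* and /account/sign-in paths are hypothetical relocated login pages. It keeps plain string match globs and prints which constructed URLs would be treated as login pages and therefore skip the secure-token check in sec_handler.

```tcl
# Added example, not OpenACS code. ad_conn is stubbed (assumption) so the
# matcher can be exercised in plain tclsh, outside the request processor.
set ::current_url ""
proc ad_conn {what} {
    if {$what ne "url"} { error "stub ad_conn only supports 'url'" }
    return $::current_url
}

# The two patterns from the original procedure, plus two hypothetical
# relocated login pages. The new ones are anchored at the path root so
# that only the intended pages are exempt from the token check.
set ::login_page_patterns {
    *register/*
    /index*
    /login/*
    /account/sign-in
}

# Same contract as the original: 1 if the page is used for logging in,
# 0 otherwise. Still glob-only: no ad_parameter lookup, no regexp.
proc ad_login_page {} {
    set url [ad_conn url]
    foreach pattern $::login_page_patterns {
        if {[string match $pattern $url]} { return 1 }
    }
    return 0
}

# Constructed sample URLs.
foreach url {
    /register/index
    /login/index
    /account/sign-in
    /account/settings
    /index.tcl
    /indexing-report
    /shop/register/history
} {
    set ::current_url $url
    puts [format "%-26s login_page=%d" $url [ad_login_page]]
}
```

In the output, /indexing-report and /shop/register/history also report 1, because the two original globs are open-ended; added patterns are best kept as specific as the relocated pages allow.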
($Id: security-notes.html,v 1.50 2017/11/08 09:42:12 gustafn Exp $)