OpenACS 4 Security Notes
by Richard Li
The security system was designed with security as the first priority. Where a
decision required a trade-off between ease of use and security, the result is a
system that may be less convenient to use but is more secure.
HTTPS and the sessions system
If a user switches to HTTPS after logging into the system via HTTP, the user
must obtain a secure token. To ensure security, the only way to
obtain a secure token in the security system is to authenticate yourself via
password over an HTTPS connection. Thus, users may need to log on again to a
system when switching from HTTP to HTTPS. Note that logging on to a system
via HTTPS gives the user both insecure and secure authentication tokens, so
switching from HTTPS to HTTP does not require reauthentication.
This method of authentication is important in order to establish, in as
strong a manner as possible, the identity of the owner of the secure token.
For the security system to offer strong guarantees about the identity of the
party to whom a secure token is issued, the method of authentication must be
as strong as the method of transmission.
If a developer truly does not want such a level of protection, this system
can be disabled via source code modification only. This can be accomplished
by commenting out the following lines in the sec_handler
procedure defined in security-procs.tcl:
    if { [ad_secure_conn_p] && ![ad_login_page] } {
        set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
        if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } {
            # token is incorrect or nonexistent, so we force relogin.
            ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
        }
    }
The source code must also be edited if the user login pages have been
moved out of an OpenACS system. This information is contained in the
ad_login_page procedure in security-procs.tcl:
    ad_proc -private ad_login_page {} {
        Returns 1 if the page is used for logging in, 0 otherwise.
    } {
        set url [ad_conn url]
        if { [string match "*register/*" $url] || [string match "/index*" $url] } {
            return 1
        }
        return 0
    }
The set of string match expressions in the procedure above should be extended
appropriately for other registration pages. This procedure does not use
ad_parameter or regular expressions for performance reasons, as
it is called by the request processor.
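The following Python model is an added example, not OpenACS code, written to make the token policy and the two procedures above concrete: a password login over HTTP issues only the ordinary session token, a password login over HTTPS issues both, the sec_handler check bounces an HTTPS request that lacks a matching secure token to the login page, and ad_login_page's glob patterns are reproduced with fnmatch so the login pages themselves are exempt from the check (otherwise the redirect would loop). The in-memory session store, the cookie names other than ad_secure_token, and the URLs in the walkthrough are assumptions constructed for the example.

```python
import secrets
from fnmatch import fnmatchcase
from urllib.parse import urlencode

# Constructed in-memory stand-in for the session table:
# session_id -> {"token": ..., "secure_token": ...}
SESSIONS = {}

# The same glob patterns ad_login_page uses; extend this list when login
# pages are moved, just as the note says to extend the string match calls.
LOGIN_PAGE_PATTERNS = ["*register/*", "/index*"]


def is_login_page(url):
    """Mirror of ad_login_page: Tcl's string match is a case-sensitive glob."""
    return any(fnmatchcase(url, pat) for pat in LOGIN_PAGE_PATTERNS)


def login(session_id, password_ok, secure_conn):
    """Model of the policy: a password login over HTTP issues only the
    ordinary session token; a password login over HTTPS issues both.
    Returns the cookies the browser would hold afterwards (cookie names
    other than ad_secure_token are assumed for this example)."""
    if not password_ok:
        return {}
    SESSIONS[session_id] = {
        "token": secrets.token_hex(16),
        "secure_token": secrets.token_hex(16) if secure_conn else None,
    }
    cookies = {"ad_session_id": session_id, "ad_token": SESSIONS[session_id]["token"]}
    if secure_conn:
        cookies["ad_secure_token"] = SESSIONS[session_id]["secure_token"]
    return cookies


def sec_handler(session_id, cookies, url, query, secure_conn):
    """Mirror of the sec_handler check: on an HTTPS request to anything but a
    login page, the presented ad_secure_token must equal the one stored for
    the session. Returns None to allow the request, or the redirect target."""
    if secure_conn and not is_login_page(url):
        presented = cookies.get("ad_secure_token")
        expected = SESSIONS.get(session_id, {}).get("secure_token")
        # Constant-time comparison stands in for Tcl's string compare.
        if not presented or expected is None or not secrets.compare_digest(presented, expected):
            # As in the original, the '?' is always appended to the return URL.
            return "/register/index?" + urlencode({"return_url": f"{url}?{query}"})
    return None


def walkthrough():
    """Constructed scenario from the notes: HTTP login, then an HTTPS request
    is bounced to login; after HTTPS login, both HTTPS and HTTP requests pass."""
    SESSIONS.clear()
    sid = "sess-1"
    # 1. Login over HTTP: the browser holds no secure token, so HTTPS is refused.
    cookies = login(sid, password_ok=True, secure_conn=False)
    step1 = sec_handler(sid, cookies, "/pvt/home", "foo=bar", secure_conn=True)
    # 2. Re-authenticate over HTTPS: both tokens are issued, HTTPS now passes.
    cookies = login(sid, password_ok=True, secure_conn=True)
    step2 = sec_handler(sid, cookies, "/pvt/home", "foo=bar", secure_conn=True)
    # 3. Dropping back to HTTP requires no secure token and no new login.
    step3 = sec_handler(sid, cookies, "/pvt/home", "", secure_conn=False)
    # 4. A wrong secure token presented with a valid session id is refused.
    forged = dict(cookies, ad_secure_token=secrets.token_hex(16))
    step4 = sec_handler(sid, forged, "/pvt/home", "", secure_conn=True)
    return step1, step2, step3, step4


if __name__ == "__main__":
    for i, result in enumerate(walkthrough(), 1):
        print(f"step {i}: {'allowed' if result is None else 'redirect to ' + result}")
```

The login-page exemption is what keeps the redirect from looping: the request for /register/index arrives over HTTPS without a secure token, and sec_handler must let it through so the user can obtain one.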
($Id: security-notes.xml,v 1.1.1.2 2002/08/11 00:42:49 rmello Exp $)