OpenACS 4 Security Notes

by Richard Li

The security system was designed for security. Thus, decisions requiring trade-offs between ease-of-use and security tend to result in a system that may not be as easy to use but is more secure.

HTTPS and the sessions system

If a user switches to HTTPS after logging into the system via HTTP, the user must obtain a secure token. To insure security, the only way to obtain a secure token in the security system is to authenticate yourself via password over an HTTPS connection. Thus, users may need to log on again to a system when switching from HTTP to HTTPS. Note that logging on to a system via HTTPS gives the user both insecure and secure authentication tokens, so switching from HTTPS to HTTP does not require reauthentication.

This method of authentication is important in order to establish, in as strong a manner as possible, the identity of the owner of the secure token. In order for the security system to offer stronger guarantees of someone who issues a secure token, the method of authentication must be as strong as the method of transmission.

If a developer truly does not want such a level of protection, this system can be disabled via source code modification only. This can be accomplished by commenting out the following lines in the sec_handler procedure defined in security-procs.tcl:


    if { [ad_secure_conn_p] && ![ad_login_page] } {
        set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
        
        if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } {
        # token is incorrect or nonexistent, so we force relogin.
        ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
        }
    }

The source code must also be edited if the user login pages have been moved out of an OpenACS system. This information is contained by the ad_login_page procedure in security-procs.tcl:


ad_proc -private ad_login_page {} {
    
    Returns 1 if the page is used for logging in, 0 otherwise. 

} {

    set url [ad_conn url]
    if { [string match "*register/*" $url] || [string match "/index*" $url] } {
    return 1
    }

    return 0
}

The set of string match expressions in the procedure above should be extended appropriately for other registration pages. This procedure does not use ad_parameter or regular expressions for performance reasons, as it is called by the request processor.

($Id: security-notes.html,v 1.1 2002/07/09 17:34:57 rmello Exp $)