Index: openacs-4/packages/acs-core-docs/www/security-notes.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/security-notes.html,v diff -u -r1.2 -r1.3 --- openacs-4/packages/acs-core-docs/www/security-notes.html 17 Oct 2001 20:39:26 -0000 1.2 +++ openacs-4/packages/acs-core-docs/www/security-notes.html 2 Feb 2002 03:47:32 -0000 1.3 @@ -1,40 +1,75 @@ -
-Table of Contents
+ + +
+ +The security system was designed for security. Thus, decisions requiring trade-offs between ease-of-use and security tend to result in a system that may not be as easy to use but is more secure. -
+
+If a user switches to HTTPS after logging into the system via HTTP, the user -must obtain a secure token. To insure security, the only way to +must obtain a secure token. To insure security, the only way to obtain a secure token in the security system is to authenticate yourself via password over an HTTPS connection. Thus, users may need to log on again to a system when switching from HTTP to HTTPS. Note that logging on to a system via HTTPS gives the user both insecure and secure authentication tokens, so switching from HTTPS to HTTP does not require reauthentication. -
This method of authentication is important in order to establish, in as +
+This method of authentication is important in order to establish, in as strong a manner as possible, the identity of the owner of the secure token. In order for the security system to offer stronger guarantees of someone who issues a secure token, the method of authentication must be as strong as the -method of transmission.
If a developer truly does not want such a level of protection, this system +method of transmission.
+If a developer truly does not want such a level of protection, this system can be disabled via source code modification only. This can be accomplished by commenting out the following lines in the sec_handler -procedure defined in security-procs.tcl:
+procedure defined in security-procs.tcl: +if { [ad_secure_conn_p] && ![ad_login_page] } { - set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]] + set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]] if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } { # token is incorrect or nonexistent, so we force relogin. - ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]" + ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]" } } -
The source code must also be edited if the user login pages have been -moved out of an ACS system. This information is contained by the -ad_login_page procedure in security-procs.tcl:
++The source code must also be edited if the user login pages have been +moved out of an OpenACS system. This information is contained by the +ad_login_page procedure in security-procs.tcl:
+ad_proc -private ad_login_page {} { @@ -43,15 +78,45 @@ } { set url [ad_conn url] - if { [string match "*register/*" $url] || [string match "/index*" $url] } { + if { [string match "*register/*" $url] || [string match "/index*" $url] } { return 1 } return 0 } -
+ +
The set of string match expressions in the procedure above should be extended appropriately for other registration pages. This procedure does not use ad_parameter or regular expressions for performance reasons, as -it is called by the request processor.
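Review bot: the first hunk's paragraph on disabling the secure-token check (commenting out the `if { [ad_secure_conn_p] && ![ad_login_page] }` block in `sec_handler`) tells the reader how to remove the check but not what it costs; since that block is what forces a fresh password login over HTTPS before an `ad_secure_token` is trusted, the doc should state next to the instructions that removing it lets a session authenticated only over HTTP act as fully authenticated over HTTPS, which is the trade-off the opening paragraph says the design deliberately makes. Minor: "To insure security" should read "To ensure security".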
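Review bot: the second hunk's advice to extend the `string match` patterns in `ad_login_page` "appropriately for other registration pages" should warn that these patterns are security-relevant, because `sec_handler` skips the secure-token check for any URL where `ad_login_page` returns 1. The existing globs are already broad (`*register/*` matches any path containing that substring anywhere, `/index*` matches any URL beginning with `/index`), so the text should advise keeping added patterns as narrow as possible (anchored to the actual login directory) rather than leaving the reader to pick a convenient wildcard.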