HTTPS and the sessions system
If a user switches to HTTPS after logging into the system via HTTP, the user
must obtain a secure token. To insure security, the only way to
@@ -20,8 +20,8 @@
issues a secure token, the method of authentication must be as strong as the
method of transmission.
If a developer truly does not want such a level of protection, this system
can be disabled via source code modification only. This can be accomplished
-by commenting out the following lines in the sec_handler
-procedure defined in security-procs.tcl:
+by commenting out the following lines in the sec_handler
+procedure defined in security-procs.tcl
:
if { [ad_secure_conn_p] && ![ad_login_page] } {
set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
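Review bot: The paragraph ending "by commenting out the following lines in the sec_handler procedure" explains how to switch the check off but never states what is given up. Add one sentence saying that once the `[ad_secure_conn_p] && ![ad_login_page]` block is commented out, the code that reads the `ad_secure_token` cookie on secure connections no longer runs. Separately, the added side leaves the colon on a line by itself after "security-procs.tcl", which can render with a stray space in front of it; keep the colon on the same line as the file name.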
@@ -34,7 +34,7 @@
The source code must also be edited if the user login pages have been
moved out of an OpenACS system. This information is contained by the
-ad_login_page procedure in security-procs.tcl:
+ad_login_page
procedure in security-procs.tcl
:
ad_proc -private ad_login_page {} {
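Review bot: In the changed sentence, "This information is contained by the ad_login_page procedure" has no clear referent for "this information", and "contained by" reads awkwardly. Since the line is being touched anyway, reword it along the lines of "The paths of the login pages are matched in the ad_login_page procedure in security-procs.tcl:" so the reader knows what has to be edited when the login pages move.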
@@ -53,5 +53,5 @@
The set of string match expressions in the procedure above should be extended
appropriately for other registration pages. This procedure does not use
-ad_parameter or regular expressions for performance reasons, as
+ad_parameter
or regular expressions for performance reasons, as
it is called by the request processor.
($Id$)
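Review bot: The sentence "The set of string match expressions in the procedure above should be extended appropriately for other registration pages" gives the reader nothing to copy. Add one example pattern for a relocated registration page next to it. Because the text says the procedure is called by the request processor and avoids ad_parameter and regular expressions for performance, it is also worth saying explicitly that added entries should stay plain string match patterns.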