Index: openacs-4/packages/acs-core-docs/www/security-notes.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/security-notes.html,v diff -u -r1.45.2.1 -r1.45.2.2 --- openacs-4/packages/acs-core-docs/www/security-notes.html 18 Jun 2010 21:29:36 -0000 1.45.2.1 +++ openacs-4/packages/acs-core-docs/www/security-notes.html 12 Dec 2010 00:07:03 -0000 1.45.2.2 @@ -1,12 +1,17 @@ +<<<<<<< security-notes.html Security Notes

Security Notes

By Richard Li

+======= + +Security Notes

Security Notes

By Richard Li

+>>>>>>> 1.47 OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff.

The security system was designed for security. Thus, decisions requiring trade-offs between ease-of-use and security tend to result in a system that may not be as easy to use but is more secure. -

HTTPS and the sessions system

+

HTTPS and the sessions system

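Review bot: the added lines `+<<<<<<< security-notes.html`, `+=======` and `+>>>>>>> 1.47` are unresolved CVS conflict markers committed into the published page, and the two sides they separate are the same "Security Notes / By Richard Li" title block, so the rendered document now shows the markers plus a duplicated heading. Resolve the merge before committing: keep one copy of the title block and drop the three marker lines (the remaining `-`/`+` blank-line changes in this hunk are harmless).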
If a user switches to HTTPS after logging into the system via HTTP, the user must obtain a secure token. To insure security, the only way to @@ -21,21 +26,21 @@ issues a secure token, the method of authentication must be as strong as the method of transmission.

If a developer truly does not want such a level of protection, this system can be disabled via source code modification only. This can be accomplished -by commenting out the following lines in the sec_handler -procedure defined in security-procs.tcl:

+by commenting out the following lines in the sec_handler
+procedure defined in security-procs.tcl:

 
     if { [ad_secure_conn_p] && ![ad_login_page] } {
-        set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
+        set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
         
         if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } {
         # token is incorrect or nonexistent, so we force relogin.
-        ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
+        ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
         }
     }
 
 

The source code must also be edited if the user login pages have been moved out of an OpenACS system. This information is contained by the -ad_login_page procedure in security-procs.tcl:

+ad_login_page procedure in security-procs.tcl:

 
 ad_proc -private ad_login_page {} {
     
@@ -44,7 +49,7 @@
 } {
 
     set url [ad_conn url]
-    if { [string match "*register/*" $url] || [string match "/index*" $url] } {
+    if { [string match "*register/*" $url] || [string match "/index*" $url] } {
     return 1
     }
 
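Review bot: the `-`/`+` pair for `if { [string match "*register/*" $url] || [string match "/index*" $url] }` is again whitespace-only. Since the surrounding text tells readers to extend these patterns for other registration pages, the doc would benefit from one sentence noting that these are `string match` globs rather than exact paths (`"*register/*"` matches any URL containing `register/` and `"/index*"` any URL starting with `/index`), so an overly broad pattern widens the set of pages that skip the secure-token check.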
@@ -54,5 +59,10 @@
 

The set of string match expressions in the procedure above should be extended appropriately for other registration pages. This procedure does not use +<<<<<<< security-notes.html ad_parameter or regular expressions for performance reasons, as it is called by the request processor.

($Id$)
View comments on this page at openacs.org
+======= +ad_parameter or regular expressions for performance reasons, as +it is called by the request processor.

($Id$)
View comments on this page at openacs.org
+>>>>>>> 1.47
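Review bot: same problem as the top of the file: `+<<<<<<< security-notes.html`, `+=======` and `+>>>>>>> 1.47` are unresolved conflict markers, and both sides carry the same "ad_parameter or regular expressions for performance reasons, as it is called by the request processor." paragraph, `($Id$)` line and "View comments on this page at openacs.org" footer, so the page ends with the markers and a duplicated footer. Keep one copy (the `+` side is only a re-wrap of the original) and remove the marker lines.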