Forum OpenACS Development: cookieless login, or disable RestrictEntireServerToRegisteredUsersP for a particular page

Hello,

Is there a way to switch from a cookie-based session to a cookieless session and vice versa, mid-session?

I'm having this problem with an embedded QuickTime player in one page, playing a movie that is returned by another page (on-demand).

The QT plugin apparently doesn't access and use the session cookies when requesting the movie from another page, and is kicked out of the session. As a result, it can't access the movie-serving page (but is redirected to the login page instead)...

As a possible work-around, I was thinking about switching to a cookieless session for those requests, and passing the required session data in-URL (which the QT plugin should leave unaltered).

Can anybody help me on my way here?

Another (temporary) workaround could be making an exception to RestrictEntireServerToRegisteredUsersP true for the movie-serving page (opening access to that page to anyone).

I've tried with an [ad_register_filter] but I'm unsure as to where in my package this command should be located (tcl/package-init.tcl ?) and what priority is needed to override the request-processor.

Many thanks!

kind regards,
  koen.

The behavior you describe is not related to sessions really, but more to how your embedded movie player works. HTTP requests don't get kicked out of a session. Maybe the cookie/session information is not shared with your movie player, which might be a very good thing.

First question is if you care who can get the movie. If not, you can use a url which will not require login.

Otherwise, you need to rewrite the url to include a session cookie and then rewrite the request back to the actual url.

Generally it is better to avoid writing pages which require this type of handling.

Not sure exactly how you restrict-entire-site-to-registered-users, but whatever kludge gets around this so that users can register will work in your situation.

Thanks Tom, this clarifies some things.

Passing the session-cookie in-URL seemed the way to go as I need the movies protected, and the player itself doesn't seem to play nice with cookies.

RestrictEntireServerToRegisteredUsersP (description "Do we want to allow only registered users to visit this subsite?", package acs-subsite) is a parameter, but after a grep through the OpenACS code this apparently isn't used anywhere.

But I also found RegisterRestrictEntireServerToRegisteredUsersFilters (description "Register filters at startup that will allow each subsite to be restricted to registered users.", package acs-kernel) that enables registration of filters (in packages/acs-tcl/tcl/admin-init.tcl, and the filter proc ad_restrict_entire_server_to_registered_users in packages/acs-tcl/tcl/security-procs.tcl).

This is enabled at my site to prevent visitors from accessing applications pages that don't require a registered user being logged in yet. Of course I need to look at this, but in the meanwhile the above filter does its job for an internal server...

The idea was then to make an exception to above filters (for the page that serves the movies) to allow for a temporary workaround for the player issues.

Anyway, I got things to work now, so thanks for the help!

greetz,
koen.
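
Added example, not part of the thread and not OpenACS code: a variation on the in-URL approach discussed above that puts a short-lived, HMAC-signed token bound to one movie in the URL instead of the full session cookie. The proc names, the token layout and the secret are assumptions for illustration; it uses plain Tcl with tcllib's sha1 package.

```tcl
package require Tcl 8.5
package require sha1          ;# tcllib; provides ::sha1::hmac

# Constructed demo secret. A real site would load a long random value from
# protected configuration, never from source code.
set ::movie_secret "constructed-demo-secret"

# Compare two strings without stopping at the first differing character.
proc const_equal {a b} {
    if {[string length $a] != [string length $b]} { return 0 }
    set diff 0
    foreach x [split $a ""] y [split $b ""] {
        set diff [expr {$diff | ([scan $x %c] ^ [scan $y %c])}]
    }
    return [expr {$diff == 0}]
}

# Build "<user_id>.<expires>.<hmac>", with the MAC also covering the movie id.
proc movie_token_create {user_id movie_id ttl {now ""}} {
    if {$now eq ""} { set now [clock seconds] }
    set expires [expr {$now + $ttl}]
    set mac [::sha1::hmac -hex -key $::movie_secret "$user_id.$movie_id.$expires"]
    return "$user_id.$expires.$mac"
}

# Return the user_id if the token is authentic, unexpired and was issued for
# this movie_id; otherwise return the empty string.
proc movie_token_verify {token movie_id {now ""}} {
    if {$now eq ""} { set now [clock seconds] }
    set parts [split $token "."]
    if {[llength $parts] != 3} { return "" }
    lassign $parts user_id expires mac
    if {![string is digit -strict $user_id] || ![string is digit -strict $expires]} {
        return ""
    }
    set expected [::sha1::hmac -hex -key $::movie_secret "$user_id.$movie_id.$expires"]
    if {![const_equal $mac $expected]} { return "" }
    if {$now > $expires} { return "" }
    return $user_id
}

# Constructed usage: token issued at t=1000 for user 42 and movie 7, valid 60 s.
set tok [movie_token_create 42 7 60 1000]
puts [movie_token_verify $tok 7 1030]    ;# same movie, within lifetime
puts [movie_token_verify $tok 8 1030]    ;# replayed against another movie
puts [movie_token_verify $tok 7 2000]    ;# presented after expiry
```

Anything placed in a URL ends up in access logs, browser history and Referer headers, which is why the token is limited to one movie and a short lifetime rather than carrying the whole session.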