Forum OpenACS Q&A: SSL pages forcing log in -- why?

Posted by James Thornton on
If I try to access any page via https://, OpenACS redirects to the log in page.

The RestrictToSSL param for the main site has:

acs-admin/* mortgage/admin/* mortgage/application/*

...and RegisterRestrictToSSLFilters is set to 1, but I don't see why pages other than admin pages would require log in.

What param makes OpenACS force log in for all SSL pages?

Posted by James Thornton on
It appears that the sec_handler proc is forcing the user to log in before accessing an SSL page. Why was it designed to do this?

Here's an excerpt from the sec_handler documentation:

# If it's a secure page and not a login page, we check
# secure token (can't check login page because they aren't
# issued their secure tokens until after they pass through)
# It is important to note that the entire secure login
# system depends on these two functions
if { [ad_secure_conn_p] && ![ad_login_page] } {

    # ns_log notice "OACS= sec_handler:secure but not login page"

    if { [catch { set sec_token [split [ad_get_signed_cookie "ad_secure_token"] {,}] } errmsg] } {
        # token is incorrect or nonexistent, so we force relogin.

        # cro@ncacasi.org 2002-08-01
        # but wait--does user have an ad_user_login_secure cookie?
        # If so, just generate a secure token because he
        # can't have that cookie unless he had logged in securely
        # at some time in the past.
        # So just call sec_setup_session to generate a new token.
        # Otherwise, force a trip to /register
        if { [catch {
            set new_user_id [lindex [split [ad_get_signed_cookie "ad_user_login_secure"] {,}] 0] }] } {
            # ns_log notice "OACS= sec_handler:token invalid $errmsg"

            ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
            return filter_break
        } else {
            sec_setup_session $new_user_id
        }
    } else {
        # need to check only one of the user_id and session_id
        # if the cookie had been tampered.
        # ns_log notice "OACS= sec_handler:token ok, $sec_token $session_id"
        if { ![string match [lindex $sec_token 0] $session_id] } {
            ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
            return filter_break
        }
    }
}
Posted by Lars Pind on
The idea is that if you want to access a secure page (a page over SSL), then your login has to have been over SSL as well.

Otherwise, how would we know to trust the authentication?

The solution should be, that if you're having some pages be over SSL, you should make sure that login is over SSL as well.

There's an acs-kernel parameter to do this.

If this is not working as advertised here, please file a bug.

/Lars
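
The rule described in the reply above, as an added Python model that is not part of the thread and is not OpenACS code: a token cookie issued only at an SSL login is what an HTTPS page trusts, which is also why an anonymous visitor gets redirected. The names `SECRET`, `sign`, `verify`, `login` and `secure_page_check` are hypothetical, HMAC-SHA256 stands in for the signed-cookie routine, and the `ad_user_login_secure` fallback from the excerpt is left out.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; stands in for the server's signing secret

def sign(name, value):
    # Binding the cookie name into the MAC stops one cookie being replayed as another.
    mac = hmac.new(SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify(name, cookie):
    """Return the signed value, or None if the cookie is missing or tampered with."""
    if not cookie or "." not in cookie:
        return None
    value, mac = cookie.rsplit(".", 1)
    expected = sign(name, value).rsplit(".", 1)[1]
    return value if hmac.compare_digest(mac, expected) else None

def login(session_id, over_ssl):
    """Cookies issued at login; the secure token exists only after an SSL login."""
    jar = {"session": sign("session", session_id)}
    if over_ssl:
        jar["secure_token"] = sign("secure_token", session_id)  # assumed Secure flag
    return jar

def secure_page_check(cookies, is_https, is_login_page=False):
    """Model of the filter's decision: 'allow' or 'redirect_login'."""
    if not is_https or is_login_page:
        return "allow"  # login pages cannot be checked: no token issued yet
    session_id = verify("session", cookies.get("session"))
    token = verify("secure_token", cookies.get("secure_token"))
    if session_id is None or token is None:
        return "redirect_login"
    # The token must belong to this session, not merely be validly signed.
    if not hmac.compare_digest(token, session_id):
        return "redirect_login"
    return "allow"

def scenarios():
    http_jar, ssl_jar = login("1001", over_ssl=False), login("1002", over_ssl=True)
    replayed = dict(http_jar, secure_token=http_jar["session"])  # sniffed cookie reused
    return {
        "anonymous visitor on HTTPS": secure_page_check({}, True),
        "logged in over HTTP, then HTTPS": secure_page_check(http_jar, True),
        "logged in over HTTPS": secure_page_check(ssl_jar, True),
        "HTTP cookie replayed as token": secure_page_check(replayed, True),
        "HTTPS login page, no cookies": secure_page_check({}, True, is_login_page=True),
    }

print(scenarios())
```

Only the session that logged in over HTTPS is allowed through; the anonymous visitor, the HTTP login and the replayed cookie are all sent to the login page.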

Posted by James Thornton on
Forcing log in over SSL before accessing a page that requires authentication is one thing, but I don't think we should force log in before accessing a page that doesn't require authentication just because it's over SSL.
Posted by Matthew Geddert on
Why would you ever want to look at a page over SSL without being logged in? The whole point of SSL is to make data secure - and not being logged in makes it insecure - so what's the point?
Posted by Matthew Geddert on
I just thought of an answer to my own question - applications/submission of sensitive data by non-logged in users... which can then only be viewed by secured logged in users.
Posted by James Thornton on
That's the scenario I have.
Posted by Lars Pind on
File a bug report, please. Include the scenario.
Posted by James Thornton on
Done.