security-notes.xml

Delivered as text/xml

[ hide source ] | [ make this the default ]

File Contents

<?xml version='1.0' ?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
               "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
<!ENTITY % myvars SYSTEM "../variables.ent">
%myvars;
]>
<sect1 id="security-notes" xreflabel="OpenACS 4 Security Notes">
<title>Security Notes</title>


<authorblurb>
<para>By Richard Li</para>
</authorblurb>

<para>
The security system was designed for security. Thus, decisions requiring
trade-offs between ease-of-use and security tend to result in a system that
may not be as easy to use but is more secure. 
</para>



<sect2 id="security-notes-https-sessions">
<title>HTTPS and the sessions system</title>
<para>

If a user switches to HTTPS after logging into the system via HTTP, the user
must obtain a secure token. To ensure security, the <emphasis>only way</emphasis> to
obtain a secure token in the security system is to authenticate yourself via
password over an HTTPS connection. Thus, users may need to log on again to a
system when switching from HTTP to HTTPS. Note that logging on to a system
via HTTPS gives the user both insecure and secure authentication tokens, so
switching from HTTPS to HTTP does not require reauthentication. 
</para>

<para>This method of authentication is important in order to establish, in as
strong a manner as possible, the identity of the owner of the secure token.
In order for the security system to offer stronger guarantees of someone who
issues a secure token, the method of authentication must be as strong as the
method of transmission.</para>

<para>If a developer truly does not want such a level of protection, this system
can be disabled via source code modification only. This can be accomplished
by commenting out the following lines in the <computeroutput>sec_handler</computeroutput>
procedure defined in <computeroutput>security-procs.tcl</computeroutput>:</para>

 

<programlisting>

    if { [ad_secure_conn_p] &amp;&amp; ![ad_login_page] } {
        set s_token_cookie [ns_urldecode [ad_get_cookie &quot;ad_secure_token&quot;]]
        
        if { $s_token_cookie eq "" || $s_token_cookie ne [lindex [sec_get_session_info $session_id] 2]} {
        # token is incorrect or nonexistent, so we force relogin.
        ad_returnredirect &quot;/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]&quot;
        }
    }

</programlisting>


<para>The source code must also be edited if the user login pages have been
moved out of an OpenACS system. This information is contained by the
<computeroutput>ad_login_page</computeroutput> procedure in <computeroutput>security-procs.tcl</computeroutput>:</para>

 

<programlisting>

ad_proc -private ad_login_page {} {
    
    Returns 1 if the page is used for logging in, 0 otherwise. 

} {

    set url [ad_conn url]
    if { [string match &quot;*register/*&quot; $url] || [string match &quot;/index*&quot; $url] } {
    return 1
    }

    return 0
}

</programlisting>

<para>
The set of string match expressions in the procedure above should be extended
appropriately for other registration pages. This procedure does not use
<computeroutput>ad_parameter</computeroutput> or regular expressions for performance reasons, as
it is called by the request processor. </para>



<para><phrase role="cvstag">($Id: security-notes.xml,v 1.7.4.1 2021/09/02 16:56:03 gustafn Exp $)</phrase></para>
</sect2>
</sect1>