The security system was designed for security. Thus, decisions requiring trade-offs between ease-of-use and security tend to result in a system that may not be as easy to use but is more secure.
If a user switches to HTTPS after logging into the system via HTTP, the user must obtain a secure token. To ensure security, the only way to obtain a secure token in the security system is to authenticate yourself via password over an HTTPS connection. Thus, users may need to log on again to a system when switching from HTTP to HTTPS. Note that logging on to a system via HTTPS gives the user both insecure and secure authentication tokens, so switching from HTTPS to HTTP does not require reauthentication.
This method of authentication is important in order to establish, in as strong a manner as possible, the identity of the owner of the secure token. In order for the security system to offer stronger guarantees of someone who issues a secure token, the method of authentication must be as strong as the method of transmission.
If a developer truly does not want such a level of protection,
this system can be disabled via source code modification only. This
can be accomplished by commenting out the following lines in the
sec_handler
procedure defined
in security-procs.tcl
:
if { [ad_secure_conn_p] && ![ad_login_page] } { set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]] if { $s_token_cookie eq "" || $s_token_cookie ne [lindex [sec_get_session_info $session_id] 2]} { # token is incorrect or nonexistent, so we force relogin. ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]" } }
The source code must also be edited if the user login pages have
been moved out of an OpenACS system. This information is contained
by the ad_login_page
procedure
in security-procs.tcl
:
ad_proc -private ad_login_page {} { Returns 1 if the page is used for logging in, 0 otherwise. } { set url [ad_conn url] if { [string match "*register/*" $url] || [string match "/index*" $url] } { return 1 } return 0 }
The set of string match expressions in the procedure above
should be extended appropriately for other registration pages. This
procedure does not use ad_parameter
or regular expressions for
performance reasons, as it is called by the request processor.