Forum OpenACS Q&A: subsite security

Collapse
Posted by Roger Williams on
Is it possible to force access to certain subsites as https/SSL? I do not want all access to my site to be https, only certain subsites.

TIA.

Regards..

Collapse
2: Re: subsite security (response to 1)
Posted by Jade Rubick on
Perhaps you could use a .vuh file?
Collapse
3: Re: subsite security (response to 1)
Posted by Randy O'Meara on
Roger,

There is an acs-subsite parameter called RestrictToSSL and it is described as:

    URLs we want restricted to SSL. Note that this only
    takes effect if you have an SSL listener configured
    on your AOLserver and kernel parameter
    RegisterRestrictToSSLFilters is set to 1 (its default).
You can set in the Site Map (click set parameters). Give it a try.
Collapse
Posted by Roger Williams on
Thanks Jade and Randy:

I saw that RestrictToSSL thingy sometime ago but (like so many parameters) I never tried it. I will give it a shot and post the answers here.

Also, I still do not understand how .vuh files work 😟

Regards..

Collapse
5: Re: subsite security (response to 1)
Posted by Jade Rubick on
I would go with Randy's suggestion.

.vuh files are cool, but probably not helpful in this case.

Eventually, someone will write some documentation on .vuh files. They're just filters on a directory, kind of.

You can look at http://rubick.com/openacs and my Virtual Hosting document for an example.

Collapse
6: Re: subsite security (response to 1)
Posted by Dirk Gomez on
How does RestrictToSSL  work? Do we set a different cookie for a HTTPSed subsite and require a new login? Is the login page protected by SSL by default if RestrictToSSL is set to true somewhere in the sitemap?
Collapse
7: Re: subsite security (response to 1)
Posted by Tom Ayles on
RestrictToSSL seems to work pretty much as you suggest. If part of the site map is restricted to SSL, then authentication is based on the ad_user_login_secure cookie as opposed to ad_user_login.

If you try to access this area of the site and ad_user_login_secure is not already set in your browser (regardless of whether ad_user_login exists), then you are required to log in again, only this time using a secure connection. After this, the appropriate cookie is set, and you can wander around SSL restricted parts of the site to your heart's content.

However, if SSL is enabled, the login for non-restricted areas still occurs over regular HTTP, with the same password as for HTTPS logins, so if your password gets sniffed when your logging in via HTTP, an attacker could use that to log in via HTTPS and access secure parts of the site. I think it may be possible to force ALL logins to occur over HTTPS, closing this problem, but I'm not sure how :)

Collapse
8: Re: subsite security (response to 1)
Posted by Lars Pind on
Tom,

We've recently added a paramter for this in acs-kernel, RestrictLoginToSSLP.

Last week, I even changed the default value for this to 1, but didn't realize that there was a bug in our code that caused it to try to redirect logins to SSL even if SSL was not installed. That's fixed now.

/Lars