Forum OpenACS Q&A: Re: SSL pages forcing log in -- why?

Posted by James Thornton on
It appears that the sec_handler proc is forcing the user to log in before accessing an SSL page. Why was it designed to do this?

Here's an excerpt from the sec_handler documentation:

# If it's a secure page and not a login page, we check
# secure token (can't check login page because they aren't
# issued their secure tokens until after they pass through)
# It is important to note that the entire secure login
# system depends on these two functions
if { [ad_secure_conn_p] && ![ad_login_page] } {

# ns_log notice "OACS= sec_handler:secure but not login page"

if { [catch { set sec_token [split [ad_get_signed_cookie "ad_secure_token"] {,}] } errmsg] } {
    # token is incorrect or nonexistent, so we force relogin.

    # 2002-08-01
    # but wait--does user have an ad_user_login_secure cookie?
    # If so, just generate a secure token because he
    # can't have that cookie unless he had logged in securely
    # at some time in the past.
    # So just call sec_setup_session to generate a new token.
    # Otherwise, force a trip to /register
    if { [catch {
	set new_user_id [lindex [split [ad_get_signed_cookie "ad_user_login_secure"] {,}] 0] }] } {
#		     ns_log notice "OACS= sec_handler:token invalid $errmsg"

	 ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
	 return filter_break
     } else {
	 sec_setup_session $new_user_id
} else {
    # need to check only one of the user_id and session_id
    # if the cookie had been tampered.
#		ns_log notice "OACS= sec_handler:token ok, $sec_token $session_id"
    if { ![string match [lindex $sec_token 0] $session_id] } {
	ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
	return filter_break