Forum OpenACS Q&A: Documentations that don't make sense

Posted by Li-fan Chen on

I created this thread to point out any sections of the doc that I don't quite follow:

From www/doc/security-sessions.html (explaining the secure cookie token)

     * ad_secure_token is another TokenLength-character random string which is only
       ever transmitted over SSL (it has Secure specified in the Set-Cookie
       header). Even if someone sniffs the session identifier and grabs the
       insecure token string, they will never be able to gain access to this secure
       token string.

     > This cookie is only ever sent to a client once, so there's positively no way
     > we could make the mistake of sending it to two users (one masquerading as
     > the other). Furthermore, when the secure token is issued (typically on a
     > client's first access to the site via HTTPS) we reissue the insecure token
     > as well. This way, if Gus sniffs Mary's insecure token and proceeds to make
     > a secure access to the site (receiving her secure token), Mary's insecure
     > session will stop working, limiting Gus's ability to mess with her.

The way it is explained, I don't understand how Gus's holding of Mary's insecure session expiring limits his ability. Especially since a new insecure cookie is provided with the secure cookie (to Gus), giving him full access. I'm sure by reading the code, the rubbery english will straighten itself out--but it's still a minor jolt. Could someone expand the Gus and Mary example perhaps with snippets of code and telnet's showing what happens? Thanks! :)

Posted by Li-fan Chen on

Now I have a post regarding a little snippet of code that I don't understand:

It's regarding tcl/ad-security.tcl's ad_assign_session_id:


# Li: so we pickup the user_id and password from the user...(from [ns_conn headers])
if { [regexp {^([0-9]+),([0-9a-fA-F]+)$} [ad_get_cookie "ad_user_login"] match user_id password] } {
    # Li: here we may encrypt the password first... (Bookmark 1)
    if { [ad_parameter EncryptPasswordsInDBP "" 0] } {
        set password [ns_crypt $password [ad_crypt_salt]]

    # Li: from the server we pick up the server's notion of what the user's password is
    set selection [ns_db 0or1row $db "
    select password
    from users
    where user_id = $user_id
    and user_state = 'authorized'

    if { [empty_string_p $selection] } {
        # user_id does not exist in database, or is not in state authorized

    } else {
        # Li: from the server
        set correct_password [ns_set value $selection 0]

        # Li: Here we dehex the password provided from the user (Bookmark 2)
        set password_raw [sec_dehexify $password]
        if { ![string compare [string toupper $correct_password] [string toupper $password_raw]] } {
            set ad_sec_user_id $user_id

My question is.. regarding bookmark 1 and 2.. how can you encrypt something and dehex it right after? If the encryption procedure involves a hex procedure at the end that makes sense. But if you hex something, then encrypted, you need to decrypt it then dehex it. So maybe what we really mean is sec_hexify? Or what? I'm confused. Thanks for any clarification.

Posted by Li-fan Chen on

I won't call it an undocumented feature, but I clearly overlooked the hard to find little documentation that describes the difference between having things filled in ns_getform only and having things filled in both [ns_conn query] and ns_getform. Can someone clear this out up?

# This is from tcl/ad-security.tcl's sec_security_read_info
            set query [ns_conn query]
            if { $query != "" } {
                set query "?$query"
                if { [ns_getform] != "" } {
                    set query "$query&[export_entire_form_as_url_vars]"
            } elseif { [ns_getform] != "" } {
                set query "?[export_entire_form_as_url_vars]"

So what sort of form can we build that goes only into [ns_conn query] or only into [ns_getform]'s ns_set? And then there's the ns_conn [form format] as well. When the form data arrives are these structures or strings filled with the same name=value items? Does POST and GET differenciate what goes where? How can I tell (I could telnet and try I guess hehe but I figure someone can point me to where it's pointed out in the docs)?

Posted by Li-fan Chen on
I am reading tcl/user-group-defs.tcl's ug_file_to_source, it tried to access ad_conn($file) without global ad_conn first. Weird. Most other places do a global ad_conn before accessing the array (tcl/ad-security.tcl and tcl/ad-abstract-url.tcl). Does this need fixing?
Posted by Li-fan Chen on
I just want to mention that I can't find the logic that implements hostname/$group_type aka has_virtual_directory_p for ACS $group_types...
  • ...even though ug_serve_group_pages has code to do redirection for them
  • ...and the SQL tables has fields that hold has_virtual_directory_p toggles in user-group-defs.tcl.

Threw me off until I realize maybe that admin and users pages that answers to the sql definitions surrounding has_virtual_directory_p is not implemented yet. I have only begun to login as system/changeme to find out what's going on and from there I see no options for has_virtual_directory_p either, guess if I used it earlier I would have a clue hehe.