Forum OpenACS Development: Response to Login/Security tokens without cookies

Posted by Patrick McNeill on
In ACS4-based systems, aside from modifying the hard-coded links, this is fairly easy to do.  The concept is that you copy the ad_token_id cookie into the front of the URL (index 0 of ns_conn urlv).  ad_conn is modified to strip off the session information when ad_conn url is called (vs just passing it through to ns_conn).  A new function is needed to create the URL string -- it needs to be signed in some way -- I used SHA1 hashing.

We have the basics now, so we modify the request processor and security system to redirect users without the URL session information to a URL with session information.  The cookie-reading functions are modified to read the URL session information when the ad_token_id doesn't exist.  That's about it (IIRC) for a basic functional system.

Now for the trickier part -- making it work nicely.  First, you can't detect whether a user does or does not have cookie support until the second page load, so the first page visited always has to have the session information in the URL.  However, after that first page, the session information should be omitted for users that support cookies.  This can be done with another redirect in the security system.  The downside is that this method requires something that can be recognized by ad_conn, so it can decide if the urlv0 needs to be stripped.  I would simply prepend some random combination of letters that isn't likely to be used at the front of a URL.  It's also wise to make this a package parameter.  The other way to make this work nicely is to maintain the session information even when the user finds an absolute link.  This is done by reading session information from the referrer header when it's not present in the URL or cookie.

I'm planning on redoing this system for ACS Java when I get some time, and possibly writing an ASJ article about it.
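The scheme described in the post above, as an added example that is not Patrick's code and not part of OpenACS: a signed session segment is placed at the front of the URL path (the equivalent of index 0 of `ns_conn urlv`), a fixed marker prefix lets the equivalent of `ad_conn url` recognise and strip it, and the session is resolved cookie-first, then URL, then Referer header. It is written in Python rather than the Tcl the post's system used, and it signs with HMAC-SHA1 under a server secret rather than the bare SHA1 hash the post mentions, so that the token cannot be recomputed by anyone who knows only the session id; the marker `sxq`, the secret, and all session ids are constructed placeholders. The redirect logic also reproduces the two-step behaviour the post describes: a first visit without any session gets redirected to a URL carrying one, and a later visit that shows both a cookie and a URL session gets redirected to the stripped URL, since URL-borne tokens otherwise persist in logs and referrers.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed demo secret; a real deployment would load this from configuration.
SERVER_SECRET = b"constructed-demo-secret"
# Hypothetical marker prefix, standing in for the "random combination of letters"
# the post suggests making a package parameter.
URL_SESSION_MARKER = "sxq"


def sign_session(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return the path segment carrying the session id and its signature."""
    mac = hmac.new(secret, session_id.encode(), hashlib.sha1).hexdigest()
    return f"{URL_SESSION_MARKER}{session_id}.{mac}"


def build_url(path: str, session_id: str) -> str:
    """Prepend the signed session segment to an absolute path such as '/forums/'."""
    return "/" + sign_session(session_id) + path


def split_session(path: str, secret: bytes = SERVER_SECRET):
    """Mimic 'ad_conn url': return (session_id or None, path with the segment stripped).

    A segment that carries the marker but fails signature verification is still
    stripped (so routing works) but yields no session, which forces a fresh one.
    """
    segments = path.split("/")          # segments[1] corresponds to urlv index 0
    if len(segments) < 2 or not segments[1].startswith(URL_SESSION_MARKER):
        return None, path
    stripped = "/" + "/".join(segments[2:])
    session_id, sep, mac = segments[1][len(URL_SESSION_MARKER):].rpartition(".")
    if not sep:
        return None, stripped
    expected = hmac.new(secret, session_id.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None, stripped
    return session_id, stripped


def resolve_session(cookie_session, url_path: str, referer: str = None):
    """Precedence from the post: ad_token_id cookie, then URL, then Referer header.

    Returns (session_id or None, stripped path, source or None).
    """
    url_session, stripped = split_session(url_path)
    if cookie_session:
        return cookie_session, stripped, "cookie"
    if url_session:
        return url_session, stripped, "url"
    if referer:
        referer_session, _ = split_session(urlsplit(referer).path)
        if referer_session:
            return referer_session, stripped, "referer"
    return None, stripped, None


def needs_redirect(cookie_session, url_path: str):
    """Decide the redirect the request processor would issue, or None.

    No cookie and no URL session: first page load, so redirect to a URL that
    carries a newly issued session. Cookie and URL session both present: the
    browser keeps cookies, so redirect to the URL with the session stripped.
    """
    url_session, stripped = split_session(url_path)
    if cookie_session is None and url_session is None:
        return build_url(stripped, secrets.token_hex(8))
    if cookie_session is not None and url_session is not None:
        return stripped
    return None


if __name__ == "__main__":
    first = needs_redirect(None, "/forums/index")
    print("first visit redirects to:", first)
    print("parsed back:", split_session(first))
    print("cookie user on a session URL redirects to:",
          needs_redirect("cookie-session", build_url("/forums/index", "abc123")))
```

Session ids in this example must not contain `/` or `.`, since the segment is delimited by those characters; an id drawn from `secrets.token_hex` satisfies that.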