Forum OpenACS Q&A: SSL login problems?

Posted by C. R. Oldham on

I'm having some trouble with SSL logins and I was wondering if anyone
had experienced anything like this in the beta of the toolkit.  IE
6.0 seems to work OK. Mozilla 1.0RC1 will let you login via SSL, but
when you visit pages that require logins but are not ssl, OACS
redirects you to a login page.  I'm also seeing wierdness if I run
the server on non-standard ports (http:8000 https:8443).  I can't
make heads or tails of the cookie handling code.  Is whether a cookie
gets set/sent on a client affected by the port number the server is
running on?  Mozilla 1.0RC1 shows the port number if you look in the
cookie list.  If a cookie is set in http, does it get returned for a
connection to the same server under https?

Another weird experience is sometimes if I hit the site main page
under SSL, none of the images show up.  Looking in the access log a
redirect to a login page is being generated for each image.  This one
is intermittent, and is driving me crazy.

I'd like to track these down because they are affecting our rollout
plans bigtime...suggestions appreciated.

Posted by Cynthia Kiser on
What code is serving the images? I ran into something like what you describe a long time ago when I hacked the file-storage module to be a crude content repository - neglecting to look at the filter that pulled the image files out of the db. Creating a custom filter with no user_id checking cured my problem. In modern OACS, you probably need to check the public read permissions on your content repository.
Posted by C. R. Oldham on
It's just the standard URL serving part of the request processor.  The images are in the filesystem along with the rest of the .adp/.tcl files.  They are in the /graphics directory, but that dir is not protected to require a login or anything.
Posted by Walter Smith on
I'm running 3.2.5, but I experienced something similar to the last problem you mention, that requests to images were creating redirects to login.

I ended up creating a more elaborate system for breaking out of secured pages and fine tuning what gets passed through SSL. To get consistent behavior I created a couple procs to check lists of directories and file extensions to either ignore or include while going into or breaking out of secured pages. Since then things have run very well, although I haven't done load testing and I'm not sure how much overhead my approach is adding.

Let me know if the code is of interest and I can post it or email it.

Posted by Richard Hamilton on
Check out this thread.

Regards Richard