Forum OpenACS Q&A: Different image and css path with SSL?

I have been playing around with the Postgres version of OpenACS 4.6 and noticed something a little strange.

When I first get redirected to a secure page for a login in the ecommerce module (using the old template system) it seems to break all the image and css links in my pages.

As soon as I have logged in, the paths appear to work correctly and all images and css files are displayed correctly.

Any ideas about what could be happening or where to start looking? The effects seem to be a little unpredictable and once logged in and logged back out again the images and css still seem to work.

http://db.tokencoach.com and http://db.tokencoach.com.

Posted by James Harris on
Typo - the second one links to the secure page.
Posted by Torben Brosten on
Hi James Harris, It seems that this is a permissions issue. When trying to view an image directly from the https://db.todencoach.com/ page, for example https://db.todencoach.com/images/grey_background.gif , the browser is redirected to a login page.

Torben

Posted by James Harris on
You're right Torben - you can request the image in http without being prompted for authentication, but not https.

Now I just have to figure out how to fix this!

Posted by Torben Brosten on
James, Sorry I can't help you with that (yet)... Here's a forum thread from May 2002 that may be useful... https://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0004gR
Posted by C. R. Oldham on

James,

I think I fixed this problem partially (it was a bug) and the discussion is here.

I generated a patch and Don said he would apply it, but I'm assuming he will apply it to the 4.6/development branch, not the 4.5 final branch. So if you need a copy it is in SDM here.

Probably, however, the best "fix" for your problem is to add URLs to ad_login_page in packages/acs-tcl/tcl/security-procs.tcl so files from your graphics and css directories will get served via https without redirecting to a login.

Posted by James Harris on
I added /css/* and /images/* to the ad_login_page function and it works properly now.

Thanks for your help.
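
A worked illustration of the allowlist approach from the two posts above, added here as an example; it is not code from OpenACS or from anyone in this thread. It reconstructs the shape of ad_login_page as a stand-alone tclsh script: the stock pattern list is an assumption from memory (check your own copy of packages/acs-tcl/tcl/security-procs.tcl), and the ad_conn stub exists only so the script runs outside AOLserver. The final loop also compares the /images/* and /css/* directory prefixes with the /*.jpg and /*.css suffix patterns that come up later in the thread.

```tcl
# Added example, not OpenACS code. Run with: tclsh allowlist.tcl
# Mimics ad_login_page from packages/acs-tcl/tcl/security-procs.tcl
# (OpenACS 4.6) closely enough to show how the allowlist change behaves.
# The stock pattern list below is an assumption; verify against your copy.

# Stand-in for [ad_conn url] so the script runs outside AOLserver.
set ::test_url ""
proc ad_conn {what} {
    if {[string equal $what "url"]} {
        return $::test_url
    }
    error "stub only supports \[ad_conn url\], got: $what"
}

# Requests matching a "login page" pattern are served over https even when
# the browser holds no secure session token. The first four approximate the
# stock list; the last two are the additions from this thread, deliberately
# limited to directories that hold only static files.
set ::login_page_patterns {
    "*register/*"
    "/index*"
    "/"
    "*password-update*"
    "/images/*"
    "/css/*"
}

proc ad_login_page {} {
    set url [ad_conn url]
    foreach pattern $::login_page_patterns {
        if {[string match $pattern $url]} {
            return 1
        }
    }
    return 0
}

# Suffix patterns such as "/*.jpg": string match treats the leading "/*" as
# "anything under the site root", so these match a .jpg or .css name in any
# directory, not just the static ones.
proc matches_suffix_pattern {url} {
    return [expr {[string match "/*.jpg" $url] || [string match "/*.css" $url]}]
}

# Constructed sample URLs, chosen to show where the two styles differ.
foreach url {
    "/images/grey_background.gif"
    "/css/site.css"
    "/ecommerce/shopping-cart"
    "/register/"
    "/ecommerce/admin/orders.jpg"
} {
    set ::test_url $url
    puts [format "%-32s login_page=%d  suffix_match=%d" \
        $url [ad_login_page] [matches_suffix_pattern $url]]
}
```

The point of the comparison: over https, any request that is not a "login page" is expected to carry a secure session, which is why an unauthenticated browser fetching /images/grey_background.gif gets bounced to /register. Widening the pattern list is what lets static assets through, so keep the patterns as narrow as the content they cover. In the sample run, /ecommerce/admin/orders.jpg passes the suffix form but not the /images/* prefix form, which is the difference between "static files only" and "anything whose name ends in .jpg".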

Posted by James Harris on
I've just done an install of 4.6.3 and it seems this is still a problem when displaying SSL pages.  Has anyone else had problems with this (and found a workaround other than hacking security-procs.tcl)?
Posted by Torben Brosten on
I've noticed a similar problem with the images not showing with SSL for 4.6.3d (from CVS):

1. on the register page via https (when not logged in)[1], and

2. when using ecommerce with 4.6.3, when at a shopping basket page (https) and then choosing one of the links generated by @context_bar@.

For case 2, from what I understand of ad_context_bar, *all* links in the context bar list are adapted to http or https depending on the connection type for the current page. The problem is that security configuration does not permit pages or content normally accessible via http to be viewed via https[2].

I can't find anything on modifying ad_context_bar to correct this, but I think a regsub -all changing https to http should do it; this hopefully will allow the system to redirect to https if required.

Has the context_bar been updated for 5.0 to adapt (or is this a non-issue for 5.0)?

Is there a function that lets a page process know whether it is accessed via https or http? ad_port?

1. https://servername:8443/register/?return%5furl=%2f
2. https://openacs.org/forums/message-view?message_id=33419

Posted by Torben Brosten on
Hmm... don't want to regsub the [administer] link to /ecommerce/admin as that doesn't seem to redirect even when RestrictToSSL has ecommerce/admin/* in it... maybe there needs to be a different separator in the field (besides space?). Something to sleep on anyway... goodnight.
Posted by C. R. Oldham on
Torben,

If you look back a little in this thread I discuss how you might achieve this by patching ad_login_page so it thinks some of those directories are part of the "login" page, so you can serve the content over https without logging in.

One danger of serving mixed http/https content is that the user will get a warning box that says basically that "some of the content on this page is not being served by https.  Do you want to show this content?"  This can scare non-technical users.

Posted by Torben Brosten on

C.R.Oldham, that SDM link doesn't work, and your patch seems to still exist in the system. Are you referring to "adding /css/* and /images/* to the ad_login_page function"?

"One danger of serving mixed http/https content is that the user will get a warning box that says basically that some of the content on this page is not being served by https."

You are right, C.R.Oldham. The fix needs to deliver content according to the page request connection type (http/https).

Since the images are called via templating, I might try to use ad_secure_conn_p to modify the image links using absolute url references. It seems the main problem is the https://servername/register and https://servername/ecommerce/register pages. (I'm getting confused. After logging in via https://server/ecommerce/register I'm being asked to register via https://server/register.) Time to step back for a few minutes and re-think again.

Regarding the other point, wouldn't it be ideal if an alternative to ad_context_bar existed that created links biased to http to direct traffic to http connections, for example, when most content on a website is available via http?

Posted by C. R. Oldham on
are you referring to "adding /css/* and /images/* to the ad_login_page function"?

Yes.

Posted by Torben Brosten on
Thanks, CRO. I'm using /*.jpg and /*.css unless you think that is even less secure.

regarding my other question:

ec_insecure_context_bar_ws_and_index is an alternative to ad_context_bar that converts relative https links to http. Unfortunately it is not working for this install; apparently something in ec_insecurelink is not choosing to convert to the http version. Since this is working, I will leave it to a rainy day to fix.