Forum OpenACS Q&A: How to stay in http: after I register in https:?

Hi all.

When I register a new user in https: all the links become https.

How can I limit the https navigation ONLY to /admin and /register?

I know the parameters in the main site, but they only force register and admin into https; they do not return to http outside those pages.

Any idea?

Thanks.

/Jorge

Posted by C. R. Oldham on

What we did was to patch acs-subsite/www/register/index.tcl to redirect to our homepage on non-SSL. It's a two-line patch at the top of index.tcl:

if {![info exists return_url]} {
    # cro 2002-04-30
    # Make sure we return to the non-SSL homepage
    set return_url "[ad_url]/"
}

Unfortunately this will probably cause the user to see a dialog box that says "you are being redirected to a non-secure site" or some such. We haven't gone live with our 4.6 site yet, so we haven't really decided how to handle this. You can

  1. live with it,
  2. do some JavaScript manipulation that can avoid this (I don't know exactly what that is or how hard it will be to make it work with every browser), or
  3. add another page that says "you are now registered or logged in, click here to go back to where you were", so the user does the navigation instead of the server causing a browser redirect.

3: Double redirecting (response to 2)
Posted by Titi Ala'ilima on
The way I accomplished this was by double-redirecting, i.e. forcing all URLs (except for things which would be included/in-lined, e.g. images, scripts, and style-sheets) to HTTP unless they were explicitly forced to HTTPS. The force to HTTPS is done with a filter registered to whatever nodes you specified in the RestrictToHttps parameter, so I modified the filter to mark ad_conn if it passed without redirecting, and then added a second filter, registered to all URLs with a later priority, to redirect all HTTPS connections not previously marked to HTTP. To exclude images and the like from redirection, I added a third filter for all relevant extensions (gif, jpeg, css, js, etc.) which marked ad_conn, and gave it a priority between the other two filters. One unfortunate thing is that image loading is slower on HTTPS pages due to encryption, but you could speed that up by explicitly calling HTTP

E-mail me if you'd like to see the actual code.
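The three-filter scheme described in the post above, written out as an added example for this thread; it is not Titi's actual code, which is not on the page. It assumes the OpenACS conventions the thread's own snippets rely on: filters registered with ad_register_filter are called with (conn args why), [ns_conn driver] is "nsopenssl" on HTTPS connections, ad_register_filter honours -priority with lower numbers running first, filter paths are glob patterns, and ad_conn -set stores a per-request flag. The flag name ssl_ok_p, the proc names and the hard-wired URL list are made up for the example.

```tcl
# Added example: double-redirect filters in the style of
# packages/acs-tcl/tcl/admin-init.tcl. Names below marked "hypothetical"
# are not OpenACS identifiers.

proc ssl_current_url { scheme } {
    # Rebuild the requested URL under the given scheme, keeping the query
    # string, which [ns_conn url] does not include. [ns_info hostname] is
    # used as in the thread's code; a site on non-standard ports needs the
    # port appended here.
    set url "${scheme}://[ns_info hostname][ns_conn url]"
    if { [string length [ns_conn query]] > 0 } {
        append url "?[ns_conn query]"
    }
    return $url
}

proc ssl_marked_p {} {
    # ad_conn raises an error for a key that was never set, so treat
    # "never set" as "not marked". ssl_ok_p is a hypothetical flag name.
    if { [catch { ad_conn ssl_ok_p } marked] } {
        return 0
    }
    return $marked
}

proc ssl_force_https_filter { conn args why } {
    # Filter 1 (runs first): URLs that must be on HTTPS. On plain HTTP,
    # redirect; on HTTPS, mark the request so filter 3 leaves it alone.
    if { [ns_conn driver] == "nsopenssl" } {
        ad_conn -set ssl_ok_p 1
        return "filter_ok"
    }
    ns_returnredirect [ssl_current_url https]
    return "filter_return"
}

proc ssl_inline_filter { conn args why } {
    # Filter 2: images, style-sheets and scripts stay on whatever protocol
    # the referencing page used, so an HTTPS page never gets its images
    # bounced to HTTP (which browsers flag as mixed content).
    ad_conn -set ssl_ok_p 1
    return "filter_ok"
}

proc ssl_force_http_filter { conn args why } {
    # Filter 3 (runs last): any HTTPS request nobody marked goes back to HTTP.
    if { [ns_conn driver] != "nsopenssl" || [ssl_marked_p] } {
        return "filter_ok"
    }
    ns_returnredirect [ssl_current_url http]
    return "filter_return"
}

if { [ad_ssl_available_p] } {
    # 1. protected areas; the real init loops over the RestrictToSSL
    #    parameter instead of this hard-wired list
    foreach pattern { /admin/* /acs-admin/* /register/* } {
        ad_register_filter -priority 100 preauth GET $pattern ssl_force_https_filter
    }
    # 2. in-lined resources, matched by extension
    foreach ext { gif jpg jpeg png css js } {
        ad_register_filter -priority 200 preauth GET "/*.$ext" ssl_inline_filter
    }
    # 3. everything else
    ad_register_filter -priority 300 preauth GET /* ssl_force_http_filter
}
```

All three filters are registered for GET only, as the thread's own code is: redirecting a POST that arrived on HTTPS would drop the form body, so an unmarked HTTPS POST is simply served rather than bounced.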

Posted by Walter Smith on
I use a combination of these two approaches.  To avoid that message that C.R. mentions, I created an interim page that performs the redirect and tells the user, "You are now logged in, and you are being directed to the page you requested."

The header section of this redirect page contains the directive to redirect the browser:

<meta http-equiv=\"refresh\" content=\"0;url=$return_url\">
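The thread does not show the Tcl side of such an interim page, so here is an added example (not Walter's page) of the one check it needs: if return_url comes from the request, the page should pin it to this site before emitting the meta refresh, otherwise anyone can hand a freshly logged-in user a link that bounces them to another host. It assumes site_url is the site's own base URL as [ad_url] returns it in OpenACS ("http://example.org" or "http://example.org:8000"); the proc name is hypothetical.

```tcl
# Added example, not from the thread. Normalizes the return_url an interim
# "you are now logged in" page will refresh to: the result is always an
# absolute URL under site_url, which also moves the browser from HTTPS back
# to the site's plain-HTTP base. interim_safe_return_url is a hypothetical name.
proc interim_safe_return_url { return_url site_url } {
    # host[:port] of our own site, e.g. "example.org:8000"
    set site_host [lindex [split $site_url /] 2]

    # Site-relative path ("/foo?x=1"); "//evil.org/" is scheme-relative and
    # would leave the site, so it is excluded here and falls through below.
    if { [string match "/*" $return_url] && ![string match "//*" $return_url] } {
        return "$site_url$return_url"
    }

    # Absolute URL: accept only http(s) on our own host. The host is taken
    # up to the first "/", "?" or "#", so "http://example.org@evil.org/"
    # yields host "example.org@evil.org" and is rejected.
    if { [regexp -nocase {^https?://([^/?#]+)(.*)$} $return_url match host rest]
         && [string equal -nocase $host $site_host] } {
        if { [string length $rest] == 0 } {
            set rest "/"
        }
        return "$site_url$rest"
    }

    # Anything else (other hosts, javascript:, garbage): go to the home page.
    return "$site_url/"
}
```

In the page's .tcl file this is used as `set return_url [interim_safe_return_url $return_url [ad_url]]` before the template is returned, and the .adp then emits the meta refresh shown above with the checked value.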

Posted by Jorge Garcia on
Hi, Titi:
1. Your code will be very welcome 😉
If you could send me the example I will be very grateful.
2. I have tried that same approach but with only one filter.
For some strange reason some images don't load in https.

3. Do you know any method to restrict the whole protocol 'https' to ONLY the folders you want?
4. Is there any trick to do so, or can only the filters be used?

Regards.

/Jorge

P.S. https://openacs.org/forums/message-view?message_id=15982
The same problem for oacs 3.x.
There are some lines added by Ola Hansson, but I can't make them work very well in oacs 4.5.
Maybe this strange thing with the images was another issue.

We have modified 'admin-procs.tcl' and 'admin-init.tcl' in the folder /packages/acs-tcl/tcl

-------------------
'admin-procs.tcl'
-------------------
proc_doc ad_restrict_to_https {conn args why} {
    Redirects user to HTTPS.

    @author Allen Pulsifer (mailto:pulsifer@mediaone.net)
    @creation-date 2 November 2000
} {
    if { [ad_conn driver] == "nsopenssl" } {
        return "filter_ok"
    } else {
        # [ns_conn url] carries no query string; keep it so GET parameters
        # survive the redirect
        set secure_url "https://[ns_info hostname][ns_conn url]"
        if { [string length [ns_conn query]] > 0 } {
            append secure_url "?[ns_conn query]"
        }
        ns_returnredirect $secure_url
        return "filter_return"
    }
}
# Proc added====>>>
proc exit_from_https {conn args why} {
    # Same argument list as ad_restrict_to_https above: filters registered
    # with ad_register_filter are called with (conn, args, why).
    if { [ns_conn driver] == "nssock" } {
        # already plain HTTP, nothing to do
        return "filter_ok"
    } elseif { [string first "/admin" [ns_conn url]] != -1 || [string first "/acs-admin" [ns_conn url]] != -1 || [string first "/register" [ns_conn url]] != -1 } {
        # keep the protected areas on HTTPS; note that "string first" matches
        # these substrings anywhere in the URL, not only as a leading path
        return "filter_ok"
    } else {
        set unsecure_url "http://[ns_info hostname][ns_conn url]"
        if { [string length [ns_conn query]] > 0 } {
            append unsecure_url "?[ns_conn query]"
        }
        ns_returnredirect $unsecure_url
        return "filter_return"
    }
}
# end proc added
# end proc added

-------------------
'admin-init.tcl'
-------------------
if { [ad_ssl_available_p] } {
    set admin_ssl_filters_installed_p 1

    db_foreach path_select {
        select package_id, site_node.url(node_id) as url
        from apm_packages p, site_nodes n
        where p.package_id = n.object_id
    } {
        ns_log Notice "Processing RestrictToSSL for $url"
        foreach pattern [ad_parameter -package_id $package_id RestrictToSSL "acs-subsite"] {
            ad_register_filter preauth GET "$url$pattern" ad_restrict_to_https
            ns_log Notice "URLs matching \"$url$pattern\" are restricted to SSL"
        }
    }

    # Line added====>>>
    ad_register_filter preauth GET /* exit_from_https
    # end line added
    db_release_unused_handles
}

Posted by Caroline Meeks on
I am having this same problem with 5.0. This seems like something we should solve once and put in the toolkit.

What is the state of this issue? Are any of these solutions preferred?

Thanks
Caroline

Posted by Lars Pind on
If you're having this problem in 5.0, it's a bug.

There's definitely code to make the link to the login page have a return_url that includes http://... when redirecting to a https login page from a http page.

Please file this in the bug-tracker.

/Lars

Posted by Caroline Meeks on
Thanks Lars,

It is indeed a bug... but in ecommerce! I tracked it down: if you use auth::require_login or ad_maybe_redirect_for_registration, it uses a proc ad_get_login_url that uses http in the return url.

The reason I had trouble was that I was using old ecommerce code that did the redirects and return url on that page rather than using a proc.

I will file a ticket in ecommerce giving people a heads up. However, I am using the regular registration with my ecommerce site. Out-of-the-box ecommerce is still using its own registration which is completely untested with 5.0.

Posted by James Harris on
I have just added SSL to my site (OACS 5.01) and logins get redirected to https and then don't get redirected back to http. This is outside of the ecommerce module; should I file a bug report?

Jorge, can you do a bit of testing to try to narrow down the problem?

Please test whether it's happening consistently or just from one page. Trying to access acs-admin while not logged in is how I usually test this.

If the problem is not consistent, take a look at the code that is initiating the redirect.

If it's consistent everywhere in your site, take a look at your kernel parameters and sanity check them all. Try it with and without force_host_p.

Sorry, the previous post was for James, not Jorge :)
Posted by James Harris on
I figured that!  😉

The problem is consistent from all pages including acs-admin as well as non-admin pages.

As far as I can tell, my kernel parameters look fairly sane and the problem occurs with ForceHostP set to 0 or 1.  Are there any I should particularly be looking at?

Incidentally, I noticed that the upgrade from 5 to 5.01 reset ForceHostP to 0 (as well as overwriting my customised acs-subsite/www/index.adp file).

Hmm, I don't have a site with 5.01 and https to test.

The proc that does the magic of returning you to http is
ad_get_login_url

It checks

    if { [security::secure_conn_p] || ![security::RestrictLoginToSSLP] } {
        set return_url [ad_return_url]
    } else {
        set return_url [ad_return_url -qualified]
    }

So definitely check your settings on RestrictLoginToSSLP.

Next you can see if this proc or ad_return_url has any changes from 5.0 to 5.01