Forum OpenACS Q&A: restrict login to ssl

Posted by Lokman Tsui on
Hi!

I have successfully set up OpenACS 4.6.2 with PostgreSQL 7.2.2 and am now configuring it.

I came upon the following problem: I want to log in securely using SSL, but the rest of the site should be viewed unencrypted. How can I do this?

I found the parameter "restrictToSSL", but obviously setting this to /* is not going to solve my problem.

Any ideas?

Thanks!

2: Re: restrict login to ssl (response to 1)
Posted by Bruno Mattarollo on

The login screen is usually under /register/, so you can make this particular URL SSL only. There is a proc called ad_restrict_to_https that is your friend.

Hope this helps.

3: Re: restrict login to ssl (response to 2)
Posted by Joel Aufrecht on
I played with this before - setting up a web site so that it is impossible for a user to send their password in plain text.  I was able to accomplish it with just the parameters (in kernel and site map, I think) but 1) I didn't fully test by sniffing the HTTP streams, so I'm not sure the password doesn't go through and 2) It broke a lot of graphics and stylesheets.  This would be a nice thing to have written up as a feature request, because it ought to be a single check-box in the parameters.
4: Re: restrict login to ssl (response to 1)
Posted by Matthew Geddert on
You need to do these things (on a standard OpenACS install)...

Edit the "RestrictToSSL" parameter for your main subsite (by default it is called "Main Site" if you haven't renamed it) to include "/register/*". Here is an example of the entries in "RestrictToSSL" from a site I run:

acs-admin/* admin/* register/* pvt/* user/* */admin/*

Then you need to edit the packages/acs-tcl/tcl/security-procs.tcl file to include references to all your graphics folders. This is what mine looks like:
ad_proc -private ad_login_page {} {

    Returns 1 if the page is used for logging in, 0 otherwise.

} {
    set url [ad_conn url]

    # Login pages, the front page, and the graphics folders the login page
    # needs; each pattern is a Tcl glob matched against the request URL.
    if { [string match "*register/*" $url] \
             || [string match "/index*" $url] \
             || [string match "/graphics*" $url] \
             || [string match "/graphics/colors*" $url] \
             || [string match "/" $url] } {
        return 1
    }

    return 0
}
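As an added illustration (not code from this thread and not OpenACS's own request processor), here is a small Python model of the routing decision that the two steps above configure: the RestrictToSSL list decides which plain-http requests get bounced to https, and ad_login_page decides which https requests may be served before the browser holds a secure session token. Two things are assumptions: that each RestrictToSSL entry is glob-matched against the request path (Tcl string match, approximated here with fnmatch, with a leading slash implied where the entry has none), and that over https anything which is not a login-page resource is sent to /register/ until a secure token exists. The hostname www.mysite.com and the /forums/, /style.css and /administrators paths are made up for the sample; the lists themselves are the ones discussed in the thread.

```python
import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Constructed model of the RestrictToSSL / ad_login_page interaction.
# Not OpenACS code: the glob semantics and the https-side check are assumptions.

# The first attempt from the question: every URL is forced onto https, graphics included.
RESTRICT_EVERYTHING = ["/*"]

# The working list from the post above: login, admin and per-user areas only.
RESTRICT_LOGIN_AND_ADMIN = [
    "acs-admin/*", "admin/*", "register/*", "pvt/*", "user/*", "*/admin/*",
]


def _normalize(pattern):
    # Entries in the posted list carry no leading slash while the request path
    # does; imply one unless the entry already starts with "/" or a wildcard.
    if pattern.startswith(("/", "*")):
        return pattern
    return "/" + pattern


def requires_ssl(path, patterns):
    """True if the request path matches any RestrictToSSL entry (glob match)."""
    return any(fnmatch.fnmatchcase(path, _normalize(p)) for p in patterns)


def login_page_p(path):
    """Python mirror of the patched ad_login_page shown in the post."""
    return (
        "register/" in path
        or path.startswith("/index")
        or path.startswith("/graphics")
        or path == "/"
    )


def route_request(url, patterns, has_secure_token=False):
    """Decide what the server does with one request.

    Returns ("serve", url) or ("redirect", target). Over http, restricted
    paths are bounced to the same URL on https with the query string kept.
    Over https (assumed model), anything that is not a login-page resource
    needs a secure session token, otherwise the browser is sent to /register/.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        if requires_ssl(parts.path, patterns):
            target = urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
            return ("redirect", target)
        return ("serve", url)
    if not has_secure_token and not login_page_p(parts.path):
        return ("redirect", urlunsplit(("https", parts.netloc, "/register/", "", "")))
    return ("serve", url)


def audit(paths, patterns):
    """Map each sample path to the action a plain-http request for it would get."""
    return {p: route_request("http://www.mysite.com" + p, patterns)[0] for p in paths}


if __name__ == "__main__":
    sample = ["/", "/forums/", "/register/", "/forums/admin/index", "/graphics/logo.gif"]
    print("/* restricts everything:    ", audit(sample, RESTRICT_EVERYTHING))
    print("scoped list restricts login:", audit(sample, RESTRICT_LOGIN_AND_ADMIN))
```

Running the audit against a list of your own URLs is a quick way to see why "/*" defeats the purpose (the whole site, images included, ends up on https) and why a login page that pulls stylesheets or images from a folder not listed in ad_login_page renders broken: under the modelled https-side check, an https request for /style.css without a secure token is bounced to /register/ instead of being served, while /graphics/logo.gif is served because the patched proc lists /graphics*.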
5: Re: restrict login to ssl (response to 1)
Posted by Matthew Geddert on
Oh, another thing... in order to make the site faster, you want to re-route the users back to a regular http connection. The way to do this is to include the site name in the links to the main sections of your site in your default template master, i.e. instead of linking to home like this:
<a href="/">Home</a>
you specify that you want them back on http:
<a href="http://www.mysite.com/">Home</a>
That way they will leave the slower https connection. You also need to route the logout button to https to avoid problems, i.e. in your default master the link needs to be:
<a href="https://www.mysite.com/register/logout">Logout</a>
If they are not routed to the https page and only to an http page to log out, they will only be logged out on the insecure site but still remain logged in on the secure site. This logout thing should be taken care of by the parameters, but that requires a redirect to the browser, so it is faster to have the hard link to https in your master template.