[Rt-devel] Force https login patch (request for comments)

Paulo Matos pjsm at fct.unl.pt
Thu Jan 5 23:21:55 EST 2006


Hi folks!

I wrote the attached patch to force user authentication through https 
instead of being clear. After authentication the user can be back to http
to reduce the cost of SSL encryption if we are not dealing with sensitive
information.

I would like to receive some comments on the code, since this might not 
cover all the cases and/or won't be the best way to do it. 

I found a related patch on the archives, that goes further and if you have 
a https only instalation cookies are only sent by the browser when a 
secure connection is established, see more at:

rt3: secure cookie patch [3.2.2] (Pavel Ruzicka,  2005-06-24 13:22)
http://archives.free.net.ph/message/20050624.122213.6583ec22.en.html

This could be combined with a set of configuration options, like:
- Stay on secure mode after authentication;
- Force secure login;
- Secure mode only;

Regards,

-- 
	Paulo Matos
 ----------------------------------- ----------------------------------
|Sys & Net Admin                    | Centro de Informática            |
|Faculdade de Ciências e Tecnologia | Tel: +351-21-2948596             |
|Universidade Nova de Lisboa        | Fax: +351-21-2948548             |
|P-2829-516 Caparica                | e-Mail: pjsm at fct.unl.pt          |
 ----------------------------------- ----------------------------------
-------------- next part --------------
#
# rt-3.4.4-ForceHTTPSLogin.patch
#
# Warning: this patch is under devel, barely tested!!!
#
# * 2005.01.06 Paulo Matos <paulo.matos at fct.unl.pt>
# - Redirect to https when credentials are not found;
# - Redirect to http when credentials are found;
# - Changed cookiename removing SERVER_PORT. 
#
diff -uNr rt-3.4.4.orig/html/autohandler rt-3.4.4/html/autohandler
--- rt-3.4.4.orig/html/autohandler	2005-02-01 14:20:40.000000000 +0000
+++ rt-3.4.4/html/autohandler	2006-01-06 03:51:29.000000000 +0000
@@ -72,6 +72,11 @@
         
 $m->comp('/Elements/SetupSessionCookie', %ARGS);
 
+# check credentials and HTTPS, if so redirect to HTTP
+if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id && $ENV{'HTTPS'}) {
+    $m->redirect('http://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+}
+
 unless ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
     $session{'CurrentUser'} = RT::CurrentUser->new();
 }
@@ -218,6 +223,10 @@
 
 # If we have no credentials
 else {
+    # check if we are in HTTPS mode
+    if (! $ENV{'HTTPS'} ) {
+         $m->redirect('https://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+    }
     $m->comp('/Elements/Login', %ARGS);
     $m->abort();
 }
diff -uNr rt-3.4.4.orig/html/Elements/SetupSessionCookie rt-3.4.4/html/Elements/SetupSessionCookie
--- rt-3.4.4.orig/html/Elements/SetupSessionCookie	2005-04-18 02:44:50.000000000 +0100
+++ rt-3.4.4/html/Elements/SetupSessionCookie	2006-01-06 03:51:46.000000000 +0000
@@ -47,7 +47,9 @@
 return if $m->is_subrequest; # avoid reentrancy, as suggested by masonbook
 
 my %cookies = CGI::Cookie->fetch();
-my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+# removed SERVER_PORT from cookie name so it can be valid on HTTP and HTTPS
+#my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+my $cookiename = "RT_SID_".$RT::rtname.".".'0000';
 my %backends = (
     mysql	=> 'Apache::Session::MySQL',
     Pg		=> 'Apache::Session::Postgres',


More information about the Rt-devel mailing list