[Rt-devel] Force https login patch (request for comments)
Paulo Matos
pjsm at fct.unl.pt
Thu Jan 5 23:21:55 EST 2006
Hi folks!
I wrote the attached patch to force user authentication through https
instead of being clear. After authentication the user can be back to http
to reduce the cost of SSL encryption if we are not dealing with sensitive
information.
I would like to receive some comments on the code, since this might not
cover all the cases and/or won't be the best way to do it.
I found a related patch in the archives that goes further: if you have
an https-only installation, cookies are only sent by the browser when a
secure connection is established, see more at:
rt3: secure cookie patch [3.2.2] (Pavel Ruzicka, 2005-06-24 13:22)
http://archives.free.net.ph/message/20050624.122213.6583ec22.en.html
This could be combined with a set of configuration options, like:
- Stay on secure mode after authentication;
- Force secure login;
- Secure mode only;
Regards,
--
Paulo Matos
----------------------------------- ----------------------------------
|Sys & Net Admin | Centro de Informática |
|Faculdade de Ciências e Tecnologia | Tel: +351-21-2948596 |
|Universidade Nova de Lisboa | Fax: +351-21-2948548 |
|P-2829-516 Caparica | e-Mail: pjsm at fct.unl.pt |
----------------------------------- ----------------------------------
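The mail describes a three-way policy (force secure login and drop back to http, stay on https after login, https only) and the patch below hard-codes the first of them. As an added example, not code from the patch or from RT, here is the decision logic for those three policies in plain Perl, written so the two caveats that bite such redirects are handled: `$ENV{'HTTPS'}` is compared against the string `on` rather than tested for truthiness, and the target is built from a configured base URL per scheme so non-default ports survive the scheme change. `decide_redirect`, the policy names and the `%bases` hash are assumptions of this example, not RT configuration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the patch or from RT. Pure decision logic for
# the three policies listed in the mail; decide_redirect, the policy names
# and the %bases hash are assumptions of this example, not RT config.

# Policies from the mail:
#   login  - force secure login, send the user back to http once authenticated
#   sticky - force secure login, stay on https after authentication
#   only   - https everywhere, never serve any page over http
my %POLICIES = (login => 1, sticky => 1, only => 1);

sub is_https {
    my ($env) = @_;
    # mod_ssl sets HTTPS to "on"; other servers set it to "off", which is a
    # true value in Perl, so compare the string rather than testing truthiness.
    return (defined $env->{HTTPS} && lc($env->{HTTPS}) eq 'on') ? 1 : 0;
}

# $env    hashref of CGI variables (HTTPS, REQUEST_URI)
# $authed true if the session already carries a valid CurrentUser
# $policy one of the keys of %POLICIES
# $bases  hashref with a configured base URL per scheme, so that non-default
#         ports (8080 for http, 8443 for https) are not mixed up when the
#         scheme changes, which a URL built from SERVER_NAME alone would do.
# Returns the URL to redirect to, or undef to keep serving the request.
sub decide_redirect {
    my ($env, $authed, $policy, $bases) = @_;
    die "unknown policy '$policy'" unless $POLICIES{$policy};

    # Only ever redirect to a path on the configured host; fall back to "/".
    my $uri = $env->{REQUEST_URI};
    $uri = '/' unless defined $uri && $uri =~ m{^/};

    if (!is_https($env)) {
        # Plain http: unauthenticated users must log in over https, and in
        # https-only mode nobody is served over http at all.
        return $bases->{https} . $uri if !$authed || $policy eq 'only';
        return undef;
    }
    # Already on https: only the 'login' policy drops an authenticated user
    # back to http. This is the trade-off the original patch makes: from then
    # on the session cookie crosses the wire in clear on every request.
    return $bases->{http} . $uri if $authed && $policy eq 'login';
    return undef;
}

# Constructed sample input: the same ticket page requested over each scheme.
my %bases = (
    http  => 'http://rt.example.org:8080',
    https => 'https://rt.example.org:8443',
);
my @requests = (
    { HTTPS => 'off', REQUEST_URI => '/Ticket/Display.html?id=1' },
    { HTTPS => 'on',  REQUEST_URI => '/Ticket/Display.html?id=1' },
);

for my $policy (sort keys %POLICIES) {
    for my $env (@requests) {
        for my $authed (0, 1) {
            my $target = decide_redirect($env, $authed, $policy, \%bases);
            printf "%-6s https=%-3s authed=%d -> %s\n", $policy, $env->{HTTPS},
                $authed, defined $target ? "redirect to $target" : "serve";
        }
    }
}
```

Run it and the twelve lines of output show the full policy table; the `sticky` rows never redirect away from https once authenticated, which is the setting to prefer when the session cookie cannot be marked secure. If TLS terminates at a reverse proxy in front of the server, `is_https` must instead trust a forwarded-scheme header from that proxy, otherwise an unauthenticated request loops between the two schemes.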
#
# rt-3.4.4-ForceHTTPSLogin.patch
#
# Warning: this patch is under devel, barely tested!!!
#
# * 2005.01.06 Paulo Matos <paulo.matos at fct.unl.pt>
# - Redirect to https when credentials are not found;
# - Redirect to http when credentials are found;
# - Changed cookiename removing SERVER_PORT.
#
diff -uNr rt-3.4.4.orig/html/autohandler rt-3.4.4/html/autohandler
--- rt-3.4.4.orig/html/autohandler 2005-02-01 14:20:40.000000000 +0000
+++ rt-3.4.4/html/autohandler 2006-01-06 03:51:29.000000000 +0000
@@ -72,6 +72,11 @@
$m->comp('/Elements/SetupSessionCookie', %ARGS);
+# check credentials and HTTPS, if so redirect to HTTP
+if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id && $ENV{'HTTPS'}) {
+ $m->redirect('http://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+}
+
unless ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
$session{'CurrentUser'} = RT::CurrentUser->new();
}
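Review bot: the new block sends every authenticated HTTPS request back to plain http with no way to opt out, so the session cookie (which the SetupSessionCookie hunk makes valid on both schemes) travels in clear on every later request and can be read by anyone on the path; the "Stay on secure mode after authentication" option from the mail should gate this redirect, with staying on https as the default. Two smaller points: `$ENV{'HTTPS'}` is tested for truthiness, but some servers set it to the string "off", which is true in Perl, so compare `$ENV{'HTTPS'} eq 'on'`; and `'http://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI}` drops any non-default port, so an instance on 8080/8443 redirects to the wrong place (build the target from a configured base URL instead).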
@@ -218,6 +223,10 @@
# If we have no credentials
else {
+ # check if we are in HTTPS mode
+ if (! $ENV{'HTTPS'} ) {
+ $m->redirect('https://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI});
+ }
$m->comp('/Elements/Login', %ARGS);
$m->abort();
}
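Review bot: the redirect fires only when `$ENV{'HTTPS'}` is false, so behind a reverse proxy that terminates TLS the backend never sees HTTPS and an unauthenticated request loops http -> https -> http indefinitely; the check needs a configured way to trust the proxy's forwarded scheme, and the same `eq 'on'` comparison as in the first hunk. Note also that this code runs after the request has already arrived: if a client posts credentials to the http URL they have crossed the wire in clear before the redirect, so the Login element's form action must itself point at https for the protection to hold. Since `$m->redirect` aborts the request in Mason, the `$m->comp('/Elements/Login', %ARGS)` below is never reached on http; that is intended but worth a comment.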
diff -uNr rt-3.4.4.orig/html/Elements/SetupSessionCookie rt-3.4.4/html/Elements/SetupSessionCookie
--- rt-3.4.4.orig/html/Elements/SetupSessionCookie 2005-04-18 02:44:50.000000000 +0100
+++ rt-3.4.4/html/Elements/SetupSessionCookie 2006-01-06 03:51:46.000000000 +0000
@@ -47,7 +47,9 @@
return if $m->is_subrequest; # avoid reentrancy, as suggested by masonbook
my %cookies = CGI::Cookie->fetch();
-my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+# removed SERVER_PORT from cookie name so it can be valid on HTTP and HTTPS
+#my $cookiename = "RT_SID_".$RT::rtname.".".$ENV{'SERVER_PORT'};
+my $cookiename = "RT_SID_".$RT::rtname.".".'0000';
my %backends = (
mysql => 'Apache::Session::MySQL',
Pg => 'Apache::Session::Postgres',
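Review bot: delete the commented-out `my $cookiename` line rather than keeping it beside the replacement. Substantively, `SERVER_PORT` was in the name so that several RT instances sharing one host and `$RT::rtname` on different ports keep separate sessions; the fixed `'0000'` suffix makes them share one cookie, so the suffix should come from configuration if that deployment pattern is to keep working. And because the cookie is now deliberately valid on both http and https it cannot carry the `secure` flag (the secure-cookie patch cited in the mail does the opposite), which makes "stay on https after login" the only way to keep the session id off the clear-text channel.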