[ic] AlwaysSecure for selected search results

Angus Rogerson arogerso at admmail.uwaterloo.ca
Thu Jun 12 15:21:09 UTC 2008


On Thu, 12 Jun 2008, Rick Bragg <lists at gmnet.net> wrote:

> On Wed, 2008-06-11 at 20:57 -0400, Angus Rogerson wrote:
>> I have a number of ways of searching books in our university bookstore -
>> author, title, course etc. I also have one search which provides a
>> personal booklist based on confidential course registration information
>> from the registrar. The customer must authenticate (using JA-SIG CAS) to
>> use this search. The authentication works but only when I have 'secure'
>> set properly. There are some scenarios where secure is not set.
>>
>> AlwaysSecure lets me choose particular pages which must use the SecureURL
>> instead of VendURL. However, all searches come up as search.html, so
>> AlwaysSecure is all or nothing for search results.
>>
>> Is there an equivalent to AlwaysSecure which will let me specify the
>> search results for one type of search as secure, and not require the other
>> types to be secure.
>>
>> So, require this
>>  	search.html?mv_profile=student_search
>> which displays
>>  	results_student.html
>> to always be secure.
>>
>> But, allow this
>>  	search.html?mv_profile=author_search
>> which displays
>>  	results_author.html
>> to not be secure.
>>
>> Thanks in advance.
>>
>> Angus
>>
>> Angus Rogerson
>> Retail Services,
>> University of Waterloo
>> Waterloo, Ontario
>
> Maybe I am not understanding your setup, but Try in the form you want
> secure:
>
> <form action="[process secure=1]" method="POST">
>
> Is this what you need?

Not quite. I already have this in the search box:

     <form ACTION="[area href=search secure=1]" METHOD=post>
         <INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>

which makes the results page use the SecureURL. The problem occurs when I 
place an order from the results page. When I display the results they are 
in a form like this:
         <form name="courseSubmit" ACTION="[area href=nothing secure=1]" METHOD=POST>
             <input TYPE=hidden NAME=mv_session_id value="[data session id]">
             <input TYPE=hidden NAME=mv_action VALUE=refresh>
             <input type="hidden" name="mv_click" value="munge_quantity">

When I order an item or group of items, the item(s) get(s) added to the 
cart but I return to a non-secure page. The URL to return to is either 
generated from mv_action/mv_nextpage/mv_succespage/etc or from the 
[history-scan] tag. The history-scan tag does not include the base, 
because Session->{History} just saves the page name. (I suppose I might be 
able to code a secure option for the history-scan tag, or maybe a secure 
flag in the [bounce] in munge quantity.)

I am also concerned that some (non-programmer) web developer may one day 
decide to link to this search and not put in the secure=1. Something like 
AlwaysSecure would help protect users from that mistake.

Thanks in advance for any other suggestions ...

Angus




More information about the interchange-users mailing list