[ic] AlwaysSecure for selected search results
Peter
peter at pajamian.dhs.org
Thu Jun 12 22:25:07 UTC 2008
On 06/12/2008 08:21 AM, Angus Rogerson wrote:
> On Thu, 12 Jun 2008, Rick Bragg <lists at gmnet.net> wrote:
>
>> On Wed, 2008-06-11 at 20:57 -0400, Angus Rogerson wrote:
>>> I have a number of ways of searching books in our university bookstore -
>>> author, title, course etc. I also have one search which provides a
>>> personal booklist based on confidential course registration information
>>> from the registrar. The customer must authenticate (using JA-SIG CAS) to
>>> use this search. The authentication works but only when I have 'secure'
>>> set properly. There are some scenarios where secure is not set.
>>>
>>> AlwaysSecure lets me choose particular pages which must use the SecureURL
>>> instead of VendURL. However, all searches come up as search.html, so
>>> AlwaysSecure is all or nothing for search results.
>>>
>>> Is there an equivalent to AlwaysSecure which will let me specify the
>>> search results for one type of search as secure, and not require the other
>>> types to be secure.
>>>
>>> So, require this
>>> search.html?mv_profile=student_search
>>> which displays
>>> results_student.html
>>> to always be secure.
>>>
>>> But, allow this
>>> search.html?mv_profile=author_search
>>> which displays
>>> results_author.html
>>> to not be secure.
>>>
>>> Thanks in advance.
>>>
>>> Angus
>>>
>>> Angus Rogerson
>>> Retail Services,
>>> University of Waterloo
>>> Waterloo, Ontario
>> Maybe I am not understanding your setup, but try in the form you want
>> secure:
>>
>> <form action="[process secure=1]" method="POST">
>>
>> Is this what you need?
>
> Not quite. I already have this in the search box:
>
> <form ACTION="[area href=search secure=1]" METHOD=post>
> <INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>
>
> which makes the results page use the SecureURL. The problem occurs when I
> place an order from the results page. When I display the results they are
> in a form like this:
> <form name="courseSubmit" ACTION="[area href=nothing secure=1]" METHOD=POST>
> <input TYPE=hidden NAME=mv_session_id value="[data session id]">
> <input TYPE=hidden NAME=mv_action VALUE=refresh>
> <input type="hidden" name="mv_click" value="munge_quantity">
>
> When I order an item or group of items, the item(s) get(s) added to the
> cart but I return to a non-secure page. The URL to return to is either
> generated from mv_action/mv_nextpage/mv_successpage/etc or from the
> [history-scan] tag. The history-scan tag does not include the base,
> because Session->{History} just saves the page name. (I suppose I might be
> able to code a secure option for the history-scan tag, or maybe a secure
> flag in the [bounce] in munge quantity.)

[history-scan] uses the [area] tag to compose the URLs so they will
honor AlwaysSecure for the individual pages. They will also honor the
mv_match_security scratch, which, when set, will cause all links to be
secure if the current page is secure.

If you want all links to remain secure once a secure page is presented
in all cases, then put this in your catalog.cfg:

    ScratchDefault mv_match_security 1

> I am also concerned that some (non-programmer) web developer may one day
> decide to link to this search and not put in the secure=1. Something like
> AlwaysSecure would help protect users from that mistake.

Unfortunately AlwaysSecure only keys on the page name, not the arguments
that are passed or the profile used for a search.

Peter
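
Since AlwaysSecure keys only on the page name, a forgotten secure=1 on a link or form that targets the student search has to be caught some other way, for example by checking the page templates before they go live. The following is an added example, not part of the original message and not Interchange code; the function name find_insecure_refs, the regexes and the sample page are assumptions made for illustration.

```python
import re

# Profile names as spelled in the thread (both forms appear there).
PROTECTED_PROFILES = {"student_search", "search_student"}

FORM_RE = re.compile(r"<form\b(?P<attrs>[^>]*)>(?P<body>.*?)</form>", re.I | re.S)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
# An [area]/[page] tag, or a literal href that is not itself an ITL tag.
LINK_RE = re.compile(r"\[(?:area|page)\b[^\]]*\]|href=[\"']?[^\"'\s>\[]+", re.I)
SECURE_RE = re.compile(r"\bsecure=[\"']?1\b|https://", re.I)

def _attr(tag, name):
    """Value of an HTML attribute, quoted or bare; None if absent."""
    m = re.search(r"\b%s\s*=\s*[\"']?([^\"'\s>]+)" % name, tag, re.I)
    return m.group(1) if m else None

def find_insecure_refs(template):
    """Sorted (line, snippet) pairs: protected-profile references lacking secure=1."""
    def line_of(pos):
        return template.count("\n", 0, pos) + 1

    findings = []
    for m in FORM_RE.finditer(template):
        profiles = {_attr(tag, "value") for tag in INPUT_RE.findall(m.group("body"))
                    if (_attr(tag, "name") or "").lower() == "mv_profile"}
        if profiles & PROTECTED_PROFILES and not SECURE_RE.search(m.group("attrs")):
            findings.append((line_of(m.start()), "<form%s>" % m.group("attrs")))
    for m in LINK_RE.finditer(template):
        ref = m.group(0)
        if any("mv_profile=" + p in ref for p in PROTECTED_PROFILES) \
                and not SECURE_RE.search(ref):
            findings.append((line_of(m.start()), ref))
    return sorted(findings)

# Constructed sample page (not from the thread's catalog).
SAMPLE = """\
<form ACTION="[area href=search secure=1]" METHOD=post>
<INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>
</form>
<form ACTION="[area href=search]" METHOD=post>
<INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>
</form>
<a href="search.html?mv_profile=student_search">My booklist</a>
<a href="search.html?mv_profile=author_search">By author</a>
"""

if __name__ == "__main__":
    for line, snippet in find_insecure_refs(SAMPLE):
        print("line %d: %s" % (line, snippet))
```

On the sample it reports the second form and the plain booklist link, and leaves the author search alone.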