[ic] AlwaysSecure for selected search results

Peter peter at pajamian.dhs.org
Thu Jun 12 22:25:07 UTC 2008

On 06/12/2008 08:21 AM, Angus Rogerson wrote:
> On Thu, 12 Jun 2008, Rick Bragg <lists at gmnet.net> wrote:
>> On Wed, 2008-06-11 at 20:57 -0400, Angus Rogerson wrote:
>>> I have a number of ways of searching books in our university bookstore -
>>> author, title, course etc. I also have one search which provides a
>>> personal booklist based on confidential course registration information
>>> from the registrar. The customer must authenticate (using JA-SIG CAS) to
>>> use this search. The authentication works but only when I have 'secure'
>>> set properly. There are some scenarios where secure is not set.
>>> AlwaysSecure lets me choose particular pages which must use the SecureURL
>>> instead of VendURL. However, all searches come up as search.html, so
>>> AlwaysSecure is all or nothing for search results.
>>> Is there an equivalent to AlwaysSecure which will let me specify the
>>> search results for one type of search as secure, and not require the other
>>> types to be secure.
>>> So, require this
>>>  	search.html?mv_profile=student_search
>>> which displays
>>>  	results_student.html
>>> to always be secure.
>>> But, allow this
>>>  	search.html?mv_profile=author_search
>>> which displays
>>>  	results_author.html
>>> to not be secure.
>>> Thanks in advance.
>>> Angus
>>> Angus Rogerson
>>> Retail Services,
>>> University of Waterloo
>>> Waterloo, Ontario
>> Maybe I am not understanding your setup, but Try in the form you want
>> secure:
>> <form action="[process secure=1]" method="POST">
>> Is this what you need?
> Not quite. I already have this in the search box:
>      <form ACTION="[area href=search secure=1]" METHOD=post>
>          <INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>
> which makes the results page use the SecureURL. The problem occurs when I 
> place an order from the results page. When I display the results they are 
> in a form like this:
>          <form name="courseSubmit" ACTION="[area href=nothing secure=1]" METHOD=POST>
>              <input TYPE=hidden NAME=mv_session_id value="[data session id]">
>              <input TYPE=hidden NAME=mv_action VALUE=refresh>
>              <input type="hidden" name="mv_click" value="munge_quantity">
> When I order an item or group of items, the item(s) get(s) added to the 
> cart but I return to a non-secure page. The URL to return to is either 
> generated from mv_action/mv_nextpage/mv_succespage/etc or from the 
> [history-scan] tag. The history-scan tag does not include the base, 
> because Session->{History} just saves the page name. (I suppose I might be 
> able to code a secure option for the history-scan tag, or maybe a secure 
> flag in the [bounce] in munge quantity.)

[history-scan] uses the [area] tag to compose the URLs so they will 
honor AlwaysSecure for the individual pages.  They will also honor the 
mv_match_security scratch which when set will cause all links to be 
secure if the current page is secure.

If you want all links to remain secure once a secure page is presented 
in all cases then put this in your catalog.cfg:
ScratchDefault mv_match_security 1

> I am also concerned that some (non-programmer) web developer may one day 
> decide to link to this search and not put in the secure=1. Something like 
> AlwaysSecure would help protect users from that mistake.

Unfortunately AlwaysSecure only keys on the page name, not the arguments 
that are passed or the profile used for a search.


More information about the interchange-users mailing list