[ic] ExtraSecure and special_pages/violation
jon at endpoint.com
Thu Dec 17 03:24:46 UTC 2009
On Wed, 16 Dec 2009, Thomas J.M. Burton wrote:
> I've come across the issue of being able to access pages that are set in
> the AlwaysSecure config setting using a direct URL and the http protocol
> rather than https. From what I've been able to find on the users list
> and in the docs, it appears that if ExtraSecure is enabled and an
> AlwaysSecure page is accessed via http rather than https (directly, from
> a browser's location bar), the user is redirected to the
> special_pages/violation page.
> The problem that I see is that the violation page contains a login form,
> indicating that the page is only accessible if they are logged in.
> However, if an AlwaysSecure page is accessed directly through an http
> url in the browser's address bar AND the user is already logged in, the
> violation page is displayed with a "you are already logged in" message.
That sounds kind of confusing for users. :)
> From a look into lib/Vend/Page.pm, it would appear that the violation
> special page is only called in a couple of specific cases, those being:
> - the requested page's name contains scripting characters
> - the requested page is set to be always secure, ExtraSecure is
> enabled, and the page has been accessed via http
> If these are the only two circumstances that call the violation page, it
> seems that a login form is not the appropriate content to deliver. Would
> it not be more appropriate for the violation page to either redirect to
> the requested page using https or display an error message?
I can't think of why a login form would be there. It could be a relic from
an older demo predating the Standard demo, because the
dist/standard/special_pages/violation.html file hasn't changed since its
initial import into version control.
> Perhaps the decision to use the login form approach was intentional in
> handling injection attempts. If that's the case, would it cause any
> problems if the violation page's content were to be something like the
> [if session shost]
> ...standard violation content w/ login/logout messages & forms...
> ...bounce to secure url of requested page ...
I think that sounds good, except I'd remove the login form. Standard has
its normal pages/login.html form that should be used.
Can you put together an improved violation page and push it to a GitHub
fork, or some other place we can get it?
End Point Corporation
More information about the interchange-users