[ic] ExtraSecure and special_pages/violation

Jon Jensen jon at endpoint.com
Thu Dec 17 03:24:46 UTC 2009

On Wed, 16 Dec 2009, Thomas J.M. Burton wrote:

> I've come across the issue of being able to access pages that are set in 
> the AlwaysSecure config setting using a direct URL and the http protocol 
> rather than https. From what I've been able to find on the users list 
> and in the docs, it appears that if ExtraSecure is enabled and an 
> AlwaysSecure page is accessed via http rather than https (directly, from 
> a browser's location bar), the user is redirected to the 
> special_pages/violation page.
> The problem that I see is that the violation page contains a login form, 
> indicating that the page is only accessible if they are logged in. 
> However, if an AlwaysSecure page is accessed directly through an http 
> url in the browser's address bar AND the user is already logged in, the 
> violation page is displayed with a "you are already logged in" message.

That sounds kind of confusing for users. :)

> From a look into lib/Vend/Page.pm, it would appear that the violation
> special page is only called in a couple of specific cases, those being:
>    - the requested page's name contains scripting characters
>    - the requested page is set to be always secure, ExtraSecure is
> enabled, and the page has been accessed via http
> If these are the only two circumstances that call the violation page, it
> seems that a login form is not the appropriate content to deliver. Would
> it not be more appropriate for the violation page to either redirect to
> the requested page using https or display an error message?

I can't think of why a login form would be there. It could be a relic from 
an older demo predating the Standard demo, because the 
dist/standard/special_pages/violation.html file hasn't changed since its 
initial import into version control.

> Perhaps the decision to use the login form approach was intentional in 
> handling injection attempts. If that's the case, would it cause any 
> problems if the violation page's content were to be something like the 
> following?
> [if session shost]
> ...standard violation content w/ login/logout messages & forms...
> [else]
> ...bounce to secure url of requested page ...
> [/else]
> [/if]

I think that sounds good, except I'd remove the login form. Standard has 
its normal pages/login.html form that should be used.

Can you put together an improved violation page and push it to a GitHub 
fork, or some other place we can get it?



Jon Jensen
End Point Corporation

More information about the interchange-users mailing list