Re: [VuFind-Tech] secure login

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

We use mod_rewrite to force everyone to use SSL all the time in order to 
prevent session hijacking.

I doubt that using mod_rewrite would work as quick sniff using Wireshark 
shows that mod_rewrite sends a 302 Found to redirect the user to the 
page with SSL.  I think that would also lose data that you are POSTing 
as part of your request.

If I had to only login using SSL, I would likely hardcode the action in 
web/interface/themes/<your theme>/MyResearch/login.tpl to use SSL.

Hope that helps,
Phil Fenstermacher

On 06/15/2011 03:16 PM, vuf...@li... wrote:

I've been trying to secure our logins by using https. I don't want to 
run vufind as a whole under https, just the login page. There are three 
login situations I know of:

   1.  Login from the 'Login' link leading to the default MyResearch page
   2.  Login using the lightbox and JSON
   3.  Login triggered by an action which sets a 'followupAction'.

  I'm ignoring case 2 as it encrypts the password itself, even without 
https.

My first attempt at this was making the login form submit to https 
instead of http, then in MyResearch.php checking whether we are on port 
443, and if so using header() to redirect back to port 80. This works 
fine for 1. but not for 3 - the followupAction etc are POST variables 
which get lost on the redirect. I haven't managed to come up with a 
method that avoids this. One alternative might be to use apache rewrite 
rules, but short of listing all the pages which might include a login as 
exceptions (and then having to change the rules whenever a new feature 
is added) I can't see how to do that.

Does anyone have a straightforward method that works?

Graham

-- 
Phil Fenstermacher
Systems Engineer
Swem Library - College of William & Mary
757.221.3112