ACS Documentation : ACS Kernel Documentation : Security Documentation : Developing for Security
This method of authentication is important in order to establish, as strongly as possible, the identity of the owner of the secure token. For the security system to offer stronger guarantees about whoever presents a secure token, the method of authentication must be at least as strong as the method of transmission.
If a developer truly does not want this level of protection, the check can be disabled only by modifying the source code: comment out the following lines in the sec_handler procedure defined in security-procs.tcl. Doing so means that a request over a secure connection is no longer required to carry a secure token cookie that matches the one stored for its session; the ordinary session cookie alone is accepted.
if { [ad_secure_conn_p] && ![ad_login_page] } {
    # Enforced only on secure (SSL) connections, and never on the login pages
    # themselves, since a user who has not logged in yet cannot have a token.
    set s_token_cookie [ns_urldecode [ad_get_cookie "ad_secure_token"]]
    # Compare the cookie against the token recorded for this session.
    if { [empty_string_p $s_token_cookie] || [string compare $s_token_cookie [lindex [sec_get_session_info $session_id] 2]] != 0 } {
        # token is incorrect or nonexistent, so we force relogin.
        ad_returnredirect "/register/index?return_url=[ns_urlencode [ad_conn url]?[ad_conn query]]"
    }
}
The source code must also be edited if the user login pages have been moved from their default location in an ACS system. The set of pages treated as login pages is defined by the ad_login_page procedure in security-procs.tcl:
ad_proc -private ad_login_page {} {
    Returns 1 if the page is used for logging in, 0 otherwise.
} {
    set url [ad_conn url]
    # Glob patterns: "*register/*" matches "register/" anywhere in the path,
    # "/index*" matches any path that begins with "/index".
    if { [string match "*register/*" $url] || [string match "/index*" $url] } {
        return 1
    }
    return 0
}
The set of string match expressions in the procedure above should be extended appropriately for other registration pages. Note that every URL matched by one of these patterns is exempt from the secure-token check in sec_handler, so the patterns should be kept as narrow as the moved pages allow. This procedure does not use ad_parameter or regular expressions for performance reasons, as it is called by the request processor on every request.