OJS OCS OMP OHS

You are viewing the PKP Support Forum | PKP Home Wiki



Patch: support force_login_ssl properly

OCS development discussion, enhancement requests, third-party patches and plug-ins.

Moderators: jmacgreg, michael

Forum rules
Developer Resources:

Documentation: The OJS Technical Reference and the OJS API Reference are both available from the OJS Documentation page. While these are OJS-specific, the OCS codebase is similar enough to OJS they should be of help. There is also an [url=http://pkp.sfu.ca/ocs_documentation[/url]OCS Documentation[/url] page with some more general documentation that might also be of interest.

Git: You can access our public Git Repository here. Comprehensive Git usage instructions are available on the wiki.

Bugzilla: You can access our Bugzilla report tracker here.

Search: You can use our Google Custom Search to search across our main website, the support forum, and Bugzilla.

Questions and discussion are welcome, but if you have a workflow or usability question you should probably post to the OCS Conference Support and Discussion subforum; if you have a technical support question, try the OCS Technical Support subforum.

Patch: support force_login_ssl properly

Postby derekp » Wed Mar 19, 2008 3:33 pm

This patch fixes the Request::url(...) function to generate HTTPS URLs where required. Without this patch, resources (the login controller in particular) are not adequately protected by SSL. With force_login_ssl=On in config.inc.php, users would transmit their credentials over plaintext HTTP before being redirected to HTTPS.

This is not an elegant patch, since it hard-codes special cases into a generic function, but it is an effective solution.

Code: Select all
--- ocs-2.0.0-1/classes/core/Request.inc.php.forcessl   2007-04-10 13:45:06.000000000 -0700
+++ ocs-2.0.0-1/classes/core/Request.inc.php    2008-03-18 11:48:55.793930000 -0700
@@ -715,5 +715,10 @@
                }

-               return ((empty($overriddenBaseUrl)?Request::getIndexUrl():$overriddenBaseUrl) . $baseParams . $pathString . $additionalParams . $anchor);
+               $url = ((empty($overriddenBaseUrl)?Request::getIndexUrl():$overriddenBaseUrl) . $baseParams . $pathString . $additionalParams . $anchor);
+               if ( ($page == 'login' && $op == 'signIn' && Config::getVar('security', 'force_login_ssl')) ||
+                    Config::getVar('security', 'force_ssl') ) {
+                       $url = preg_replace('/^http:/', 'https:', $url);
+               }
+               return $url;
        }
 }
derekp
 
Posts: 16
Joined: Wed Oct 10, 2007 12:45 am
Location: University of British Columbia

Return to OCS Development

Who is online

Users browsing this forum: No registered users and 2 guests