[ic] AlwaysSecure for selected search results
Angus Rogerson
arogerso at admmail.uwaterloo.ca
Thu Jun 12 15:21:09 UTC 2008
On Thu, 12 Jun 2008, Rick Bragg <lists at gmnet.net> wrote:
> On Wed, 2008-06-11 at 20:57 -0400, Angus Rogerson wrote:
>> I have a number of ways of searching books in our university bookstore -
>> author, title, course etc. I also have one search which provides a
>> personal booklist based on confidential course registration information
>> from the registrar. The customer must authenticate (using JA-SIG CAS) to
>> use this search. The authentication works but only when I have 'secure'
>> set properly. There are some scenarios where secure is not set.
>>
>> AlwaysSecure lets me choose particular pages which must use the SecureURL
>> instead of VendURL. However, all searches come up as search.html, so
>> AlwaysSecure is all or nothing for search results.
>>
>> Is there an equivalent to AlwaysSecure which will let me specify the
>> search results for one type of search as secure, and not require the other
>> types to be secure.
>>
>> So, require this
>> search.html?mv_profile=student_search
>> which displays
>> results_student.html
>> to always be secure.
>>
>> But, allow this
>> search.html?mv_profile=author_search
>> which displays
>> results_author.html
>> to not be secure.
>>
>> Thanks in advance.
>>
>> Angus
>>
>> Angus Rogerson
>> Retail Services,
>> University of Waterloo
>> Waterloo, Ontario
>
> Maybe I am not understanding your setup, but try in the form you want
> secure:
>
> <form action="[process secure=1]" method="POST">
>
> Is this what you need?

Not quite. I already have this in the search box:

<form ACTION="[area href=search secure=1]" METHOD=post>
<INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>

which makes the results page use the SecureURL. The problem occurs when I
place an order from the results page. When I display the results they are
in a form like this:

<form name="courseSubmit" ACTION="[area href=nothing secure=1]" METHOD=POST>
<input TYPE=hidden NAME=mv_session_id value="[data session id]">
<input TYPE=hidden NAME=mv_action VALUE=refresh>
<input type="hidden" name="mv_click" value="munge_quantity">

When I order an item or group of items, the item(s) get(s) added to the
cart but I return to a non-secure page. The URL to return to is either
generated from mv_action/mv_nextpage/mv_successpage/etc or from the
[history-scan] tag. The history-scan tag does not include the base,
because Session->{History} just saves the page name. (I suppose I might be
able to code a secure option for the history-scan tag, or maybe a secure
flag in the [bounce] in munge quantity.)

I am also concerned that some (non-programmer) web developer may one day
decide to link to this search and not put in the secure=1. Something like
AlwaysSecure would help protect users from that mistake.

Thanks in advance for any other suggestions ...

Angus
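
Added example, not part of the original thread and not Interchange code: a static check over page sources for the mistake described in the message above, a form that submits the protected search profile while its action tag lacks secure=1. The names PROTECTED_PROFILES, attr, is_secure and insecure_protected_forms are assumptions, the sample page is constructed, and only forms in the shape shown in the message ([area ...] or [process ...] action plus a hidden mv_profile input) are recognised.

```python
import re

# Assumption: search profiles whose results must only be reached via SecureURL.
PROTECTED_PROFILES = {"search_student"}

# A form's attributes and body; the body ends at </form>, the next <form, or EOF,
# because page fragments often leave the form unclosed.
FORM_RE = re.compile(r"<form\b(?P<attrs>[^>]*)>(?P<body>.*?)(?=<form\b|</form>|\Z)",
                     re.I | re.S)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)

def attr(tag, name):
    """Return an HTML attribute value (quoted or unquoted), or None."""
    m = re.search(r"""\b%s\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""" % re.escape(name),
                  tag, re.I)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)

def is_secure(action):
    """True when the action is an [area] or [process] tag carrying secure=1."""
    return bool(re.search(r"\[(?:area|process)\b[^\]]*\bsecure\s*=\s*[\"']?1\b",
                          action, re.I))

def insecure_protected_forms(text):
    """List (line, profile, action) for protected-profile forms without secure=1."""
    findings = []
    for m in FORM_RE.finditer(text):
        action = attr(m.group("attrs"), "action") or ""
        profiles = {attr(t, "value") for t in INPUT_RE.findall(m.group("body"))
                    if (attr(t, "name") or "").lower() == "mv_profile"}
        hit = profiles & PROTECTED_PROFILES
        if hit and not is_secure(action):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, sorted(hit)[0], action))
    return findings

# Constructed sample page: form 1 is the one from the message, form 2 omits
# secure=1 (the mistake to catch), form 3 is a search that may stay non-secure.
SAMPLE = """\
<form ACTION="[area href=search secure=1]" METHOD=post>
<INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>
</form>
<form ACTION="[area href=search]" METHOD=post>
<INPUT TYPE=hidden NAME=mv_profile VALUE=search_student>
</form>
<form ACTION="[area href=search]" METHOD=post>
<INPUT TYPE=hidden NAME=mv_profile VALUE=author_search>
</form>
"""

if __name__ == "__main__":
    for line, profile, action in insecure_protected_forms(SAMPLE):
        print(f"line {line}: profile {profile} submitted via non-secure action {action}")
```

This only reviews page sources before they are published; it does not change where the browser is sent after the order is processed.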