#565: Always using HTTPS for logged-in users
----------------------------------+------------------
Reporter: skaplun | Owner:
Type: enhancement | Status: new
Priority: major | Milestone: v1.1
Component: WebSession | Version:
Keywords: HTTPS session cookie |
----------------------------------+------------------
Because of cookie stealing nowadays made easy, thanks to Firefox plugins
such as [http://codebutler.com/firesheep Firesheep], and theoretical IP
spoofing made possible (e.g. when the attacker is behind the same proxy)
the current session protection of Invenio is not enough.
To fully switch to use HTTPS everywhere is now necessary.
For this reason several steps and features must be implemented
* Removing explicit reference to CFG_SITE_URL/CFG_SITE_SECURE_URL
'''everywhere''' (in templates etc.)
* To declare as ''Secure'' the session cookie (so that browsers don't try
to inadvertently send it via HTTP).
* To add a new cookie that is used as a flag for the server to know (even
when the user is using HTTP) that the user is somehow logged-in, so that
the server would then redirect the user to HTTPS for fully authenticate
the user (imagine the user is logged-in, but then follows a URL to Invenio
that he received via email and that is using HTTP).
* To raise an exception, when using CFG_DEVEL_SITE, everytime HTTP is used
for logged in users (e.g. when using regression tests)
* To enhance bfe_ elements providing URLs to restricted fulltext, to
dynamically decide whether to use HTTP or HTTPS (while currently this is
hardcoded in the MARC)
--
Ticket URL: <http://invenio-software.org/ticket/565>
Invenio <http://invenio-software.org>
