Feature Proposal: Topic tag to render topics using SSL (https)
Motivation
TWikis that sometimes use SSL need a way to determine which links, topics and attachments should use SSL.
Description
I would like to be able to set a metatag or a variable that would specify if a topic and its attachments are linked and rendered using SSL (https). All other topics and their attachments would be linked and rendered without using SSL (http). Some common topics that most sites should always secure are DoLogin and TWikiRegistration.
-- RobKirk - 01 Aug 2005
Impact and Available Solutions
Documentation
If necessary, user documentation of new features introduced by this proposal.
Examples
Example uses of features introduced by proposal.
Implementation
Any comments on how the feature is implemented or could be improved
Discussion:
CDot suggested I use mod_rewrite to accomplish this. Agree? Disagree? What would the performance difference be?
-- RobKirk - 01 Aug 2005
I'd really like to see this feature in TWiki. Something like
* Set USESSL = TRUE
to protect the current topic. But actually we need to secure oops messages presenting a login page as well, making this an AuthPagePlugin issue also.
I disagree with CDot on using mod_rewrite. This would be really awkward and need shell access to change the rewrite rules. By the way, not everybody wants to dig into the Apache docs to figure out how to write mod_rewrite rules. Adding a USESSL is much easier.
Actually, I'd like to extend the ssl proposal a little: optionally protect any authenticated connection using https, fall back to http for guests. Reason: there's no point in restricting view access to a web or topic while leaving it readable for a man in the middle. So when some config variable (e.g. DoEncryption) is set to true all TWiki links will be rendered using https for non-guests. Beat me, how could this be done with mod_rewrite?
-- MichaelDaum - 01 Aug 2005
Actually, Michael, when including non-authenticated resources on a topic, you don't always want to use SSL. I originally set up my site to use SSL on every single page, but that became a real pain when I tried to use pictures from my non-ssl domain in any TWiki topics. Makes sense that the browser (IE) displayed a Security Information dialog saying "This page contains both secure and nonsecure items. Do you want to display the nonsecure items? [Yes] [No] [More Info]" ... that scared my end users since they didn't know the reason behind it ... they just clicked [No]. Perhaps there is a way around this. I wouldn't be opposed to having pages with restricted permissions displayed using SSL by default and those with open permissions being displayed without SSL by default. I imagine this would be configurable using a global variable and each default could be overridden using a topic or web variable.
-- RobKirk - 01 Aug 2005
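The precedence discussed in this thread (a topic or web USESSL setting overrides the defaults, DoEncryption forces https for non-guests, restricted topics default to https) can be modelled as below. This is an added example, not part of the original discussion and not TWiki code: USESSL and DoEncryption are the names proposed above, while `link_scheme`, `as_bool`, the `restricted` and `guest` fields, and the sample topics other than DoLogin and TWikiRegistration are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical policy model, not TWiki code. USESSL and DoEncryption are the
# names proposed in the thread; every other name here is an assumption.

# Interpret a preference value; undef means "not set at this level".
sub as_bool {
    my ($v) = @_;
    return unless defined $v;
    return $v =~ /^\s*(?:true|on|yes|1)\s*$/i ? 1 : 0;
}

# Decide the scheme used when rendering links to one topic.
#   $cfg   : { DoEncryption => bool }            site-wide switch
#   $web   : { USESSL => 'TRUE'|'FALSE'|undef }  web-level preference
#   $topic : { USESSL => ..., restricted => bool }
#   $user  : { guest => bool }
sub link_scheme {
    my ($cfg, $web, $topic, $user) = @_;

    # 1. An explicit topic setting wins, then an explicit web setting.
    for my $level ($topic, $web) {
        my $set = as_bool($level->{USESSL});
        return $set ? 'https' : 'http' if defined $set;
    }
    # 2. With DoEncryption on, authenticated users always get https.
    return 'https' if $cfg->{DoEncryption} && !$user->{guest};
    # 3. Defaults: restricted topics use https, open topics use http.
    return $topic->{restricted} ? 'https' : 'http';
}

my $cfg   = { DoEncryption => 1 };
my @cases = (    # constructed sample input
    [ 'DoLogin',           {}, { USESSL => 'TRUE' },  { guest => 1 } ],
    [ 'TWikiRegistration', { USESSL => 'TRUE' }, {},  { guest => 1 } ],
    [ 'WebHome',           {}, {},                    { guest => 1 } ],
    [ 'WebHome',           {}, {},                    { guest => 0 } ],
    [ 'StaffOnly',         {}, { restricted => 1 },   { guest => 1 } ],
    [ 'PhotoGallery',      {}, { USESSL => 'FALSE' }, { guest => 0 } ],
);
for my $case (@cases) {
    my ($name, $web, $topic, $user) = @$case;
    printf "%-18s %-5s %s\n", $name, ($user->{guest} ? 'guest' : 'user'),
        link_scheme($cfg, $web, $topic, $user);
}
```

The last case is the override for topics that embed images from a non-SSL domain: an explicit `USESSL = FALSE` keeps such a topic on http even for a logged-in user, which avoids the mixed-content dialog but leaves that topic readable on the wire.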