<div dir="ltr"><div><div><div>Please don't force HTTPS in the software. I'll explain why I'm making that request here.<br><br></div>First, it's easy to force HTTPS in the apache config for the vhosts, I've done this. It's a simple matter of a redirect on the port 80 vhost pointed at the https vhost. This is where certificates would likely be configured anyway, so I think this is a reasonable way to do it.<br>
<br>I've been playing with setting up a web server farm, with a fail-over pair of reverse-proxy servers as the front. As a performance measure communication between the proxies and the worker nodes is done over plain http (because I trust my LAN enough for that). I ran into a problem with my tests though where a web app forced https in the software, it produced a redirect loop, because the worker would respond with a http meta redirect to the https port but the web browser was already using that port. Luckly I would turn off that feature in the software.<br>
<br></div>I understand that forcing https in the software is a good security measure. I'm just asking that it be controlled by a system preference, or be made an optional section in the apache config file in consideration of those who would like to avoid the overhead added by https.<br>
<br></div>Thanks for your consideration.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, May 30, 2013 at 12:18 PM, Galen Charlton <span dir="ltr"><<a href="mailto:gmc@esilibrary.com" target="_blank">gmc@esilibrary.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div class="im"><br>
On Wed, May 29, 2013 at 3:58 PM, Robin Sheat <<a href="mailto:robin@catalyst.net.nz">robin@catalyst.net.nz</a>> wrote:<br>
> Standard session cookies combined with running over HTTPS is really the<br>
> only way. It comes down to threat modelling really: is session hijacking<br>
> something that you feel you care about? (It's perfectly reasonable to<br>
> say either yes, no, or only on the staff client, depending on your<br>
> circumstances.)<br>
<br>
</div>I'd personally be happy with requiring SSL for the staff interface and<br>
the OPAC throughout on the basis that patron information is sensitive<br>
enough to demand that level of care.<br>
<br>
However, because of the general support issues that would arise around<br>
SSL certs, I suspect that Koha jumping on the HTTPS Everywhere<br>
bandwagon will likely have to remain a recommended practice rather<br>
than a requirement or installation default.<br>
<div class="im"><br>
> To make it a bit more secure we could use a different session for the<br>
> staff client vs. the OPAC. At the moment we use the same for both, so<br>
> someone capturing a session cookie from a staff member logged into the<br>
> OPAC can use that to access the staff client.<br>
<br>
</div>I think this is a good idea.<br>
<div class="HOEnZb"><div class="h5"><br>
Regards,<br>
<br>
Galen<br>
--<br>
Galen Charlton<br>
Manager of Implementation<br>
Equinox Software, Inc. / The Open Source Experts<br>
email: <a href="mailto:gmc@esilibrary.com">gmc@esilibrary.com</a><br>
direct: +1 770-709-5581<br>
cell: +1 404-984-4366<br>
skype: gmcharlt<br>
web: <a href="http://www.esilibrary.com/" target="_blank">http://www.esilibrary.com/</a><br>
Supporting Koha and Evergreen: <a href="http://koha-community.org" target="_blank">http://koha-community.org</a> &<br>
<a href="http://evergreen-ils.org" target="_blank">http://evergreen-ils.org</a><br>
_______________________________________________<br>
Koha-devel mailing list<br>
<a href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a><br>
<a href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" target="_blank">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a><br>
website : <a href="http://www.koha-community.org/" target="_blank">http://www.koha-community.org/</a><br>
git : <a href="http://git.koha-community.org/" target="_blank">http://git.koha-community.org/</a><br>
bugs : <a href="http://bugs.koha-community.org/" target="_blank">http://bugs.koha-community.org/</a><br>
</div></div></blockquote></div><br></div>