Discussion forum about ELOG
Conditional hiding of attributes in list view, posted by Yoshio Imai on Thu Sep 22 11:34:46 2005
    Re: Conditional hiding of attributes in list view, posted by Yoshio Imai on Thu Oct 13 11:40:32 2005
       Re: Conditional hiding of attributes in list view, posted by Stefan Ritt on Thu Oct 13 14:08:26 2005
          Re: Conditional hiding of attributes in list view, posted by Yoshio Imai on Thu Oct 13 14:47:06 2005
    Re: Conditional hiding of attributes in list view, posted by Stefan Ritt on Fri Oct 28 23:45:33 2005
       Re: Conditional hiding of attributes in list view, posted by Yoshio Imai on Mon Oct 31 01:36:52 2005
Message ID: 1497     Entry time: Fri Oct 28 23:45:33 2005     In reply to: 1419     Reply to this: 1498
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Request  OS: Linux  ELOG Version: 2.6.0beta2 
Subject: Re: Conditional hiding of attributes in list view 

Yoshio Imai wrote:
I have also found one possible problem, maybe it's already solved in the
newest version: We have set up the elog under an stunnel, but the elog
server also responds to the original port (i.e. 80), displaying the logbook
selection page and from there even the login screen. Only after logging in
the elog server redirects the client browser to the https-page defined with
the URL-statement of the config file. The whole thing seems like an unwanted
behaviour, but could you change it so that it either doesn't respond on the
wrong URL at all, or at least redirects to the secured URL before presenting
the login window, so that we transfer the passwords encrypted?


I implemented that in revision 1540. On the logbook selection page, the links to the individual logbooks honor the "URL = ..." statement from the config file, and thus you get redirected via "https://...". More is unfortunately not possible. If elogd gets contacted the first time, it is impossible to figure out by elogd under which URL it got contacted, and therefore it cannot distinguish between secure and insecure connections. The only way is to switch off port 80 by a firewall and only allow "https://..." connections from outside.
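
Added example, not part of the original post and not ELOG code: a small check an administrator could run from outside the firewall to confirm that the plain-HTTP port no longer answers, or at least never serves a password form without TLS. The host name, the sample responses and the result labels are constructed for illustration.

```python
import socket

# Constructed sample replies (not captured from a real elogd).
SAMPLE_LOGIN = (b"HTTP/1.1 200 Document follows\r\nContent-Type: text/html\r\n\r\n"
                b'<form method="POST"><input type="password" name="pw"></form>')
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://elog.example.org/demo/\r\n\r\n"


def classify(raw: bytes) -> str:
    """Classify the raw reply a server gave to a plain-HTTP request."""
    if not raw:
        return "closed"                  # nothing answered: port filtered or closed
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400:
        target = headers.get("location", "").lower()
        return "redirect-https" if target.startswith("https://") else "redirect-plain"
    lowered = body.lower()
    if b'type="password"' in lowered or b"type=password" in lowered:
        return "cleartext-login"         # password form offered without TLS
    return "cleartext-page"


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send one plain-HTTP GET to host:port and classify what comes back."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while data := sock.recv(65536):
                chunks.append(data)
    except OSError:
        pass                             # refused, filtered or timed out
    return classify(b"".join(chunks))


if __name__ == "__main__":
    # Placeholder host; run from a machine outside the firewall.
    print(probe("elog.example.org", 80))
```

With port 80 blocked as described in the reply, `probe` should report `closed`; `cleartext-login` or `cleartext-page` means the unencrypted listener is still reachable.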