In the WebSEAL world, I find that the following get my vote over and over again.
Frame Busting
Isn't it horrible when a WebSEAL login form appears in a frame? Aren't frames horrible in the first place? Anyway, I like the brutal approach of destroying those frames by dropping this piece of code into the login page:
// If this page is not the top-level window, replace the framing page with it.
if (self.location != top.location) {
  top.location = self.location;
}
And, if you want to swap from http to https?
// Only redirect when the page was served over plain http.
if (window.location.href.indexOf("https://") != 0) {
  // Drop the leading "http" and prepend "https"; host, path and query are kept.
  var uri = window.location.href.substring(4);
  window.location = "https" + uri;
}
The Cookie Crumbler
This is another favourite of mine. Upon logout, let's be brutal in trashing all cookies for the domain. Of course, the key word here is brutal. You may not want to do this. In fact, there are any number of reasons why this might be an incredibly bad idea for your environment. But if this is the case, then the code can be tailored to leave those "special" cookies intact. The rest? Crumble away.
var warningString = "WARNING: To maintain your login session, make sure that your browser is configured to accept Cookies.";
// Probe whether the browser accepts cookies at all.
document.cookie = 'acceptsCookies=yes';
if (document.cookie == '') {
  document.write(warningString);
} else {
  // Cookie Crumbler: walk the "name=value; name=value" string and expire each name.
  var strSeparator1 = " ";   // the space that follows the ";" between cookies
  var strSeparator2 = "=";   // ends a cookie name
  var strCookie = document.cookie;
  var strCookieName = null;
  var intCount;
  var intStart = 0;
  var intEnd = 0;
  for (intCount = 1; intCount < strCookie.length; intCount++) {
    if (strCookie.charAt(intCount) == strSeparator2) {
      intEnd = intCount;
      strCookieName = strCookie.substring(intStart, intEnd);
      // The attribute is "expires" (not "expire"); a date in the past deletes the cookie.
      // The cookie is only removed when path and domain match those it was set with.
      document.cookie = strCookieName + "=yes; expires=Thu, 01 Jan 1970 00:00:00 GMT";
      strCookieName = null;
    }
    if (strCookie.charAt(intCount) == strSeparator1) {
      intStart = intCount + 1;
    }
  }
}
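The tailored variant mentioned above, leaving "special" cookies intact, as an added example that is not code from the original post: the crumbler is written as a pure function over a document.cookie-style string so it can run outside a browser, and the cookie names and keep-list below are constructed.

```javascript
// Added example (not from the original post): a cookie crumbler with a keep-list.
// The cookie names and the keep-list used here are constructed for illustration.

// Expiry attribute that browsers treat as "delete this cookie". A cookie is only
// removed when path (and domain) match those it was set with, hence path=/.
var EXPIRED = "; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";

// Parse "name=value; name2=value2" into a list of names. Splitting on "; " first
// and then on the first "=" keeps values that themselves contain "=" intact.
function cookieNames(cookieString) {
  if (!cookieString) { return []; }
  return cookieString.split("; ").map(function (pair) {
    var eq = pair.indexOf("=");
    return eq === -1 ? pair : pair.substring(0, eq);
  }).filter(function (name) { return name.length > 0; });
}

// Build the assignment strings that expire every cookie except those on the
// keep-list. Returning them (rather than writing document.cookie directly)
// keeps the logic testable; the caller writes each one to document.cookie.
function crumbleCookies(cookieString, keep) {
  var keepSet = {};
  (keep || []).forEach(function (name) { keepSet[name] = true; });
  return cookieNames(cookieString)
    .filter(function (name) { return !keepSet[name]; })
    .map(function (name) { return name + "=" + EXPIRED; });
}

// Browser usage on the logout page (guarded so the example also runs under Node).
if (typeof document !== "undefined") {
  crumbleCookies(document.cookie, ["acceptsCookies"]).forEach(function (c) {
    document.cookie = c;
  });
}
```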
Cache Handling
Amazingly, the vanilla/default login and logout pages will get cached by browsers, which can confuse users: am I authenticated or not? It is best to instruct the browser not to cache these pages (and probably others), so we can drop the following meta-tags into our pages:
<meta http-equiv="Pragma" content="No-Cache">
<meta http-equiv="Cache-Control" content="No-Store">
<meta http-equiv="Cache-Control" content="No-Cache">
<meta http-equiv="Cache-Control" content="private">
<meta http-equiv="Expires" content="0">
Why so many statements? Well, as we all know, not all browsers behave in accordance with agreed standards. Enough said?
Conclusion
This isn't an exhaustive list of must-do tasks for a vanilla WebSEAL installation and it certainly isn't even accurate for all installations. But they are certainly a good starting point for putting good navigational structure around your WebSEAL protected environment.