Section 1.1.1 General

Login pages should be served over SSL to protect against phishing attacks: SSL assures users that they are connected to the genuine site they intended to reach, not to an impostor.

ColdFusion

Put the following code in your application.cfc file:

<cfif trim(cgi.https) eq "off">
<cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="no">
</cfif>

Django

Sometimes user authentication (and thus the login page) is already handled for you, for example when your application runs on a server configured to use the university's authentication portal (e.g. UT Direct, or servers using the mod_eid Apache module).

Django's request object (HttpRequest) has a method named is_secure() that tells you whether the request came in over SSL. If request.is_secure() is False, you can redirect to the same location using https. Take care with is_secure(), though: if a proxy or load balancer sits in front of your web server(s), the proxy may accept requests over SSL but forward them to the server running Django over plain, non-SSL connections. In that case is_secure() evaluates to False even though the client's request did come in over SSL.

If you have access to your web server's configuration, you could put the https check and redirect logic in the server's config instead of in your Django code.
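The redirect check described above, written as an added example rather than code from the original guideline or from Django itself. It is framework-independent so the proxy pitfall can be exercised without a running Django install; the Request class, TRUSTED_PROXIES range and header name are constructed assumptions (Django's own setting for this purpose is SECURE_PROXY_SSL_HEADER).

```python
# Added example: HTTPS-redirect decision that stays correct behind an
# SSL-terminating proxy. Not Django code; names here are hypothetical.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# Constructed sample value: the address range of the load balancer that
# terminates SSL in front of the application servers.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


@dataclass
class Request:
    """Minimal stand-in for Django's HttpRequest (constructed for this example)."""
    scheme: str                      # scheme of the hop that reached this server
    host: str
    path: str
    remote_addr: str                 # address of the immediate peer
    headers: dict = field(default_factory=dict)


def is_secure(request: Request) -> bool:
    """Like HttpRequest.is_secure(), but honours X-Forwarded-Proto only when the
    immediate peer is a trusted proxy, so a header forged by an Internet client
    on a plain-HTTP connection cannot make the request look secure."""
    if request.scheme == "https":
        return True
    peer = ip_address(request.remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = request.headers.get("X-Forwarded-Proto", "")
        # Proxies may append to a comma-separated chain; the first entry is the
        # scheme the client actually used.
        return forwarded.split(",")[0].strip().lower() == "https"
    return False


def https_redirect(request: Request):
    """Return the https URL to redirect to, or None when no redirect is needed."""
    if is_secure(request):
        return None
    return urlunsplit(("https", request.host, request.path, "", ""))
```

Without the trusted-proxy check, a deployment behind an SSL terminator would redirect every request forever; with it, only plain-HTTP requests that really came from clients are redirected.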

Java

If you are building a web application, force the use of HTTPS for a specified resource using a <security-constraint> section in the web.xml file.

<security-constraint>
....
<user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Caveat: Don't do this if SSL is terminated in front of your server by a device such as a load balancer, SSL accelerator, or application firewall.

Natural Webagent

If you are building a web application, force the use of HTTPS for a specified resource using a <security-constraint> section in the web.xml file.

<security-constraint>
....
<user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Caveat: Don't do this if SSL is terminated in front of your server by a device such as a load balancer, SSL accelerator, or application firewall.
PHP

If possible, use a centrally managed authentication option. In our current environment, modules are available for Apache and IIS that leverage the centralized EID authentication system. Consider using one of these options rather than creating a new authentication system of your own.