Because it's a Secure Web Information System, and it's full of holes.
2. How can I tell what version of CHEESE I am running?
If you are running a cgi script, you can look at the contents of the environment variable "CHEESE". If you have access to the source code, you can look at the file common.h, for the constant 'VERSION'. You can also look at the CHEESE documentation, which should tell you (under the Buglist) what version you are running.
Use lookup to find your 'kerberos handle'. Now, log in to cunix, type 'kinit', and use the kerberos handle and your e-mail acct password. If it accepts the handle and password, try logging in to CHEESE again. If not, there is a problem with your entry in our kerberos database. Please contact the AcIS Help Desk for more information.
In a pre-beta-test version, global CHEESE lookups used to fail with passwords longer than 8 characters. That problem has since been fixed. You can use a password of any length.
Remove the user database if it exists, use chdbinit to create an empty one, and change the permissions on it so that the Web server can write to it. You might as well create an empty blacklist database at the same time and make sure that the Web server can write to it as well. Then try logging in again.
SSL, or Secure Sockets Layer, is a secure protocol established between the web server and a client. CGI scripts such as those that comprise CHEESE ride on top of this protocol. Neither interferes with the other, with one exception: nph- cgi scripts are not supported under SSL, and therefore nph- scripts which would ordinarily run with CHEESE will not run with CHEESE and SSL.
7. Does CHEESE support both POST and GET forms? How about ISINDEX?
POST and GET are fully supported types. ISINDEX works as long as the client follows the rules about encoding special characters. You need to have a valid ticket before accessing the ISINDEX script; if you need to log in between the form and the script, the script will fail, due to HTTP referrer problems.
8. Does Imagemap run with CHEESE?
The cgi script works, but not straight out of the box. You need to add some modifications. You can look at the Columbia modified version to see how it works.
The Apache server imagemap module does not work with CHEESE.
9. I have a cgi script I want to convert to run with CHEESE. What do I have to do?
If it writes urls or serves documents that contain urls which point to documents in the CHEESE area, you need to edit those urls on the fly so that they contain a call to the CHEESE package and the user's ticket. A package of routines that does this for perl scripts is provided with CHEESE; see the CHEESE documentation for details.
You should run it at least once a day with the argument 'all' to get rid of all tickets, so that the next day we start with a fresh batch. 4 a.m. or so is a good time for that.
In addition, if you have a lot of CHEESE activity, you can run it every 1-2 hours, with a numeric argument: if the document access policy with the longest valid ticket length is a half hour, expire with an argument of half an hour. If it's 8 hours, use 8 hours, and so on.
11. How long does my ticket stay in the ticket database, after I quit the web browser?
Your ticket stays in the ticket db until you or the administrator removes it. Your ticket may no longer be valid for any documents in the secure area, even though it is in the database; this depends upon the document access policies established by the CHEESE administrator.
An html form, cheeseadmin.html, and a cgi script, chdbfuncs-interface.pl, have been provided for this purpose. When you set up CHEESE, you should have put these in a CHEESE area restricted only to CHEESE administrators. See the CHEESE documentation for details.
At this point, you have to clear your entry from the blacklist database by hand. Use chdblist to list the contents of the database; look for the urls with your user name in them. You can use chdbdeluser to clear out all entries with your name in them. These programs are both run from the command line; see the CHEESE documentation for details.
Yes, if they are logged in to the same machine (with the same IP address) as you, and if the ticket is still valid for the document they request. Otherwise they will be asked to log in.
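The checks this answer and the ticket-expiry answers describe can be modelled in a few lines. This is an added example, not CHEESE's own code: the policy paths, the ticket fields, the use of seconds for the expiry argument and the choice to measure ticket age from issue time are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Ticket:
    user: str
    ip: str        # address the ticket was issued to
    issued: int    # issue time in seconds (assumed reference point for ticket age)

# Constructed document access policies: path prefix -> longest valid ticket age (seconds).
POLICIES = {"/secure/grades/": 30 * 60, "/secure/library/": 8 * 3600}

def max_age_for(path):
    """Policy of the longest matching prefix, or None if no policy covers the path."""
    hits = [p for p in POLICIES if path.startswith(p)]
    return POLICIES[max(hits, key=len)] if hits else None

def may_access(db, key, client_ip, path, now):
    """True if the ticket is honoured; False means the user is asked to log in."""
    ticket = db.get(key)
    if ticket is None:                 # logged out, or already expired from the db
        return False
    if ticket.ip != client_ip:         # ticket presented from a different machine
        return False
    limit = max_age_for(path)
    return limit is not None and now - ticket.issued <= limit

def expire(db, arg, now):
    """Remove every ticket ('all') or those older than arg seconds; return the count."""
    doomed = [k for k, t in db.items() if arg == "all" or now - t.issued > int(arg)]
    for k in doomed:
        del db[k]
    return len(doomed)

def safe_expire_arg():
    """Longest ticket length among all policies: older tickets open nothing."""
    return max(POLICIES.values())
```

A 45-minute-old ticket here is refused for the half-hour area, still accepted for the 8-hour area from the issuing address, and survives an expiry run that uses the longest policy as its argument.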
14. Can I have more than one CHEESE ticket at the same time?
Yes. Every time you log in to CHEESE successfully from a url without a ticket in it, you are given a new ticket. Your other tickets may still be valid for some documents in the secure area.
15. How can I take my tickets out of the database when I am done using some CHEESE-d documents, so no one else can try to use my tickets? Is there a logout function?
Yes, there is a logout function. You should have access to a form that permits you to get rid of your current ticket or to get rid of all tickets that have your name on them. This form is typically called chlogout.html, and you should ask your CHEESE administrator where it is located.
Once you enter CHEESE, all urls in html documents that you view are edited on the fly with a session key and an invocation to CHEESE itself inserted into the url. You can see this by viewing the document source. If the url is a non-http url, or if it is a url that points to another web server, it is left unchanged. However, if it is a url, even an absolute url, that refers to a document under the same web server, the url will be modified.
In order to exit the secure document area there are three things you can do: leave a link on the login form; run CHEESE under a server that sits on a different port; or use 'NOCHEESE' in your url. If you insert 'NOCHEESE' into your url just after the 'http://server/' reference, e.g. 'http://www/NOCHEESE/~ariel/', that url will not be parsed by CHEESE.
If you are using a relative url, just put NOCHEESE right at the beginning, or /NOCHEESE in front if your relative url begins with a slash.
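The rewriting rules above, including the NOCHEESE opt-out, written out as an added example (not the Perl package shipped with CHEESE). The page does not give the real layout of a rewritten url, so `CHEESE_CGI` and the `/invocation/ticket/path` form are hypothetical, as is treating a different scheme or port as a different server.

```python
import re
from urllib.parse import urljoin, urlsplit

CHEESE_CGI = "/cgi-bin/cheese"  # hypothetical invocation path, not from the page
OPT_OUT = "NOCHEESE"

def rewrite_url(url, doc_url, ticket):
    """Return one link as the filter would emit it for the page at doc_url."""
    here, link = urlsplit(doc_url), urlsplit(url)
    # Non-http urls (mailto:, ftp:, ...) are left unchanged.
    if link.scheme and link.scheme not in ("http", "https"):
        return url
    # A link to another web server (different scheme, host or port) is left unchanged.
    if link.netloc:
        target_server = (link.scheme or here.scheme, link.netloc.lower())
        if target_server != (here.scheme, here.netloc.lower()):
            return url
    # Opt-out: NOCHEESE as the first path segment, for absolute and relative urls alike.
    if link.path.lstrip("/").split("/", 1)[0] == OPT_OUT:
        return url
    # Same server: resolve against the current document, then insert the
    # CHEESE invocation and the session key (layout assumed for this example).
    target = urlsplit(urljoin(doc_url, url))
    out = f"{CHEESE_CGI}/{ticket}{target.path}"
    if target.query:
        out += "?" + target.query
    if target.fragment:
        out += "#" + target.fragment
    return out

LINK_ATTR = re.compile(r'\b(href|src)="([^"]*)"', re.IGNORECASE)

def rewrite_html(html, doc_url, ticket):
    """Rewrite every double-quoted href/src value in an HTML fragment."""
    return LINK_ATTR.sub(
        lambda m: f'{m.group(1)}="{rewrite_url(m.group(2), doc_url, ticket)}"', html)
```

The marker is honoured only as the first path segment, so a directory that happens to be named NOCHEESE deeper in the tree is still rewritten.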
At Columbia, CHEESE runs under an Apache-SSL server, which is invoked as https, so that we can mix and match secure and insecure links freely by using either https or http in the url; for links served by our secure server but without CHEESE, we use the NOCHEESE keyword.
Yes, if your web administrator sets up a directory and an instance of CHEESE for you. Note that all of the regular logging information still goes to the main web server log files, but additional logging just for your database goes to your private log files.
If your CHEESE administrator enabled this feature, then you should be able to set up a directory with Web documents in it that are accessible only under CHEESE. You will need to set up a configuration directory also which contains your local CHEESE configuration file; here, you specify what sort of password and affiliations lookups you want. You will need to find out from your CHEESE administrator what the names of these files and directories should be. See the CHEESE documentation for more details.