<p>Hi, you could try Secure Login module. Disable the Secure Login setting that redirects https logins back to http. In apache, configure the https vhost to enable the PHP session.cookie_secure setting. Now all logins will be via https and the authenticated session cookie will only be sent from/to the https site (anonymous sessions on http will still be possible as long as you only enable session.cookie_secure on the https site).</p>
<p>--mark B.</p>
<div class="gmail_quote">On Jan 9, 2011 12:37 AM, "Austin Einter" <<a href="mailto:austin.einter@gmail.com">austin.einter@gmail.com</a>> wrote:<br type="attribution">> Hi All<br>> I just made a site using Drupal6.2 and in front page I have kept "user<br>
> login" block. I hosted this site using some third party web server.<br>> <br>> I tried to login to new site from my PC using my user name and password and<br>> prior to that I was capturing the packets those were being send/received by<br>
> my PC.<br>> By checking few packets content I could figure out the user name and<br>> password in plain text.<br>> <br>> So it looks others can see these packets and get the administrative user<br>> name and corresponding password and hence can modify site content and it is<br>
> really dangerous.<br>> I assume people must have thought of it and there should be some way to make<br>> sure username and password should be encrypted by default hence avoidimg<br>> third party role in site content modification.<br>
> <br>> Please guide in this regard and provide some pointers how can I make<br>> username/password secure while logging in sites based on Drupal.<br>> <br>> Regards<br>> Austin<br></div>