[support] how to make drupal admin section https only?

Mark Shropshire mdshrops at shropnet.com
Mon Jun 12 12:53:16 UTC 2006


Gordon,

That is very nice! It is great to have a way to do this via a module  
and not having to add code to settings.php.

Thanks!
Mark

On Jun 12, 2006, at 8:44 AM, Gordon Heydon wrote:

> Hi,
>
> Or you can take a look at the securepages module which will transfer
> you between http and https
>
> http://drupal.org/node/65632
>
> Gordon.
>
> Mark Shropshire wrote:
>> I had the same questions a year or so ago. Most of the time folks  
>> told me to change the base url to https, but that of course forces  
>> ssl across the entire Drupal site which isn't very efficient if  
>> you don't need ssl on the entire site.
>> A friend passed this code on to me and I am sorry to say I am not  
>> sure where it came from originally, but I have greatly benefited  
>> from it on my Drupal sites. Just replace the base url line in  
>> sites/default/settings.php with this code:
>> $base_url = 'http://localhost';
>>
>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user') && !isset($_SERVER['HTTPS'])) {
>>   header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
>>   exit();
>> }
>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user')) {
>>   $protocol = "https";
>> }
>> else {
>>   $protocol = "http";
>> }
>> $base_url = $protocol . "://yoursite.domain.com";
>>
>> Make sure to change the last line to your web site base url. This
>> code will force a redirect to an https session for requests to
>> the /user area in Drupal which covers logins. Make sure to turn off
>> the login block as this code does not protect the block. The cool  
>> thing about this bit of code is that it can be extended to  
>> redirect other areas of Drupal to https as needed.
>> I hope this helps.
>> Thanks!
>> Mark
>> On Jun 12, 2006, at 3:46 AM, dondi_2006 wrote:
>>> Greetings,
>>>
>>> I've just realized that (at least with default settings)
>>> the admin section of a drupal website is accessible
>>> via normal http, that is, I guess also the password
>>> when I login is transmitted in plain text.
>>>
>>> How do I make sure that all admin pages and those only,
>>> are sent via https, and that username and passwords are
>>> sent encrypted from the browser?
>>>
>>> TIA,
>>> O.
>>>
>>> --
>>> [ Drupal support list | http://lists.drupal.org/ ]
> -- 
> [ Drupal support list | http://lists.drupal.org/ ]
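
An added example, not part of the original thread and not code from Drupal or the securepages module: the settings.php redirect quoted above, extended to cover /admin as well as /user, which the quoted message says is possible. It assumes the placeholder hostname from the thread, Drupal's standard `q` request parameter, and hypothetical helper names; it builds the redirect from a fixed hostname rather than the request's Host header and treats `HTTPS=off` (as set under IIS) as plain http.

```php
<?php
// Added example for sites/default/settings.php; helper names are hypothetical.
// Fixed canonical host (the thread's placeholder) instead of HTTP_HOST, so a
// forged Host header cannot steer the redirect.
$canonical_host = 'yoursite.domain.com';
// Path prefixes that must only be served over https.
$secure_prefixes = array('/user', '/admin');

// True when the request arrived over TLS. Under IIS/ISAPI, PHP sets HTTPS to
// "off" for plain requests, so isset() alone is not enough.
function example_request_is_https() {
  return !empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') != 0;
}

// True when $path equals a prefix or continues it with "/": "/user/1" matches,
// "/userguide" does not.
function example_path_is_secure($path, $prefixes) {
  foreach ($prefixes as $prefix) {
    if (strcasecmp($path, $prefix) == 0 ||
        strncasecmp($path, $prefix . '/', strlen($prefix) + 1) == 0) {
      return TRUE;
    }
  }
  return FALSE;
}

// Assumption: Drupal's path arrives in $_GET['q'] (directly, or through the
// standard clean-URL rewrite); otherwise fall back to the REQUEST_URI path.
$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
if (isset($_GET['q']) && is_string($_GET['q'])) {
  $path = '/' . ltrim($_GET['q'], '/');
}
else {
  $parts = explode('?', $request_uri, 2);
  $path = $parts[0];
}
$needs_https = example_path_is_secure($path, $secure_prefixes);

if ($needs_https && !example_request_is_https()) {
  // Drop CR/LF before the URI goes into a response header.
  $target = str_replace(array("\r", "\n"), '', $request_uri);
  header('Location: https://' . $canonical_host . $target);
  exit();
}

$base_url = ($needs_https ? 'https' : 'http') . '://' . $canonical_host;
```

The redirect only keeps the protected paths off plain http; after login the session cookie is still sent with requests to pages served over http.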


