[support] how to make drupal admin section https only?

Gordon Heydon gordon at heydon.com.au
Mon Jun 12 13:18:48 UTC 2006


Hi,

Mark Shropshire wrote:
> Gordon,
> 
> That is very nice! It is great to have a way to do this via a module and 
> not having to add code to settings.php.

With 4.6 you need to add some code to the settings.php, but 4.7 and 
above you don't need to do anything.

Gordon.

> Thanks!
> Mark
> 
> On Jun 12, 2006, at 8:44 AM, Gordon Heydon wrote:
> 
>> Hi,
>>
>> Or you can take a look at the securepages module which will transfer you 
>> between http and https
>>
>> http://drupal.org/node/65632
>>
>> Gordon.
>>
>> Mark Shropshire wrote:
>>> I had the same questions a year or so ago. Most of the time folks 
>>> told me to change the base url to https, but that of course forces 
>>> ssl across the entire Drupal site which isn't very efficient if you 
>>> don't need ssl on the entire site.
>>> A friend passed this code on to me and I am sorry to say I am not 
>>> sure where it came from originally, but I have greatly benefited from 
>>> it on my Drupal sites. Just replace the base url line in 
>>> sites/default/settings.php with this code:
>>> $base_url = 'http://localhost';
>>>
>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user') && !isset($_SERVER['HTTPS'])) {
>>>   header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
>>>   exit();
>>> }
>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user')) {
>>>   $protocol = "https";
>>> }
>>> else {
>>>   $protocol = "http";
>>> }
>>> $base_url = $protocol . "://yoursite.domain.com";
>>>
>>> Make sure to change the last line to your web site base url. This 
>>> code will force a redirect to an https session for requests to the 
>>> /user area in Drupal which covers logins. Make sure to turn off the 
>>> login block as this code does not protect the block. The cool thing 
>>> about this bit of code is that it can be extended to redirect other 
>>> areas of Drupal to https as needed.
>>> I hope this helps.
>>> Thanks!
>>> Mark
>>> On Jun 12, 2006, at 3:46 AM, dondi_2006 wrote:
>>>> Greetings,
>>>>
>>>> I've just realized that (at least with default settings)
>>>> the admin section of a drupal website is accessible
>>>> via normal http, that is, I guess also the password
>>>> when I login is transmitted in plain text.
>>>>
>>>> How do I make sure that all admin pages and those only,
>>>> are sent via https, and that username and passwords are
>>>> sent encrypted from the browser?
>>>>
>>>> TIA,
>>>> O.
>>>>
>>>> -- 
>>>> [ Drupal support list | http://lists.drupal.org/ ]
>>>
> 
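An added example, not part of the thread and not the securepages module's code: a variant of the quoted settings.php redirect that takes the host from configuration instead of the Host header, treats HTTPS=off as plain http, also reads Drupal's ?q= path, and covers /admin as the original question asked. The constant names, the prefix list and the sample requests are assumptions, and it targets PHP 7.1 or later.

```php
<?php
// Added example. CANONICAL_HOST and SECURE_PREFIXES are assumed names/values.
const CANONICAL_HOST = 'yoursite.domain.com';  // placeholder host from the thread
const SECURE_PREFIXES = ['user', 'admin'];     // first path segments that require https

// Drupal path of the request: ?q= when clean URLs are off, else the URI path.
function request_path(array $server, array $get): string {
  if (isset($get['q']) && is_string($get['q'])) {
    return trim($get['q'], '/');
  }
  $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
  return trim(is_string($path) ? $path : '', '/');
}

// Match a whole leading segment: "user/login" yes, "username-policy" no.
function needs_https(string $path): bool {
  return in_array(strtolower(explode('/', $path, 2)[0]), SECURE_PREFIXES, true);
}

// Some servers set HTTPS to "off" on plain requests, so isset() alone misfires.
function is_https(array $server): bool {
  return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Redirect target, or null when the request may proceed unchanged.
function https_redirect_target(array $server, array $get): ?string {
  if (is_https($server) || !needs_https(request_path($server, $get))) {
    return null;
  }
  // The host comes from configuration, never from the client-supplied Host header.
  return 'https://' . CANONICAL_HOST . '/' . ltrim($server['REQUEST_URI'] ?? '/', '/');
}

if (PHP_SAPI === 'cli') {
  // Constructed sample requests, each a [$_SERVER, $_GET] pair.
  $samples = [
    [['REQUEST_URI' => '/user/login', 'HTTP_HOST' => 'other.example'], []],
    [['REQUEST_URI' => '/?q=admin/settings', 'HTTPS' => 'off'], ['q' => 'admin/settings']],
    [['REQUEST_URI' => '/username-policy'], []],
    [['REQUEST_URI' => '/user/1/edit', 'HTTPS' => 'on'], []],
  ];
  foreach ($samples as [$server, $get]) {
    echo $server['REQUEST_URI'], ' => ',
      https_redirect_target($server, $get) ?? '(no redirect)', "\n";
  }
} elseif (($target = https_redirect_target($_SERVER, $_GET)) !== null) {
  header('Location: ' . $target, true, 302);
  exit;
}
```

The redirect only moves the page fetch to https; once logged in, the session cookie still travels over plain http on the rest of the site, so this narrows exposure of the password rather than protecting the session.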

