[support] how to make drupal admin section https only?
Gordon Heydon
gordon at heydon.com.au
Mon Jun 12 13:18:48 UTC 2006
Hi,
Mark Shropshire wrote:
> Gordon,
>
> That is very nice! It is great to have a way to do this via a module and
> not having to add code to settings.php.
With 4.6 you need to add some code to the settings.php, but 4.7 and
above you don't need to do anything.
Gordon.
> Thanks!
> Mark
>
> On Jun 12, 2006, at 8:44 AM, Gordon Heydon wrote:
>
>> Hi,
>>
>> Or you can take a look at the securepages module, which will transfer you
>> between http and https
>>
>> http://drupal.org/node/65632
>>
>> Gordon.
>>
>> Mark Shropshire wrote:
>>> I had the same questions a year or so ago. Most of the time folks
>>> told me to change the base url to https, but that of course forces
>>> ssl across the entire Drupal site which isn't very efficient if you
>>> don't need ssl on the entire site.
>>> A friend passed this code on to me and I am sorry to say I am not
>>> sure where it came from originally, but I have greatly benefited from
>>> it on my Drupal sites. Just replace the base url line in
>>> sites/default/settings.php with this code:
>>> $base_url = 'http://localhost';
>>>
>>> // Redirect plain-HTTP requests for /user (login, account pages) to HTTPS.
>>> // Some servers set HTTPS to 'off' for plain HTTP instead of leaving it unset.
>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'], 0, 5), '/user') &&
>>>     (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off')) {
>>>   header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
>>>   exit();
>>> }
>>> // Build $base_url with the scheme that matches the requested path.
>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'], 0, 5), '/user')) {
>>>   $protocol = "https";
>>> }
>>> else {
>>>   $protocol = "http";
>>> }
>>> $base_url = $protocol . "://yoursite.domain.com";
>>>
>>> Make sure to change the last line to your web site base url. This
>>> code will force a redirect to an https session for requests to the
>>> /user area in Drupal, which covers logins. Make sure to turn off the
>>> login block as this code does not protect the block. The cool thing
>>> about this bit of code is that it can be extended to redirect other
>>> areas of Drupal to https as needed.
>>> I hope this helps.
>>> Thanks!
>>> Mark
>>> On Jun 12, 2006, at 3:46 AM, dondi_2006 wrote:
>>>> Greetings,
>>>>
>>>> I've just realized that (at least with default settings)
>>>> the admin section of a drupal website is accessible
>>>> via normal http, that is, I guess also the password
>>>> when I login is transmitted in plain text.
>>>>
>>>> How do I make sure that all admin pages and those only,
>>>> are sent via https, and that username and passwords are
>>>> sent encrypted from the browser?
>>>>
>>>> TIA,
>>>> O.
>>>>
>>>> --
>>>> [ Drupal support list | http://lists.drupal.org/ ]
>>>
>
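
Added example (not part of the thread and not the securepages module's code): the settings.php redirect quoted above, extended to a list of path prefixes and with the redirect host fixed instead of taken from the request. The constant names, the /admin prefix and the helper functions are assumptions; it assumes clean URLs, as the quoted snippet does, and PHP 7.1 or later.

```php
<?php
// Added example; host name and prefix list are assumptions, not from the thread.
const CANONICAL_HOST = 'yoursite.domain.com';   // placeholder host used in the thread
const SECURE_PREFIXES = ['/user', '/admin'];    // /admin covers the original question

// Treat the request as HTTPS only when the server says so; some servers
// set HTTPS to "off" for plain HTTP, which isset() would count as secure.
function request_is_https(array $server): bool {
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Match whole path segments, so /username-policy does not count as /user.
function path_needs_https(string $request_uri): bool {
    $path = strtolower((string) parse_url($request_uri, PHP_URL_PATH));
    foreach (SECURE_PREFIXES as $prefix) {
        if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Returns the https:// URL to redirect to, or null when no redirect is needed.
// The host is fixed: $_SERVER['HTTP_HOST'] is copied from the client's Host header.
function https_redirect_target(array $server): ?string {
    $uri = $server['REQUEST_URI'] ?? '/';
    if (path_needs_https($uri) && !request_is_https($server)) {
        return 'https://' . CANONICAL_HOST . $uri;
    }
    return null;
}

// Constructed sample requests: run with the php CLI to print the decisions.
if (PHP_SAPI === 'cli') {
    $samples = [
        ['REQUEST_URI' => '/user/login'],
        ['REQUEST_URI' => '/admin/settings', 'HTTPS' => 'off'],
        ['REQUEST_URI' => '/user/login', 'HTTPS' => 'on'],
        ['REQUEST_URI' => '/username-policy'],
        ['REQUEST_URI' => '/node/1'],
    ];
    foreach ($samples as $s) {
        printf("%-18s HTTPS=%-4s -> %s\n", $s['REQUEST_URI'],
            $s['HTTPS'] ?? '-', https_redirect_target($s) ?? 'no redirect');
    }
} elseif ($target = https_redirect_target($_SERVER)) {
    header('Location: ' . $target);
    exit();
}
```

Pages outside the listed prefixes still travel over plain HTTP, so a session cookie set without the Secure flag is sent unencrypted on those requests after login.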