[support] how to make drupal admin section https only?

dondi_2006 dondi_2006 at libero.it
Tue Jun 13 20:31:22 UTC 2006 

> Or you can take a look the securepages module which will transfer you 
> between http and https
> 
> http://drupal.org/node/65632
> 

Does this work also at the beginning (that is making sure that when you send username and password from the browser, to enter the admin section,
those username and password are encrypted)?

O.


> Gordon.
> 
> Mark Shropshire wrote:
> > I had the same questions a year or so ago. Most of the time folks told 
> > me to change the base url to https, but that of course forces ssl across 
> > the entire Drupal site which isn't very efficient if you don't need ssl 
> > on  the entire site.
> > 
> > A friend passed this code on to me and I am sorry to say I am not sure 
> > where it came from originally, but I have greatly benefited from it on 
> > my Drupal sites. Just replace the base url line in 
> > sites/default/settings.php with this code:
> > 
> > *$base_url = 'http://localhost';*
> > *
> > *
> > *if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user') && 
> > !isset($_SERVER['HTTPS'])) {*
> > *  header("Location: https://" . $_SERVER['HTTP_HOST'] . 
> > $_SERVER['REQUEST_URI']);*
> > *  exit();*
> > *}*
> > *if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user')) {*
> > *  $protocol = "https";*
> > *}*
> > *else {*
> > *  $protocol = "http";*
> > *}*
> > *$base_url = $protocol . "://yoursite.domain.com";*
> > *
> > *
> > Make sure to change the list line to your web site base url. This code 
> > will force a redirect to an https session for requests to the /user are 
> > in Drupal which covers logins. Make sure to turn off the login block as 
> > this code does not protect the block. The cool thing about this bit of 
> > code is that it can be extended to redirect other areas of Drupal to 
> > https as needed.
> > 
> > I hope this helps.
> > 
> > Thanks!
> > Mark
> > 
> > On Jun 12, 2006, at 3:46 AM, dondi_2006 wrote:
> > 
> >> Greetings,
> >>
> >> I've just realized that (at least with default settings)
> >> the admin section of a drupal website is accessible
> >> via normal http, that is, I guess also the password
> >> when I login is transmitted in plain text.
> >>
> >> How do I make sure that all admin pages and those only,
> >> are sent via https, and that username and passwords are
> >> sent encrypted from the browser?
> >>
> >> TIA,
> >> O.
> >>
> >> --
> >> [ Drupal support list | http://lists.drupal.org/ ]
> > 
> > !DSPAM:1000,448d5efd315934455618576!
> > 
> -- 
> [ Drupal support list | http://lists.drupal.org/ ]
>

More information about the support mailing list