[support] how to make drupal admin section https only?

Mark Shropshire mdshrops at shropnet.com
Tue Jun 13 20:44:28 UTC 2006


Gordon can comment on his module, but any time you want to be sure you
are encrypting from one page to another, check the URL in the
<form action=.... statement. If the URL has https://, you are posting
via SSL. Even if the page you are currently on is http://, you are OK
as long as that page posts to https://. I hope that makes sense :)

I haven't loaded Gordon's module, but I am betting from its  
description that it is similar to my solution. Once Drupal realizes  
that you are requesting a page that needs https://, it redirects you  
immediately.

Thanks!
Mark

On Jun 13, 2006, at 4:31 PM, dondi_2006 wrote:

>> Or you can take a look at the securepages module, which will transfer you
>> between http and https
>>
>> http://drupal.org/node/65632
>>
>
> Does this work also at the beginning (that is making sure that when
> you send username and password from the browser, to enter the admin
> section, those username and password are encrypted)?
>
> O.
>
>
>> Gordon.
>>
>> Mark Shropshire wrote:
>>> I had the same questions a year or so ago. Most of the time folks told
>>> me to change the base url to https, but that of course forces ssl across
>>> the entire Drupal site which isn't very efficient if you don't need ssl
>>> on the entire site.
>>>
>>> A friend passed this code on to me and I am sorry to say I am not sure
>>> where it came from originally, but I have greatly benefited from it on
>>> my Drupal sites. Just replace the base url line in
>>> sites/default/settings.php with this code:
>>>
>>> $base_url = 'http://localhost';
>>>
>>> // Send plain-http requests for /user... to the same URL over https.
>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user') && !isset($_SERVER['HTTPS'])) {
>>>   header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
>>>   exit();
>>> }
>>> // Build the base URL with the scheme that matches the requested area.
>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user')) {
>>>   $protocol = "https";
>>> }
>>> else {
>>>   $protocol = "http";
>>> }
>>> $base_url = $protocol . "://yoursite.domain.com";
>>>
>>> Make sure to change the last line to your web site base url. This code
>>> will force a redirect to an https session for requests to the /user area
>>> in Drupal, which covers logins. Make sure to turn off the login block as
>>> this code does not protect the block. The cool thing about this bit of
>>> code is that it can be extended to redirect other areas of Drupal to
>>> https as needed.
>>>
>>> I hope this helps.
>>>
>>> Thanks!
>>> Mark
>>>
>>> On Jun 12, 2006, at 3:46 AM, dondi_2006 wrote:
>>>
>>>> Greetings,
>>>>
>>>> I've just realized that (at least with default settings)
>>>> the admin section of a drupal website is accessible
>>>> via normal http, that is, I guess also the password
>>>> when I login is transmitted in plain text.
>>>>
>>>> How do I make sure that all admin pages and those only,
>>>> are sent via https, and that username and passwords are
>>>> sent encrypted from the browser?
>>>>
>>>> TIA,
>>>> O.
>>>>
>>>> --
>>>> [ Drupal support list | http://lists.drupal.org/ ]
>>>
>>
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
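
Added example, not part of the original messages or of Drupal: one way to extend the settings.php snippet quoted above to the admin area, as the thread says it can be. It assumes Drupal at the web root and TLS terminated on the web server; the host name is the thread's placeholder and the example_* function names are hypothetical.

```php
<?php
// Added example for sites/default/settings.php (not the thread's code).
// Assumptions: Drupal at the web root, TLS terminated on this web server.
$site_host = 'yoursite.domain.com';         // placeholder host from the thread
$secure_prefixes = array('user', 'admin');  // Drupal paths that must use https

// Drupal path for a request URI, with clean URLs (/user/login)
// or without them (/?q=user/login).
function example_drupal_path($request_uri) {
  $pos = strpos($request_uri, '?');
  $path = ($pos === false) ? $request_uri : substr($request_uri, 0, $pos);
  $query = ($pos === false) ? '' : substr($request_uri, $pos + 1);
  $path = rawurldecode($path);
  parse_str($query, $args);
  if (isset($args['q']) && is_string($args['q'])) {
    $path = $args['q'];
  }
  return strtolower(trim($path, '/'));
}

// Match whole path segments: "user" and "user/login" match,
// an unrelated path such as "username-faq" does not.
function example_needs_https($path, $prefixes) {
  foreach ($prefixes as $prefix) {
    if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
      return true;
    }
  }
  return false;
}

// Some servers set HTTPS to "off" on plain requests, so isset() is not enough.
function example_is_https() {
  return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
if ($request_uri === '' || $request_uri[0] !== '/') {
  $request_uri = '/';  // ignore absolute-form or empty request targets
}
$secure = example_needs_https(example_drupal_path($request_uri), $secure_prefixes);

if ($secure && !example_is_https()) {
  // Fixed host name: the client-supplied Host header is not echoed back.
  header('Location: https://' . $site_host . $request_uri);
  exit();
}
$base_url = ($secure ? 'https' : 'http') . '://' . $site_host;
```

A redirect is only issued after the browser has sent its request, so a login form submitted to an http:// URL has already carried the password in the clear; this is why the thread says to turn off the login block.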


