[support] how to make drupal admin section https only?

Gordon Heydon gordon at heydon.com.au
Wed Jun 14 01:42:36 UTC 2006


Hi,

The securepages module does it a couple of ways.

The primary method is that when a request is made the system will check 
if the page requested needs to be encrypted, and if it does it will 
redirect them to https.

If they are using Drupal 4.7 and above, it will also check the form, and 
see where the action needs to be posted to, and if this needs to be 
an encrypted page it will rewrite the action so that it will directly 
post to the encrypted page.

For 4.8 (CVS) if a link is to a page that needs to be encrypted, then 
the page link will be changed to redirect them to the encrypted page.

I hope this helps.
Gordon.

Mark Shropshire wrote:
> Gordon can comment on his module, but any time you want to be sure you 
> are encrypting from one page to another, check the url in the <form 
> action=.... statement. If the url has https:// you are posting via ssl. 
> Even if the page you are currently on is http://, you are ok as long as 
> that page posts to https://. I hope that makes sense :)
> 
> I haven't loaded Gordon's module, but I am betting from its description 
> that it is similar to my solution. Once Drupal realizes that you are 
> requesting a page that needs https://, it redirects you immediately.
> 
> Thanks!
> Mark
> 
> On Jun 13, 2006, at 4:31 PM, dondi_2006 wrote:
> 
>>> Or you can take a look at the securepages module which will transfer you
>>> between http and https
>>>
>>> http://drupal.org/node/65632
>>>
>>
>> Does this work also at the beginning (that is making sure that when 
>> you send username and password from the browser, to enter the admin 
>> section,
>> those username and password are encrypted)?
>>
>> O.
>>
>>
>>> Gordon.
>>>
>>> Mark Shropshire wrote:
>>>> I had the same questions a year or so ago. Most of the time folks told
>>>> me to change the base url to https, but that of course forces ssl
>>>> across the entire Drupal site which isn't very efficient if you don't
>>>> need ssl on the entire site.
>>>>
>>>> A friend passed this code on to me and I am sorry to say I am not sure
>>>> where it came from originally, but I have greatly benefited from it on
>>>> my Drupal sites. Just replace the base url line in
>>>> sites/default/settings.php with this code:
>>>>
>>>> $base_url = 'http://localhost';
>>>>
>>>> // Redirect plain-HTTP requests for /user... to the same URL over HTTPS.
>>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user') && !isset($_SERVER['HTTPS'])) {
>>>>   header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
>>>>   exit();
>>>> }
>>>> // Build $base_url with the scheme that matches the requested path.
>>>> if (!strcasecmp(substr($_SERVER['REQUEST_URI'],0,5),'/user')) {
>>>>   $protocol = "https";
>>>> }
>>>> else {
>>>>   $protocol = "http";
>>>> }
>>>> $base_url = $protocol . "://yoursite.domain.com";
>>>>
>>>> Make sure to change the last line to your web site base url. This code
>>>> will force a redirect to an https session for requests to the /user area
>>>> in Drupal which covers logins. Make sure to turn off the login block as
>>>> this code does not protect the block. The cool thing about this bit of
>>>> code is that it can be extended to redirect other areas of Drupal to
>>>> https as needed.
>>>>
>>>> I hope this helps.
>>>>
>>>> Thanks!
>>>> Mark
>>>>
>>>> On Jun 12, 2006, at 3:46 AM, dondi_2006 wrote:
>>>>
>>>>> Greetings,
>>>>>
>>>>> I've just realized that (at least with default settings)
>>>>> the admin section of a drupal website is accessible
>>>>> via normal http, that is, I guess also the password
>>>>> when I login is transmitted in plain text.
>>>>>
>>>>> How do I make sure that all admin pages and those only,
>>>>> are sent via https, and that username and passwords are
>>>>> sent encrypted from the browser?
>>>>>
>>>>> TIA,
>>>>> O.
>>>>>
>>>>> -- 
>>>>> [ Drupal support list | http://lists.drupal.org/ ]
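The two checks discussed in this thread (redirect when the requested path needs HTTPS, and build form actions with an https:// URL), as an added example that is not part of the original messages and is not the securepages module's code. The function names, the protected-path list and the host `yoursite.domain.com` are assumptions made for illustration.

```php
<?php
// Added example; every name and value here is hypothetical.
$secure_paths = array('user', 'admin');   // assumption: Drupal paths that require HTTPS
$canonical_host = 'yoursite.domain.com';  // fixed host, so a client-sent Host header is never echoed

// Drupal path of a request, with clean URLs ("/user/login") or without ("/?q=user/login").
function request_path($request_uri) {
  $parts = parse_url($request_uri);
  $query = array();
  if (isset($parts['query'])) {
    parse_str($parts['query'], $query);
  }
  if (isset($query['q']) && is_string($query['q'])) {
    return trim($query['q'], '/');
  }
  return isset($parts['path']) ? trim($parts['path'], '/') : '';
}

// Compare whole path segments, case-insensitively: "user" and "User/login" match,
// "users-guide" does not (a plain 5-character prefix test would match it).
function needs_https($path, $secure_paths) {
  $path = strtolower($path);
  foreach ($secure_paths as $prefix) {
    if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
      return true;
    }
  }
  return false;
}

// Some servers set HTTPS to "off" on plain HTTP, so isset() alone is not a reliable test.
function is_https($server) {
  return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Absolute URL for a redirect target or a form action: https:// when the path is protected.
function absolute_url($request_uri, $secure_paths, $host) {
  $scheme = needs_https(request_path($request_uri), $secure_paths) ? 'https' : 'http';
  return $scheme . '://' . $host . $request_uri;
}

// Constructed sample requests, all arriving over plain HTTP (no HTTPS key set).
foreach (array('/user/login', '/?q=admin/settings', '/users-guide', '/node/1') as $uri) {
  $server = array('REQUEST_URI' => $uri);
  $redirect = needs_https(request_path($uri), $secure_paths) && !is_https($server);
  echo $uri, ' -> ', $redirect ? 'redirect to ' . absolute_url($uri, $secure_paths, $canonical_host) : 'no redirect', "\n";
}
```

Using `absolute_url()` for a login form's action covers the case raised in the thread where the page itself is served over http:// but must post to https://.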