[support] SSL Form Posts in Drupal are sent in the clear ...
Michael Prasuhn
mike at mikeyp.net
Sun May 17 01:08:23 UTC 2009
The problem comes when Drupal can't tell which is the 'base_url' that
should be used for form_actions and URLs.
Check out the secure_pages module, it handles the switching and sets
the necessary variables for various pages of the site. It also will
redirect to secure or non-secure if necessary for your site.
-Mike
On May 16, 2009, at 2:39 PM, Joseph Yamada wrote:
> ... this is bad, I won't be able to deploy to production until I fix
> this.
>
> I've configured mod_ssl with my apache to require my drupal site to
> run in SSL.
>
> And then I changed my login form to post back in https all the time
> $form = array(
> '#action' => preg_replace('/^http:/', 'https:', url($_GET['q'],
> drupal_get_destination(), null, true)),
> );
>
> So my logins are encrypted.
>
> So I'm on the site and https is encrypting the GETs, but then I
> change a form, say my profile page, then I post anything back to the
> server and my browser says I am sending text in the clear, non-
> encrypted.
>
> Does this mean I need to rewrite the form posts for every form post
> page ?
>
> Has anyone seen this, please assist a fellow Drupal user,
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
__________________
Michael Prasuhn
503.488.5433 office
714.356.0168 cell
503.661.7574 home
mike at mikeyp.net
http://mikeyp.net
More information about the support
mailing list