[support] SSL Form Posts in Drupal are sent in the clear ...

Joseph Yamada joe.yamada at gmail.com
Mon May 18 13:47:25 UTC 2009


Thank you for your replies Pierre and Michael.  This is becoming a
good discussion for all.

For those who are tuning in: I have configured the site to use ssl,
but the posts are being sent in plain.  Does someone want to share a
success story?

In reply to Pierre:
The posts are always sent in the clear, not intermittently, but I will
look at the cache.

I am using the domain access module so I haven't set the base-url in
settings.php.  So I am using relative urls always and not relative urls,
at least that's what I think is happening.

Pierre, have you configured their drupal with ssl just within apache
configs using mod ssl and mod rewrite?

In reply to Michael:
I activated the secure pages module (again leaving the base url blank,
based on reading the module's code); this should rewrite the url with
https in front for paths in the secure module lists.  But after all
this, posts were still sent in the clear.

Michael, if securepages is working for you, perhaps I did something in
apache configs to conflict with this module?  Like could this be
something to do with mod_rewrite or apache configs?  I am rewriting my
urls for clean-urls.




On 5/16/09, Michael Prasuhn <mike at mikeyp.net> wrote:
> The problem comes when Drupal can't tell which is the 'base_url' that
> should be used for form_actions and URLs.
>
> Check out the secure_pages module, it handles the switching and sets
> the necessary variables for various pages of the site. It also will
> redirect to secure or non-secure if necessary for your site.
>
> -Mike
>
> On May 16, 2009, at 2:39 PM, Joseph Yamada wrote:
>
>> ... this is bad, I won't be able to deploy to production until I fix
>> this.
>>
>> I've configured mod_ssl with my apache to require my drupal site to
>> run in SSL.
>>
>> And then I changed my login form to post back in https all the time
>> $form = array(
>>     '#action' => preg_replace('/^http:/', 'https:', url($_GET['q'],
>> drupal_get_destination(), null, true)),
>>   );
>>
>> So my logins are encrypted.
>>
>> So I'm on the site and https is encrypting the GETs, but then I
>> change a form, say my profile page, then I post anything back to the
>> server and my browser says I am sending text in the clear,
>> non-encrypted.
>>
>> Does this mean I need to rewrite the form posts for every form post
>> page ?
>>
>> Has anyone seen this, please assist a fellow Drupal user,
>>
>> --
>> [ Drupal support list | http://lists.drupal.org/ ]
>
> __________________
> Michael Prasuhn
> 503.488.5433 office
> 714.356.0168 cell
> 503.661.7574 home
> mike at mikeyp.net
> http://mikeyp.net

-- 
Sent from my mobile device
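
Added example (not part of the original message, and not code from Drupal or the secure pages module): one way to confirm which forms on an HTTPS page would still post in the clear is to resolve every form action the way a browser does and flag any target that is not https. The host example.test, the form ids and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionAudit(HTMLParser):
    """Collect each <form> action and the first <base href> of a page."""

    def __init__(self):
        super().__init__()
        self.base_href = None   # first <base href>, if the page has one
        self.forms = []         # (form id, raw action attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            self.forms.append((a.get("id", "?"), a.get("action") or ""))


def cleartext_forms(page_url, html):
    """Return (form id, resolved target) for forms that would not post over https."""
    audit = FormActionAudit()
    audit.feed(html)
    # Relative actions resolve against <base href> when present, else the page URL.
    base = urljoin(page_url, audit.base_href) if audit.base_href else page_url
    findings = []
    for form_id, action in audit.forms:
        # A missing or empty action submits to the document's own URL.
        target = urljoin(base, action) if action else page_url
        if urlsplit(target).scheme != "https":
            findings.append((form_id, target))
    return findings


# Constructed sample: a profile page fetched over https with four forms.
SAMPLE_PAGE_URL = "https://example.test/user/1/edit"
SAMPLE_HTML = """
<html><body>
<form id="user-login" action="https://example.test/user/login" method="post"></form>
<form id="user-profile" action="/user/1/edit" method="post"></form>
<form id="contact-form" action="http://example.test/contact" method="post"></form>
<form id="comment-form" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for form_id, target in cleartext_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"form {form_id} posts in the clear to {target}")
```

Relative and empty actions inherit the scheme of the page (or of a base href), so only an absolute http action or an http base URL makes a form on an https page post unencrypted.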

