[support] SSL Form Posts in Drupal are sent in the clear ...

Pierre Rineau pierre.rineau at makina-corpus.com
Sat May 16 23:13:14 UTC 2009


May be a cache problem.

If you use SSL and non-SSL on the same Drupal site, generated cache (i.e.
node texts and block contents, even full pages in aggressive caching
mode) will randomly carry https:// or http:// URLs.

In fact, if a user browses the site with https://, the url() function will
put an https:// absolute URL for files (and whenever the coder asked the
url() function to do an absolute URL) in rendered content, then save it
in cache.
The result is, when a user visits the site with http:// (non-SSL
mode), content got back from cache will display https:// because of this
wrong cache. The opposite operation also works: the first user to hit
the content (https or not) will generate the cache.

In the company I work for, we encounter this problem a lot; we finally
decided to use multi-site for SSL and non-SSL mixed sites, with a
different domain name (i.e. mydomain.tld and secure.mydomain.tld), both
sites using the same database with the same prefix, except for cache
tables.
With this method, a user hitting the site in SSL mode will write cache
for SSL browsers only and vice versa.

You might try using no cache at all, or emptying your cache at each
request to be sure this is what's messing it up.

Pierre.

On Sat, 2009-05-16 at 17:39 -0400, Joseph Yamada wrote:
> ... this is bad, I won't be able to deploy to production until I fix
> this.
> 
> I've configured mod_ssl with my apache to require my drupal site to
> run in SSL.
> 
> And then I changed my login form to post back in https all the time
> $form = array(
>     '#action' => preg_replace('/^http:/', 'https:', url($_GET['q'],
> drupal_get_destination(), null, true)),
>   );
> 
> So my logins are encrypted.
> 
> So I'm on the site and https is encrypting the GETs, but then I change
> a form, say my profile page, then I post anything back to the server
> and my browser says I am sending text in the clear, non-encrypted.
> 
> Does this mean I need to rewrite the form posts for every form post
> page ?
> 
> Has anyone seen this, please assist a fellow Drupal user,
> 
> --
> [ Drupal support list | http://lists.drupal.org/ ]
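
The split-cache multi-site layout described in the reply above, sketched as an added example (not part of the original message or of Drupal's own files). It assumes a Drupal 5/6-style settings.php, where `$db_prefix` may be an array keyed by table name; the `ssl_` prefix, the credentials and the database name are placeholders, and the table list is the Drupal 5 core cache set (later versions and contributed modules add more `cache_*` tables that would need the same treatment).

```php
<?php
// sites/secure.mydomain.tld/settings.php  (constructed example)
// The non-SSL site (sites/mydomain.tld/settings.php) keeps the same $db_url
// with a plain $db_prefix = ''; so content, users and sessions are shared.

// Same database as the non-SSL site. USER, PASSWORD and DBNAME are placeholders.
$db_url = 'mysql://USER:PASSWORD@localhost/DBNAME';

// Pin the scheme and host so url() never emits http:// on this site,
// whatever ends up in the rendered (and then cached) markup.
$base_url = 'https://secure.mydomain.tld';

// Per-table prefixes: everything uses the shared, unprefixed tables except
// the cache tables, which get their own copies for the SSL site.
$db_prefix = array(
  'default'      => '',
  'cache'        => 'ssl_',  // variables, theme registry, misc. cached data
  'cache_filter' => 'ssl_',  // filtered node and comment text
  'cache_menu'   => 'ssl_',  // menu and link structures
  'cache_page'   => 'ssl_',  // full pages served to anonymous visitors
);

// The ssl_cache, ssl_cache_filter, ssl_cache_menu and ssl_cache_page tables
// must exist with the same structure as the originals (for example created
// with CREATE TABLE ssl_cache LIKE cache; on MySQL) before this site is used.
```

With this in place, markup rendered during an https:// request is only ever written to and read from the `ssl_` tables, so an http:// form action cached by a non-SSL visitor cannot be served back on the SSL site.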


