[support] SSL Form Posts in Drupal are sent in the clear ...
Pierre Rineau
pierre.rineau at makina-corpus.com
Sat May 16 23:15:16 UTC 2009
May be you should just not use absolute URLs, with relative URLs the
user's browser will construct the http:// or https:// itself, this can
resolve a lot of problems (servers behind proxies, multiple frontend,
cached URLs, etc..).
Also check you did not override the $base_url global in your
settings.php.
On Sat, 2009-05-16 at 17:39 -0400, Joseph Yamada wrote:
> ... this is bad, I won't be able to deploy to production until I fix
> this.
>
> I've configured mod_ssl with my apache to require my drupal site to
> run in SSL.
>
> And then I changed my login form to post back in https all the time
> $form = array(
> '#action' => preg_replace('/^http:/', 'https:', url($_GET['q'],
> drupal_get_destination(), null, true)),
> );
>
> So my logins are encrypted.
>
> So I'm on the site and https is encrypting the GETs, but then I change
> a form, say my profile page, then I post anything back to the server
> and my browser says I am sending text in the clear, non-encrypted.
>
> Does this mean I need to rewrite the form posts for every form post
> page ?
>
> Has anyone seen this, please assist a fellow Drupal user,
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
More information about the support
mailing list