[support] SSL Form Posts in Drupal are sent in the clear ...

Metzler, David metzlerd at evergreen.edu
Wed May 20 21:04:03 UTC 2009


On my SSL sites I set $base_url in settings.php to be the
https://example.com form, which seems to make sure that all my pages are
https; even if someone lands on http first, they get redirected after
the first click.

You might consider also looking at the secure_pages module to make sure
specific pages are always secured. 

Dave 

-----Original Message-----
From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On
Behalf Of Pierre Rineau
Sent: Saturday, May 16, 2009 4:15 PM
To: support at drupal.org
Subject: Re: [support] SSL Form Posts in Drupal are sent in the clear
...

Maybe you should just not use absolute URLs; with relative URLs the
user's browser will construct the http:// or https:// itself, and this can
resolve a lot of problems (servers behind proxies, multiple frontends,
cached URLs, etc.).

Also check you did not override the $base_url global in your
settings.php.

On Sat, 2009-05-16 at 17:39 -0400, Joseph Yamada wrote:
> ... this is bad, I won't be able to deploy to production until I fix 
> this.
> 
> I've configured mod_ssl with my apache to require my drupal site to 
> run in SSL.
> 
> And then I changed my login form to post back in https all the time 
> $form = array(
>     '#action' => preg_replace('/^http:/', 'https:', url($_GET['q'], 
> drupal_get_destination(), null, true)),
>   );
> 
> So my logins are encrypted.
> 
> So I'm on the site and https is encrypting the GETs, but then I change
> a form, say my profile page, then I post anything back to the server 
> and my browser says I am sending text in the clear, non-encrypted.
> 
> Does this mean I need to rewrite the form posts for every form post 
> page ?
> 
> Has anyone seen this, please assist a fellow Drupal user,

--
[ Drupal support list | http://lists.drupal.org/ ]
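An added example, not code from any poster in this thread: a Python check that resolves each form's action against the URL the page was served from, the way a browser does, and reports forms that would submit over plain http. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect (method, raw action) for every <form>, honoring <base href>."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base_href is None:
            self.base_href = attrs["href"]  # only the first <base href> counts
        elif tag == "form":
            method = (attrs.get("method") or "get").lower()
            self.forms.append((method, attrs.get("action") or ""))


def cleartext_forms(page_url, html):
    """Return forms on an https page whose submission would go over http."""
    collector = FormActionCollector()
    collector.feed(html)
    # A <base href> (if any) replaces the page URL as the resolution base.
    base = urljoin(page_url, collector.base_href or "")
    findings = []
    for method, action in collector.forms:
        target = urljoin(base, action)  # empty action posts back to base
        if urlsplit(target).scheme != "https":
            findings.append((method, action, target))
    return findings


# Constructed sample: a profile page fetched over https.
SAMPLE_URL = "https://example.com/user/1/edit"
SAMPLE_HTML = """
<form action="/user/1/edit" method="post"></form>
<form action="http://example.com/user/1/edit" method="post"></form>
<form action="//example.com/search" method="get"></form>
<form method="post"></form>
"""

if __name__ == "__main__":
    for method, action, target in cleartext_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{method.upper()} form action={action!r} submits to {target}")
```

Only the form with the absolute http:// action is reported; the relative, scheme-relative and empty actions all inherit https from the page.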
