[support] Security and Drupal

Austin Einter austin.einter at gmail.com
Mon Jan 10 01:54:54 UTC 2011


Thanks everybody for providing such wonderful suggestions on security
aspect. Summary of various suggestions provided by Drupal experts -

1. SSL can be used for login page
2. Use secure login and secure pages modules (mixed https-http mode)
3. Use Securepages Prevent Hijack module.
4. Use 443 session module
5. Use HTTPS for a session after login
6. Just Make All Drupal Pages SSL
7. Configure web server to use SSL for all pages

In fact,
http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-httpsis
is very useful as it presents a bit of insight into the code and the experience of
users who tried to implement security for their sites.

Now I will need to look at security for my site from a different
perspective. As of now I hope my security design will follow the approach
below.

1. I should have two different roles say "Normal Users" and "Special Users".
2. I will allow "Normal Users" to create and manage their account and by
using secure login and secure pages I will provide security to some extent.
3. For "Special Users", each and every page they access need to be secure.

So I am looking at role based security. Has anybody followed this approach?
If so, can you guide me on how to achieve it?

Best Regards
Austin


On Mon, Jan 10, 2011 at 4:31 AM, Leonard den Ottolander.nl <drupal at den.ottolander.nl> wrote:

> Hello Austin,
>
> On Sun, 2011-01-09 at 14:06 +0530, Austin Einter wrote:
> > By checking few packets content I could figure out the user name and
> > password in plain text.
>
> This is an issue with *any* web application that connects over http. If
> this is a concern you should set up your webserver to use SSL (https)
> for such connections.
>
> That said, personally I feel users choosing poor passwords is a much
> greater concern than someone being able to sniff those passwords on the
> internet. For the average bad guy sniffing traffic on the internet
> requires much more effort than running a script that brute forces (weak)
> passwords.
>
> You might want to look into the User Protect module. You can use this
> module to block users from changing their passwords.
>
> Regards,
> Leonard.
>
> --
> mount -t life -o ro /dev/dna /genetic/research
>
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>
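One way to implement the role-based enforcement Austin describes (every page served over HTTPS for "Special Users", mixed mode for everyone else), as an added illustration that is not code from this thread or from any of the modules named above: a hypothetical Drupal 7 module, where the module name `role_https` and the variable `role_https_roles` are assumptions.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "role_https" (assumed name, not a real
 * contrib module): forces HTTPS on every request made by a user who holds
 * one of the configured protected roles, e.g. "Special Users".
 */

/**
 * Returns TRUE when $account holds at least one protected role.
 *
 * $account->roles is keyed by role ID with the role name as the value,
 * so the comparison is done on the values.
 */
function role_https_account_is_protected($account, array $protected_roles) {
  return (bool) array_intersect($account->roles, $protected_roles);
}

/**
 * Implements hook_init().
 */
function role_https_init() {
  global $user, $is_https;

  // Role names that must only ever be served over HTTPS (variable name
  // assumed; set it in settings.php or with variable_set()).
  $protected_roles = variable_get('role_https_roles', array('Special Users'));

  // Already on HTTPS, or a drush/CLI run: nothing to enforce.
  if ($is_https || drupal_is_cli()) {
    return;
  }

  if (role_https_account_is_protected($user, $protected_roles)) {
    // A redirect would silently drop a POST body, so only GET requests are
    // moved to HTTPS; anything else over plain HTTP is refused.
    if ($_SERVER['REQUEST_METHOD'] != 'GET') {
      drupal_access_denied();
      drupal_exit();
    }
    // Same host, same path and query string, but on HTTPS.
    drupal_goto('https://' . $_SERVER['HTTP_HOST'] . request_uri(), array(), 301);
  }
}
```

The redirect only helps once the user has been identified, so the login itself must already happen over HTTPS and the session cookie must not be sent in clear (in Drupal 7 the mixed-mode setting `$conf['https'] = TRUE;` in settings.php gives the HTTPS session its own Secure-flagged cookie); otherwise a session ID sniffed over HTTP, the hijack the thread mentions, bypasses the role check entirely.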