[support] Secure login

Mon Mar 18 21:58:08 UTC 2013

In 6.x secure_pages could implement the described behavior in an insecure method (ironically) unless you added the http://drupal.org/project/securepages_prevent_hijack module. The hijack prevention module is included in D7 but it's not enabled until you set $conf['https'] = TRUE in settings.php. Drupal 7 does prevent the old insecure behavior when attempting mixed-mode SSL as you noticed in your first comment, unless that setting is enabled.

_________________
Michael Prasuhn
http://mikeyp.net

On Mar 18, 2013, at 10:18 AM, Fxarte <fxarte at gmail.com> wrote:

> Hi Kamal,
> Thank you for sharing your solution. 
> Did you also try secure_pages (not sure about the current status of the module)?
> Long time ago (6.x) it achieve what you describe here
> 
> --
> Felix
> 
> On Mar 16, 2013, at 10:07 AM, Kamal Palei <palei.kamal at gmail.com> wrote:
> 
>> Resolved.
>> 
>> Need to add
>> 
>> $conf['https'] = TRUE;
>> 
>> in settings.php
>> 
>> 
>> On Sat, Mar 16, 2013 at 7:01 PM, Kamal Palei <palei.kamal at gmail.com> wrote:
>> Dear All
>> I am trying to achieve secure login for users in a D7 site.
>> 
>> I tried both the options, 
>> 
>> 1.secure login module 
>> 2. rewriting the http url to https url if "user" exists in url
>> 
>> In both the cases observed , user is logging in a secured way. 
>> 
>> Facing two issues.
>> 
>> 1. But why the other pages are coming as secure page (with https).
>> How can I disable it. I just want login page is secured, not any other pages as of now
>> 
>> 2. User logged in using https url.
>> Then access any page with http url, it asks for another login.
>> 
>> By doing login through https , can not we access http pages (as authenticated user).
>> 
>> Has anybody experienced this problem anytime.
>> 
>> 
>> Whats the work around here.
>> 
>> Thanks
>> kamal
>> 
>> 
>> -- 
>> [ Drupal support list | http://lists.drupal.org/ ]
> -- 
> [ Drupal support list | http://lists.drupal.org/ ]