<div> </div>
<div>Thanks everybody for providing such wonderful suggestions on security aspect. Summary of various suggestions provided by Drupal experts - </div>
<div> </div>
<div>1. SSL can be used for login page<br>2. Use secure login and secure pages modules (mixed https-http mode) <br>3. Use Securepages Prevent Hijackmodule.<br>4. Use 443 session module<br>5. Use HTTPS for a session after login<br>
6. Just Make All Drupal Pages SSL</div>
<div>7. Configure web server to use SSL for all pages</div>
<p>In fact, <a href="http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https">http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https</a> is very much usefull as it presents bit insight to code and experience of users who tried to implement security for their sites.</p>
<p>Now I will need to look at security for my site from a different perspective. As of now I hope my security design should follow below approach.</p>
<p>1. I should have two different roles say "Normal Users" and "Special Users".<br>2. I will allow "Normal Users" to create and manage their account and by using secure login and secure pages I will provide security to some extent.<br>
3. For "Special Users", each and every page they access need to be secure.</p>
<p>So I am looking at role based security. Has anybody followed this approach, if so can you guide how to acheive it.</p>
<div>Best Regards<br>Austin</div>
<div><br> </div>
<div class="gmail_quote">On Mon, Jan 10, 2011 at 4:31 AM, Leonard den Ottolander.nl <span dir="ltr"><<a href="mailto:drupal@den.ottolander.nl">drupal@den.ottolander.nl</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hello Austin,<br>
<div class="im"><br>On Sun, 2011-01-09 at 14:06 +0530, Austin Einter wrote:<br>> By checking few packets content I could figure out the user name and<br>> password in plain text.<br><br></div>This is an issue with *any* web application that connects over http. If<br>
this is a concern you should set up your webserver to use SSL (https)<br>for such connections.<br><br>That said, personally I feel users choosing poor passwords is a much<br>greater concern than someone being able to sniff those passwords on the<br>
internet. For the average bad guy sniffing traffic on the internet<br>requires much more effort than running a script that brute forces (weak)<br>passwords.<br><br>You might want to look into the User Protect module. You can use this<br>
module to block users from changing their passwords.<br><br>Regards,<br>Leonard.<br><font color="#888888"><br>--<br>mount -t life -o ro /dev/dna /genetic/research<br></font>
<div>
<div></div>
<div class="h5"><br><br>--<br>[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br></div></div></blockquote></div><br>