On Wed, 2005-11-09 at 10:29 -0500, Khalid B wrote:
Ber, I agree with you that JavaScript is not a solution. It gives a false sense of security and exposes the stored MD5 hash of the password.
I also agree with you that SSL is the ultimate solution if one really needs security.
However, I think that SSL in Drupal is an All Or None approach. Either the entire site is SSL, or not SSL. There is no way at present where only the login is https, and the rest is http.
If this is addressed, then the whole argument for these half-baked solutions goes away: need security? Get SSL for login. Period.
Well, here you go... it's a bit of a kludge, but works. Patched url() and l() to have an ssl flag... Minor touch-ups to user.module. Sorry, this is against 4.6.3... I haven't started playing with the formsapi, or head yet...

.darrel.