Thanks everybody for providing such wonderful suggestions on the security aspect. Summary of the various suggestions provided by Drupal experts:
1. SSL can be used for the login page
2. Use the Secure Login and Secure Pages modules (mixed https-http mode)
3. Use the Securepages Prevent Hijack module
4. Use the 443 Session module
5. Use HTTPS for the session after login
6. Just make all Drupal pages SSL
7. Configure the web server to use SSL for all pages
In fact, http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-poss... is very useful, as it presents some insight into the code and the experience of users who tried to implement security for their sites.
Now I will need to look at security for my site from a different perspective. As of now I hope my security design should follow the approach below.
1. I should have two different roles, say "Normal Users" and "Special Users".
2. I will allow "Normal Users" to create and manage their account, and by using Secure Login and Secure Pages I will provide security to some extent.
3. For "Special Users", each and every page they access needs to be secure.
So I am looking at role-based security. Has anybody followed this approach? If so, can you guide me on how to achieve it?
Best Regards,
Austin
On Mon, Jan 10, 2011 at 4:31 AM, Leonard den Ottolander.nl <drupal@den.ottolander.nl> wrote:
Hello Austin,
On Sun, 2011-01-09 at 14:06 +0530, Austin Einter wrote:
By checking few packets content I could figure out the user name and password in plain text.
This is an issue with *any* web application that connects over http. If this is a concern you should set up your webserver to use SSL (https) for such connections.
That said, personally I feel users choosing poor passwords is a much greater concern than someone being able to sniff those passwords on the internet. For the average bad guy sniffing traffic on the internet requires much more effort than running a script that brute forces (weak) passwords.
You might want to look into the User Protect module. You can use this module to block users from changing their passwords.
Regards, Leonard.
-- mount -t life -o ro /dev/dna /genetic/research
-- [ Drupal support list | http://lists.drupal.org/ ]
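The role-based scheme Austin sketches (every page a "Special Users" member requests must be served over HTTPS) can be done without a contrib module by redirecting from a custom module's hook_init(). The code below is an added example written for this thread, not code from the original posts, from Secure Pages or from Secure Login; it assumes a Drupal 7 site, a hypothetical module name (rolessl) and the role name "Special Users" from Austin's post, and uses the Drupal 7 globals $is_https and $base_secure_url plus url() and drupal_goto() from core.

```php
<?php
/**
 * @file
 * rolessl.module (hypothetical module name): force HTTPS for every page
 * requested by a member of a protected role. Added example for Drupal 7;
 * not code from the mailing-list thread or from any contrib module.
 */

/**
 * Role names whose members must only ever be served over HTTPS.
 *
 * "Special Users" is the role proposed in the thread; adjust to your site.
 */
function rolessl_protected_roles() {
  return array('Special Users');
}

/**
 * Returns TRUE when the given account (default: current user) holds any
 * protected role. $account->roles is keyed by rid with the name as value.
 */
function rolessl_user_is_protected($account = NULL) {
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }
  $held = isset($account->roles) ? array_values($account->roles) : array();
  return (bool) array_intersect(rolessl_protected_roles(), $held);
}

/**
 * Builds the HTTPS version of the current request (path + query string).
 *
 * Uses the site's own $base_secure_url rather than the incoming Host header,
 * so a forged Host header cannot turn the redirect into an open redirect.
 */
function rolessl_secure_url_for_current_request() {
  return url(current_path(), array(
    'absolute' => TRUE,
    'base_url' => $GLOBALS['base_secure_url'],
    'query' => drupal_get_query_parameters(),
  ));
}

/**
 * Implements hook_init().
 *
 * Runs on every full bootstrap, i.e. every uncached page. Cached anonymous
 * pages never reach hook_init(), which is fine here: protected users are
 * always authenticated, so their pages are never served from the page cache.
 */
function rolessl_init() {
  global $is_https;

  // Already secure, or not a user we care about: nothing to do.
  if ($is_https || !rolessl_user_is_protected()) {
    return;
  }

  // Permanent redirect so browsers and proxies stop asking for the http URL.
  drupal_goto(rolessl_secure_url_for_current_request(), array(), 301);
}
```

Two things this redirect does not cover, which matter for the original complaint about credentials being visible in captured packets. First, the role is only known after login, so the login form and its POST must be forced to HTTPS separately (that is what Secure Login is for); otherwise the password still travels in clear text once. Second, the session cookie issued during that HTTPS login has to be marked Secure, or the browser will send it over the next plain-HTTP link and the session can be hijacked even though every page was redirected; Drupal 7 sets session.cookie_secure when the request itself is HTTPS, and with $conf['https'] = TRUE in settings.php it keeps separate insecure and secure session cookies for mixed-mode sites, so check the Set-Cookie header after login rather than assuming it.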