In fact, http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https is very useful, as it presents a bit of insight into the code and the experience of users who tried to implement security for their sites.
Now I will need to look at security for my site from a different perspective. As of now I hope my security design should follow the approach below.
1. I should have two different roles say "Normal Users" and "Special Users".
2. I will allow "Normal Users" to create and manage their account and by using secure login and secure pages I will provide security to some extent.
3. For "Special Users", each and every page they access needs to be secure.
So I am looking at role-based security. Has anybody followed this approach? If so, can you guide me on how to achieve it?
Hello Austin,
On Sun, 2011-01-09 at 14:06 +0530, Austin Einter wrote:
> By checking few packets content I could figure out the user name and
> password in plain text.
This is an issue with *any* web application that connects over http. If
this is a concern you should set up your webserver to use SSL (https)
for such connections.
That said, personally I feel users choosing poor passwords is a much
greater concern than someone being able to sniff those passwords on the
internet. For the average bad guy sniffing traffic on the internet
requires much more effort than running a script that brute forces (weak)
passwords.
You might want to look into the User Protect module. You can use this
module to block users from changing their passwords.
Regards,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research