On my ssl sites I set $base_url in settings.php to be the https://example.com form, which seems to make sure that all my pages are https, even if someone lands on http first, they get redirected after the first click.
You might consider also looking at the secure_pages module to make sure specific pages are always secured.
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Pierre Rineau Sent: Saturday, May 16, 2009 4:15 PM To: support@drupal.org Subject: Re: [support] SSL Form Posts in Drupal are sent in the clear ...
May be you should just not use absolute URLs, with relative URLs the user's browser will construct the http:// or https:// itself, this can resolve a lot of problems (servers behind proxies, multiple frontend, cached URLs, etc..).
Also check you did not override the $base_url global in your settings.php.
On Sat, 2009-05-16 at 17:39 -0400, Joseph Yamada wrote:
... this is bad, I won't be able to deploy to production until I fix this.
I've configured mod_ssl with my apache to require my drupal site to run in SSL.
And then I changed my login form to post back in https all the time $form = array( '#action' => preg_replace('/^http:/', 'https:', url($_GET['q'], drupal_get_destination(), null, true)), );
So my logins are encrypted.
So I'm on the site and https is encrypting the GETs, but then I change
a form, say my profile page, then I post anything back to the server and my browser says I am sending text in the clear, non-encrypted.
Does this mean I need to rewrite the form posts for every form post page ?
Has anyone seen this, please assist a fellow Drupal user,
-- [ Drupal support list | http://lists.drupal.org/ ]
-- [ Drupal support list | http://lists.drupal.org/ ]