... this is bad, I won't be able to deploy to production until I fix this.
I've configured mod_ssl with my apache to require my drupal site to run in SSL.
And then I changed my login form to post back in https all the time:
    $form = array(
      '#action' => preg_replace('/^http:/', 'https:', url($_GET['q'], drupal_get_destination(), null, true)),
    );
So my logins are encrypted.
So I'm on the site and https is encrypting the GETs, but then I change a form, say my profile page, then I post anything back to the server and my browser says I am sending text in the clear, non-encrypted.
Does this mean I need to rewrite the form posts for every form post page ?
Has anyone seen this, please assist a fellow Drupal user,
May be a cache problem.
If you use SSL and non-SSL on the same Drupal site, generated cache (i.e. node texts and block content, even full pages in aggressive caching mode) will randomly carry https:// or http:// URLs.
In fact, if a user browses the site with https://, the url() function will put https:// absolute URLs for files (and whenever the coder asked the url() function to do an absolute URL) in rendered content, then save it in cache. The result is, when a user visits the site with http:// (non-SSL mode), content fetched from cache will display https:// because of this wrong cache. The opposite operation also works: the first user to hit the content (https or not) will generate the cache.
In the company I work for, we encountered this problem a lot; we finally decided to use multi-site for SSL and non-SSL mixed sites, with a different domain name (i.e. mydomain.tld and secure.mydomain.tld), both sites using the same database with the same prefix, except for cache tables. With this method, a user hitting the site in SSL mode will write cache for SSL browsers only and vice versa.
You might try using no cache at all, or emptying your cache at each request to be sure this is what's messing it up.
Pierre.
On Sat, 2009-05-16 at 17:39 -0400, Joseph Yamada wrote:
-- [ Drupal support list | http://lists.drupal.org/ ]
Maybe you should just not use absolute URLs; with relative URLs the user's browser will construct the http:// or https:// itself, and this can resolve a lot of problems (servers behind proxies, multiple frontends, cached URLs, etc.).
Also check you did not override the $base_url global in your settings.php.
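Added example, not part of the original thread: a small PHP model of the cache behaviour Pierre describes and of his relative-URL suggestion. The cache, the helper functions, example.com and /user/1/edit are constructed for illustration and are not Drupal's API.

```php
<?php
// Added illustration: a constructed model of a render cache, not Drupal's cache API.
// example.com and /user/1/edit are placeholder values.

// Render a form the way an absolute or a relative url() call would.
function render_form(string $scheme, string $path, bool $absolute): string {
    $action = $absolute ? "$scheme://example.com$path" : $path;
    return '<form method="post" action="' . htmlspecialchars($action) . '"></form>';
}

// Serve a page through the cache; on a miss the current visitor's scheme is baked in.
function serve(array &$cache, string $scheme, string $path, bool $absolute, bool $keyByScheme): string {
    $key = $keyByScheme ? "$scheme:$path" : $path;
    if (!isset($cache[$key])) {
        $cache[$key] = render_form($scheme, $path, $absolute);
    }
    return $cache[$key];
}

// True when an https page carries a form whose action is an absolute http:// URL.
function posts_in_clear(string $pageScheme, string $html): bool {
    return $pageScheme === 'https'
        && preg_match('~<form\b[^>]*\baction="http://~i', $html) === 1;
}

// Scenario: an http visitor warms the cache, then an https visitor loads the same page.
function https_visit_after_http(bool $absolute, bool $keyByScheme): bool {
    $cache = [];
    serve($cache, 'http', '/user/1/edit', $absolute, $keyByScheme);
    $html = serve($cache, 'https', '/user/1/edit', $absolute, $keyByScheme);
    return posts_in_clear('https', $html);
}

$cases = [
    'shared cache, absolute URLs'     => [true, false],
    'cache split by scheme, absolute' => [true, true],
    'shared cache, relative URLs'     => [false, false],
];
foreach ($cases as $label => [$absolute, $keyByScheme]) {
    $leaks = https_visit_after_http($absolute, $keyByScheme);
    printf("%-33s %s\n", $label, $leaks ? 'POST goes over http' : 'POST stays on https');
}
```

The same posts_in_clear() check can be pointed at saved HTML from a real https page to confirm whether a form action was rendered with an http:// scheme.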
On my ssl sites I set $base_url in settings.php to be the https://example.com form, which seems to make sure that all my pages are https, even if someone lands on http first, they get redirected after the first click.
You might consider also looking at the secure_pages module to make sure specific pages are always secured.
Dave
-----Original Message-----
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Pierre Rineau
Sent: Saturday, May 16, 2009 4:15 PM
To: support@drupal.org
Subject: Re: [support] SSL Form Posts in Drupal are sent in the clear ...
The problem comes when Drupal can't tell which is the 'base_url' that should be used for form_actions and URLs.
Check out the secure_pages module, it handles the switching and sets the necessary variables for various pages of the site. It also will redirect to secure or non-secure if necessary for your site.
-Mike
__________________ Michael Prasuhn 503.488.5433 office 714.356.0168 cell 503.661.7574 home mike@mikeyp.net http://mikeyp.net
Thank you for your replies Pierre and Michael. This is becoming a good discussion for all.
For those who are tuning in. I have configured the site to use ssl, but the posts are being sent in plain. Does someone want to share a success story?
In reply to Pierre: The posts are always sent in the clear, not intermittently, but I will look at the cache.
I am using the domain access module so I haven't set the base-url in settings.php. So I am using relative urls always and not relative urls, at least that's what I think is happening.
Pierre have you configured their drupal with ssl just within apache configs using mod ssl and mod rewrite?
In reply to Michael: I activated the secure pages module (again leaving the base url blank, based on reading the module's code) this should rewrite the url with https in front for paths in the secure module lists. But after all this, posts were still sent in the clear.
Michael, if securepages is working for you, perhaps I did something in apache configs to conflict with this module? Like could this be something to do with mod_rewrite or apache configs? I am rewriting my urls for clean-urls.