Greetings,
I've just realized that (at least with default settings) the admin section of a Drupal website is accessible via normal http, that is, I guess also the password when I log in is transmitted in plain text.
How do I make sure that all admin pages, and those only, are sent via https, and that username and passwords are sent encrypted from the browser?
TIA, O.
I had the same questions a year or so ago. Most of the time folks told me to change the base url to https, but that of course forces ssl across the entire Drupal site which isn't very efficient if you don't need ssl on the entire site.
A friend passed this code on to me and I am sorry to say I am not sure where it came from originally, but I have greatly benefited from it on my Drupal sites. Just replace the base url line in sites/default/settings.php with this code:
    $base_url = 'http://localhost';

    // Redirect plain-HTTP requests for paths starting with /user to HTTPS.
    if (!strcasecmp(substr($_SERVER['REQUEST_URI'], 0, 5), '/user') && !isset($_SERVER['HTTPS'])) {
      header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
      exit();
    }
    // Build the base URL with https for /user paths and http for everything else.
    if (!strcasecmp(substr($_SERVER['REQUEST_URI'], 0, 5), '/user')) {
      $protocol = "https";
    }
    else {
      $protocol = "http";
    }
    $base_url = $protocol . "://yoursite.domain.com";
Make sure to change the last line to your web site base url. This code will force a redirect to an https session for requests to the /user area in Drupal which covers logins. Make sure to turn off the login block as this code does not protect the block. The cool thing about this bit of code is that it can be extended to redirect other areas of Drupal to https as needed.
I hope this helps.
Thanks! Mark
On Jun 12, 2006, at 3:46 AM, dondi_2006 wrote:
> Greetings,
> I've just realized that (at least with default settings) the admin section of a Drupal website is accessible via normal http, that is, I guess also the password when I log in is transmitted in plain text.
> How do I make sure that all admin pages, and those only, are sent via https, and that username and passwords are sent encrypted from the browser?
> TIA, O.
-- [ Drupal support list | http://lists.drupal.org/ ]
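Added example (not part of the original thread and not Drupal's or the securepages module's code): a variant of the settings.php check above that matches whole path segments, also handles non-clean URLs of the form ?q=user/login, treats HTTPS=off as plain HTTP, and builds the redirect from a fixed host name instead of the request's Host header. The host name, the prefix list including admin, the example_ function names and a Drupal install at the web root are assumptions.

```php
<?php
// Added example for sites/default/settings.php; not the code from the post.
// Assumptions: the host name and the protected prefixes below are placeholders.
$canonical_host = 'yoursite.domain.com';    // fixed value, never taken from the request
$secure_prefixes = array('user', 'admin');  // first path segments that require HTTPS

// Return the Drupal path of a request, for clean URLs (/user/login)
// and for non-clean URLs (/?q=user/login, /index.php?q=user/login).
function example_request_path($request_uri) {
  $parts = parse_url($request_uri);
  if (!empty($parts['query'])) {
    parse_str($parts['query'], $query);
    if (isset($query['q']) && is_string($query['q'])) {
      return trim($query['q'], '/');
    }
  }
  $path = isset($parts['path']) ? $parts['path'] : '';
  return trim($path, '/');
}

// TRUE when the first path segment is one of the protected prefixes.
// Comparing whole segments keeps /userguide from matching "user".
function example_needs_https($request_uri, $prefixes) {
  $segments = explode('/', strtolower(example_request_path($request_uri)));
  return in_array($segments[0], $prefixes, TRUE);
}

// Some servers set HTTPS to "off" for plain HTTP instead of leaving it unset.
function example_is_https($server) {
  return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
$needs_https = example_needs_https($uri, $secure_prefixes);

// Redirect protected paths that arrived over plain HTTP (skipped on the CLI).
if ($needs_https && !example_is_https($_SERVER) && PHP_SAPI !== 'cli') {
  header('Location: https://' . $canonical_host . $uri);
  exit();
}
$base_url = ($needs_https ? 'https' : 'http') . '://' . $canonical_host;
```

As with the posted snippet, a login form rendered on a plain-HTTP page (the login block) is outside what this check covers.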
Hi,
Or you can take a look at the securepages module which will transfer you between http and https
Gordon.
Gordon,
That is very nice! It is great to have a way to do this via a module and not having to add code to settings.php.
Thanks! Mark
On Jun 12, 2006, at 8:44 AM, Gordon Heydon wrote:
> Hi,
> Or you can take a look at the securepages module which will transfer you between http and https
> Gordon.
Hi,
Mark Shropshire wrote:
> Gordon,
> That is very nice! It is great to have a way to do this via a module and not having to add code to settings.php.
With 4.6 you need to add some code to the settings.php, but with 4.7 and above you don't need to do anything.
Gordon.