[drupal-devel] remote auth and required email/password fields

Chris Johnson chris at tinpixel.com
Thu Mar 17 03:07:32 UTC 2005

Karoly Negyesi wrote:
>>have a fallback mechanism where we try https and if that fails, we use
> When I have tried introducing HTTPS into Drupal, it was said that something 
> named phplib is the solution not https. May or may not be relevant in this 
> discussion.

I would say that PHPLIB's technique[1] for avoiding sending auth information 
in clear text is a good solution for those who can't afford to go the HTTPS 
route.  Adding SSL code to Drupal's remote or local auth would be a black hole 
for resources.  Local auth HTTPS should remain at the server.  If an admin is 
running a site where security is that important, his or her server ought to be 
running HTTPS, and most browsers out there support it directly.  That does not 
solve the remote auth problem, however.  But HTTPS seems more work than it is 
worth at this point.

client side:  crlogin.ihtml: http://tinyurl.com/6ysow
server side:  local.inc, Example_Challenge_Auth(): http://tinyurl.com/3wvyo

Chris Johnson

More information about the drupal-devel mailing list