[development] Security and Drupal

FGM fgm at osinet.fr
Sun Jan 9 09:23:42 UTC 2011


You can configure your site to use https on pages where you want to login; 
that way the auth information does not cross the net in clear form. It takes 
some planning to do correctly, though, especially if you don't want the 
whole site to be accessed over S-HTTP, for performance reasons.

----- Original Message ----- 
From: "Austin Einter" <austin.einter at gmail.com>
To: <development at drupal.org>; <support at drupal.org>
Sent: Sunday, January 09, 2011 9:36 AM
Subject: [development] Security and Drupal


Hi All
I just made a site using Drupal 6.2 and on the front page I have kept a "user 
login" block. I hosted this site using some third-party web server.

I tried to log in to the new site from my PC using my user name and password, and 
prior to that I was capturing the packets that were being sent/received by 
my PC.
By checking a few packets' content I could figure out the user name and 
password in plain text.

So it looks like others can see these packets and get the administrative user 
name and corresponding password, and hence can modify site content, and it is 
really dangerous.
I assume people must have thought of it and there should be some way to make 
sure the username and password are encrypted by default, hence avoiding any 
third-party role in site content modification.

Please guide me in this regard and provide some pointers on how I can make the 
username/password secure while logging in to sites based on Drupal.

Regards
Austin
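FGM's reply above describes serving only the login pages over HTTPS while the rest of the site stays on plain HTTP. The following Drupal 6 module is an added illustration of that setup, not code from either poster or from Drupal core or any contrib module. The module name "login_https" is hypothetical; it assumes the Drupal 6 core APIs hook_init(), hook_form_alter(), drupal_goto() and base_path(), the internal path in $_GET['q'], and a web server that sets $_SERVER['HTTPS'] to "on" for TLS requests.

```php
<?php
// login_https.module (hypothetical module name, added example).
// Forces the login form POST and the user/admin paths onto https:// while
// leaving every other page of the site on plain http://.

/**
 * Implements hook_form_alter().
 *
 * The "user login" block renders on an http:// front page, and its form
 * would post back to that same http:// page. Pointing the form action at an
 * absolute https:// URL means the credentials themselves travel encrypted.
 */
function login_https_form_alter(&$form, $form_state, $form_id) {
  if ($form_id == 'user_login_block' || $form_id == 'user_login') {
    $form['#action'] = login_https_url('user/login');
  }
}

/**
 * Implements hook_init().
 *
 * Redirects plain-http requests for the login and admin paths to https, so a
 * password typed on /user/login or an admin session is never sent in clear.
 */
function login_https_init() {
  if (login_https_is_secure()) {
    return;
  }
  $path = $_GET['q'];  // Drupal 6 keeps the internal (unaliased) path here.
  if (login_https_path_requires_https($path)) {
    // 301: browsers and caches learn that these paths live on https.
    drupal_goto(login_https_url($path), NULL, NULL, 301);
  }
}

/**
 * TRUE when the current request arrived over TLS (assumes the web server
 * sets $_SERVER['HTTPS'] the usual Apache/PHP way).
 */
function login_https_is_secure() {
  return isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';
}

/**
 * Decide which internal paths must be served over https. "user" covers
 * login, password reset and profile pages; "admin" covers the back end.
 * The prefix check requires a trailing slash so that e.g. "users" does
 * not match "user".
 */
function login_https_path_requires_https($path) {
  foreach (array('user', 'admin') as $prefix) {
    if ($path == $prefix || strpos($path, $prefix . '/') === 0) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Build an absolute https:// URL for an internal path. base_path() keeps
 * the URL correct when the site is installed in a subdirectory.
 */
function login_https_url($path) {
  return 'https://' . $_SERVER['HTTP_HOST'] . base_path() . $path;
}
```

Drop the file into sites/all/modules/login_https/ with a matching login_https.info, enable it, and the login block on the http:// front page will post to https://.../user/login while ordinary content pages stay on http. One caveat that is the "planning" FGM mentions: once the browser is logged in, the session cookie is sent along with every http:// page too, so a mixed site still exposes the session id in clear even though the password never was. Keeping the whole authenticated session on https (or the whole site, if performance allows) is what closes that gap.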
