[development] Security and Drupal

Darren Oh darrenoh at sidepotsinternational.com
Sun Jan 9 14:20:46 UTC 2011


You need to require SSL on every page that you want to control access to. If only the log-in page requires an SSL connection, an attacker does not need your user name and password. Drupal uses cookies for authentication. A cookie is sent with every page request, so observing any traffic at all enables an attacker to gain full control of your account.

On Jan 9, 2011, at 4:23 AM, FGM wrote:

> You can configure your site to use https on pages where you want to login; that way the auth information does not cross the net in clear form. It takes some planning to do correctly, though, especially if you don't want the whole site to be accessed over S-HTTP, for performance reasons.
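The mechanism described in this message, a session cookie leaking over any plain-HTTP request, is easy to demonstrate with a stock cookie jar. The following is an added example, not code from the original message or from Drupal: it stores a constructed session cookie (the name and value are made up) in Python's `http.cookiejar` and checks whether the jar attaches it to an `http://` versus an `https://` request, first without and then with the cookie's `Secure` attribute. The `Secure` attribute is the browser-side counterpart of "require SSL on every page": a cookie marked `Secure` is never sent over cleartext HTTP, so a user who follows an `http://` link by mistake does not hand the session to an observer. On the server side the same effect is obtained with PHP's `session.cookie_secure` directive (how a given Drupal version sets it is not covered by this message, so that is left as an assumption).

```python
import http.cookiejar
import urllib.request

# Constructed sample values; a real Drupal session cookie has a different name and value.
SESSION_COOKIE_NAME = "SESSexample"
SESSION_COOKIE_VALUE = "constructed-session-id"
SITE_HOST = "example.org"


def make_jar(secure: bool) -> http.cookiejar.CookieJar:
    """Return a cookie jar holding one session cookie for SITE_HOST.

    `secure` controls the cookie's Secure attribute, which tells the client
    to send the cookie only over TLS.
    """
    jar = http.cookiejar.CookieJar()
    cookie = http.cookiejar.Cookie(
        version=0,
        name=SESSION_COOKIE_NAME,
        value=SESSION_COOKIE_VALUE,
        port=None,
        port_specified=False,
        domain=SITE_HOST,
        domain_specified=True,
        domain_initial_dot=False,
        path="/",
        path_specified=True,
        secure=secure,
        expires=None,      # session cookie, no expiry
        discard=True,
        comment=None,
        comment_url=None,
        rest={},
    )
    jar.set_cookie(cookie)
    return jar


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str):
    """Build a request for `url` and return the Cookie header the jar would attach.

    Returns None when the jar's policy refuses to send the cookie for that URL,
    which is the case for a Secure cookie on an http:// request.
    No network traffic is generated; only the header decision is made.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def exposure_report(secure: bool) -> dict:
    """Map each scheme to whether the session cookie would be transmitted."""
    jar = make_jar(secure)
    return {
        "http": cookie_header_for(jar, f"http://{SITE_HOST}/node/1") is not None,
        "https": cookie_header_for(jar, f"https://{SITE_HOST}/user") is not None,
    }


if __name__ == "__main__":
    # Without Secure, the cookie rides along on every plain-HTTP page view,
    # which is exactly the exposure the message above warns about.
    print("Secure flag off:", exposure_report(secure=False))
    # With Secure, cleartext requests carry no session cookie at all.
    print("Secure flag on: ", exposure_report(secure=True))
```

Run it directly to see the two reports side by side; no requests leave the machine. The check only covers the cookie attribute, so it complements rather than replaces forcing HTTPS for every authenticated page on the server.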

