[development] Security and Drupal

mfburdett at gmail.com
Mon Jan 10 02:21:11 UTC 2011


Hi, you could try the Secure Login module. Disable the Secure Login setting that
redirects https logins back to http. In Apache, configure the https vhost to
enable the PHP session.cookie_secure setting. Now all logins will be via
https and the authenticated session cookie will only be sent from/to the
https site (anonymous sessions on http will still be possible as long as you
only enable session.cookie_secure on the https site).

--mark B.
On Jan 9, 2011 12:37 AM, "Austin Einter" <austin.einter at gmail.com> wrote:
> Hi All
> I just made a site using Drupal6.2 and in front page I have kept "user
> login" block. I hosted this site using some third party web server.
>
> I tried to login to new site from my PC using my user name and password and
> prior to that I was capturing the packets those were being sent/received by
> my PC.
> By checking few packets content I could figure out the user name and
> password in plain text.
>
> So it looks others can see these packets and get the administrative user
> name and corresponding password and hence can modify site content and it is
> really dangerous.
> I assume people must have thought of it and there should be some way to make
> sure username and password should be encrypted by default hence avoiding
> third party role in site content modification.
>
> Please guide in this regard and provide some pointers how can I make
> username/password secure while logging in sites based on Drupal.
>
> Regards
> Austin
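
A check for the setup described in the reply above, as an added example that is not part of the original thread: it inspects the Set-Cookie headers each vhost returns and flags a session cookie that lacks Secure on https or carries it on http. The `SESS` cookie-name prefix and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit the Set-Cookie headers returned by each vhost.
# Assumption: the Drupal session cookie name starts with "SESS".
SESSION_PREFIX = "SESS"


def parse_set_cookie(header):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(scheme, set_cookie_headers):
    """Check the session cookies one vhost sets; return (name, problem) pairs."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not name.startswith(SESSION_PREFIX):
            continue  # not a session cookie (e.g. a UI preference cookie)
        secure = "secure" in attrs
        if scheme == "https" and not secure:
            findings.append((name, "no Secure attribute: cookie is also sent over http"))
        elif scheme == "http" and secure:
            findings.append((name, "Secure attribute on http vhost: anonymous sessions will not persist"))
    return findings


# Constructed sample headers (not captured from a real site).
SID = "SESS0123456789abcdef0123456789abcdef"
HTTPS_OK = [SID + "=aaaa; path=/; secure; HttpOnly", "has_js=1; path=/"]
HTTPS_BAD = [SID + "=bbbb; path=/; HttpOnly"]   # session.cookie_secure not enabled
HTTP_ANON = [SID + "=cccc; path=/; HttpOnly"]   # anonymous session on http, as intended
HTTP_BAD = [SID + "=dddd; path=/; secure"]      # cookie_secure enabled on the wrong vhost

if __name__ == "__main__":
    cases = [("https ok", "https", HTTPS_OK), ("https bad", "https", HTTPS_BAD),
             ("http anon", "http", HTTP_ANON), ("http bad", "http", HTTP_BAD)]
    for label, scheme, headers in cases:
        print(label, audit(scheme, headers) or "ok")
```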