diff --git a/crowd.module b/crowd.module index c1ff067..ff487c6 100644 --- a/crowd.module +++ b/crowd.module @@ -231,8 +231,18 @@ function _crowd_process_redirects() { * successful, or an empty array upon failure. */ function crowd_login_remote($username, $password, $show_reject_message = TRUE) { - global $user; + global $user, $is_https; $crowd_user = array(); + // Initiating a crowd session depends on our ability to set a Crowd cookie. + // If configured to set a secure cookie then we cannot continue over an + // insecure connection. + if (variable_get('crowd_secure_sso_cookie', FALSE) && !$is_https) { + if ($show_reject_message) { + drupal_set_message(t('Authentication is not currently allowed over an insecure (http) connection.'), 'error'); + } + watchdog('crowd', 'User %username could not be authenticate against Crowd over an insecure connection because the "Secure SSO Cookie" option is set.', array('%username' => $username), WATCHDOG_NOTICE); + return $crowd_user; + } try { // Attempt to authenticate the user in Crowd. $crowd_client = crowd_client_connect(); @@ -716,7 +726,11 @@ function crowd_get_set_cookie_data($token = NULL) { $_COOKIE[$cookie_name] = $token; return $token; } - return !empty($_COOKIE[$cookie_name]) ? $_COOKIE[$cookie_name] : NULL; + // If the Secure SSO Cookie option is active, and we have an insecure + // connection, ignore any tokens that may be set. Otherwise, return the + // token. + global $is_https; + return (variable_get('crowd_secure_sso_cookie', FALSE) && !$is_https) || empty($_COOKIE[$cookie_name]) ? NULL : $_COOKIE[$cookie_name]; } diff --git a/includes/crowd.admin.inc b/includes/crowd.admin.inc index f9ba02b..2e0c1cc 100644 --- a/includes/crowd.admin.inc +++ b/includes/crowd.admin.inc @@ -11,6 +11,7 @@ * Menu callback function to generate the module configuration form. */ function crowd_admin_settings($form, $form_state) { + global $is_https; // Run a quick check to see if the connection is working with the current // configuration. if (empty($form_state['input'])) { @@ -96,11 +97,14 @@ function crowd_admin_settings($form, $form_state) { '#description' => t('The domain that SSO cookies should be generated for (such as .mydomain.com).'), ); + $crowd_secure_sso_cookie_disabled = !$is_https && !variable_get('crowd_secure_sso_cookie', FALSE); + $crowd_secure_sso_cookie_disabled_message = $crowd_secure_sso_cookie_disabled ? '' . t('This option can only be enabled over a secure connection.') . '' : ''; $form['cookie_options']['crowd_secure_sso_cookie'] = array( '#type' => 'checkbox', '#title' => t('Secure SSO cookie'), '#default_value' => variable_get('crowd_secure_sso_cookie', FALSE), - '#description' => t('If checked, the "Secure" flag is set on the cookie. This will break SSO for applications not accessed over SSL/TLS (https://), potentially making logging into Crowd impossible.'), + '#disabled' => $crowd_secure_sso_cookie_disabled, + '#description' => t('If enabled, the "Secure" flag will be set on the SSO cookie when a session is initiated by Drupal, and any insecure SSO cookies set by other applications will be ignored. This will break SSO for any applications not using a secure connection (SSL/TLS), including Drupal. Additionally, users will not be able to log in to Drupal with Crowd credentails over an insecure connection when this option is active.') . ' ' . $crowd_secure_sso_cookie_disabled_message, ); $form['cookie_options']['crowd_logout_no_cookie'] = array(