Closed (won't fix)
Project:
Secure Pages
Version:
4.7.x-1.x-dev
Component:
Code
Priority:
Critical
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
30 Nov 2006 at 02:47 UTC
Updated:
26 Oct 2010 at 23:58 UTC
This is a great module. It answers a lot of security questions I've had about Drupal.
However, I've noticed that it does not support URL aliases in the list of pages that use/don't use SSL. I have come custom node types that are restricted to certain users. I'd like to be able use a SSL connection when those users with the appropriate permissions access these nodes in "view" mode.
I'd unselect "switch back to http" to solve the problem - but really affects performance. Also, if an non-registered site visitor accidently goes to "user/login", they'll have a secure connection for the rest of the time they are on the site.
Thanks,
-S
Comments
Comment #1
wishcow commentedI wrote a quick solution for this. In the securepages.module file (I actually added this to drupal 5),
in the securepages_init function, I added 2 lines, which fixed the problem:
function securepages_init() {
...
$path = $_GET['q'];
$page_match = securepages_match($path);
// PATCH:
if (!$page_match)
$page_match = securepages_match(request_uri());
...
}
This checks the external url if the internal url failed in the match.
I am new to Drupal, so I don't know how to write patches yet, I will post one as soon as I can.
Comment #2
wishcow commentedEek, sorry, made a mistake.
You need to remove the heading "/" character first.
$page_match = securepages_match(ltrim(request_uri(), "/"));
Comment #3
schnuckovic commentedI found this working better when you have your drupal installation not at the host's root:
$page_match = securepages_match($path);
if (!$page_match){
$page_match = securepages_match(drupal_get_path_alias($path));
}
I'm currently testing on the server, so the URL is http://example.com/test/, thus request_uri() still contains the 'test' part in my example.
Not sure how this works if there's various aliases to a node.
Shouldn't this feature be part of the module?
Comment #4
schnuckovic commentedI found this working better when you have your drupal installation not at the host's root:
$page_match = securepages_match($path);
if (!$page_match){
$page_match = securepages_match(drupal_get_path_alias($path));
}
I'm currently testing on the server, so the URL is http://example.com/test/, thus request_uri() still contains the 'test' part in my example.
Not sure how this works if there's various aliases to a node.
Shouldn't this feature be part of the module?
Comment #5
schnuckovic commentedthis:
if (!$page_match){
$page_match = securepages_match(drupal_get_path_alias($path));
}
seemed to work at the beginning, but then I found out that the call to drupal_get_path_alias() throws an error sometimes that it's not available.
I'm using a different approach now. I'm back to the original settings in the secure_pages module and added this line to my settings.php:
ini_set('session.cookie_secure', 1);
The login is secure and the session will be valid for https only with this setting. As soon as the users tries to request a page using http she gets logged out.
It's not 100% what I wanted, but now I can be sure that the pages that only some authenticated users are allowed to see are always encrypted.
Comment #6
grendzy commentedautomatically closed - The 4.7 branch is no longer supported. If this issue is present in a currently supported version, please change the version field and re-open. Thanks!
Comment #7
seanberto commentedSure, Grendzy, close out my tickets without love. ;)
Hope all is well.
-sean