Does Drupal offer secure logons? You may notice that Yahoo Groups, Hotmail, Gmail, Schwab, and, well, just about every site that has to worry about security on a daily basis, makes sure that you can log on via HTTPS so that your username and password don't get nabbed. There are a lot of people using open WiFi hotspots these days and it's so trivial to steal usernames/passwords.
But maybe Drupal already offers this option and I don't know about it? It's certainly easy enough to add.

Cheers

JL

Comments

killes@www.drop.org wrote:

Drupal in principle offers this feature. You can set your base URL to start with https instead of http. This will cause all of your traffic to be encrypted, though, and might add significant overhead to the server. It would be nice to enable https only for logged-in users and the /user page.
--
If you have troubles with a particular contrib project, please consider filing a support request. Thanks.

slimandslam wrote:

Yes, clearly the way to go is to have only the login/password sequence use HTTPS. I guess I'm just surprised that this isn't a standard part of the Drupal functionality.

killes@www.drop.org wrote:

If you only want to have the actual login page handled by https, then you are lucky. In conf.php you can execute any PHP code. You can check whether the requested page contains /user and then set the base URL to contain https. You need to disable the login block or replace it with a link to the login page.

--
If you have troubles with a particular contrib project, please consider filing a support request. Thanks.

mr700 wrote:

Isn't the url() function a better and more flexible place to do so? I was thinking of a url() patch to select https: over http: based on a list of URLs like 'admin/*', 'user/*', 'logout', 'tracker/*' and anything else the admin desires...

chx wrote:

I created a patch which implements this. Test it, please: At the bottom of admin/user/configure you'll find a new checkbox. Check it and try -- of course, not on a real Drupal site, as you may find yourself locked out...

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

jamida wrote:

Could I set the front page to present an HTTPS page for unauthorized users and then present the regular HTTP pages for authorized users?

Does this still leave a security risk or will this work?

mpd wrote:

I just put this module up a few days ago. It protects against replay attacks. It's not SSL, but it is an improvement. There are links on the project page to definitions, examples and the implementation (thx, PHPLib).
http://www.drupal.org/node/19244

Regarding SSL, it's worth reading over the comment submitted by killes@www.drop.org at http://drupal.org/node/13240 .

bkonia wrote:

Here's a simple way to do secure login that doesn't require any patching to the Drupal core modules:

In your settings.php file, replace:

$base_url = "http://www.yourwebsite.com";

with the following code:

// strcasecmp() returns 0 on a match, so this is true when the request path begins with "/user".
$is_user_page = !strcasecmp(substr($_SERVER['REQUEST_URI'], 0, 5), '/user');
// Some servers set $_SERVER['HTTPS'] to "off" instead of leaving it unset, so test the value, not just isset().
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';

// A user page requested over plain HTTP: send the browser to the same URL over HTTPS and stop.
if ($is_user_page && !$is_https) {
  header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
  exit();
}
// Build $base_url with the scheme that matches the page, so the links Drupal generates use the same scheme.
if ($is_user_page) {
  $protocol = "https";
}
else {
  $protocol = "http";
}
$base_url = $protocol . "://www.yourwebsite.com";

This will make all the "user module" pages secure and all the other pages on the site will be non-secure. After you log in, you will notice that the links to all your pages will be secure (https) links. However, after you click on any of the links, subsequent pages will be non-secure. In other words, the first page you go to after you log in will always be secure, but it will then automatically switch back to non-secure mode.

neofactor wrote:

This sounds like a great MOD to do what we need.

Any word on DRUPAL adding a solution to CORE? All of those LDAP modules should require such an implementation.

mr700 wrote:

This will not work; you will just fool yourself and the users if you use the login box!!!

Please look at http://drupal.org/node/13240#comment-38062 first. This will just redirect "the form submission" from the login box, at which time "(the username and the password) have already crossed the wire" as neale says.

This idea can probably be useful only if you do not use the login block but provide a link to /user. This way the submission will be done while in SSL mode.

PS: http://drupal.org/node/13231#comment-20893 explains this too

kylehase wrote:

bkonia,

Could you explain the logic of your code? I'm a bit confused. I did the following, which seems to work. Of course you have to supply a login link as opposed to the block.

// Look for the login and edit pages but ignore other user pages, since passwords are only transmitted here.
$secure_pages = '/.*((user\/\d{1,4}\/edit)|(user))$|.*user\/login.*/sm';
$is_secure_page = preg_match($secure_pages, $_SERVER['REQUEST_URI']);
// Test the value of HTTPS, not just isset(): some servers set it to "off" rather than leaving it unset.
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';

if ($is_secure_page) {
    if (!$is_https) {
      // Credential page requested over plain HTTP: move to HTTPS before the form is shown.
      header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
      exit();
    }
}
elseif ($is_https) {  // switch back to http if using https on other pages.  This helps speed.
    header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit();
}
// Use the same decision for $base_url so Drupal generates links with the matching scheme.
if ($is_secure_page) {
    $protocol = "https";
}
else {
    $protocol = "http";
}
$base_url = $protocol . "://example.com";

If anyone else has tips on this please let me know.
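A hardened variant of the settings.php approach discussed in this thread, added here as an example and not posted by anyone above. It assumes a placeholder canonical host (www.example.com) and an assumed $trust_forwarded_proto switch, covers the password-reset paths as well as login and account edit (going beyond the regexes above), and treats a credential POST that arrives over plain HTTP as an error instead of redirecting it, since by then the password has already crossed the wire.

```php
<?php
// Added example for settings.php (not from this thread). The placeholder host
// and the $trust_forwarded_proto switch are assumptions for illustration.
$canonical_host = 'www.example.com';   // placeholder: your site's real host name
$trust_forwarded_proto = FALSE;        // TRUE only behind a TLS-terminating proxy you control

// Pages that display or receive credentials: login, password reset, account
// edit. Anchored at the path start so e.g. "/browser" is not matched, and
// written to accept both clean URLs and "?q=" URLs.
$secure_paths = '#^/(index\.php)?(\?q=)?user(/(login|password|reset/.*|\d+/edit))?(\?|$)#';

// Detect TLS robustly: some SAPIs set HTTPS to "off" instead of leaving it unset.
$is_https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
if (!$is_https && $trust_forwarded_proto && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
  $is_https = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
}

$needs_https = (bool) preg_match($secure_paths, $_SERVER['REQUEST_URI']);

if ($needs_https && !$is_https) {
  if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The credentials were already sent in clear text, typically because a
    // login block was rendered on an HTTP page. Redirecting the POST would
    // only hide the misconfiguration, so refuse it and make the cause visible.
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    exit("Logins must be submitted over HTTPS. Please use the secure login page.");
  }
  // Plain GET/HEAD: send the browser to the HTTPS version on the canonical
  // host. The Host header is never echoed back, so a forged Host cannot
  // steer the redirect elsewhere.
  header('Location: https://' . $canonical_host . $_SERVER['REQUEST_URI'], TRUE, 301);
  exit();
}

// Let Drupal build links with the scheme that matches the current page.
$base_url = ($needs_https ? 'https' : 'http') . '://' . $canonical_host;
```

As with the snippets above, the login block must be disabled or replaced by a link to /user, otherwise the block's form on an HTTP page will still post the password in the clear and now receive the 403.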

lamojo wrote:

I was about to try to arrange it through the RewriteEngine in .htaccess, but this saves me a lot of puzzling...

Shouldn't these security matters, like secure login and obfuscated e-mail addresses etc., be The First Things you would expect to sit in Drupal core?!? Beats me...!

tonyliuh wrote:

I cannot install the securepages module on my Drupal 6.2. Does anyone have the same experience? I am a newbie to Drupal, but I need this feature badly. Thanks a lot!

greg.harvey wrote:

It is in a dev version, as are many modules for 6. If you're a newbie, I recommend you stick with 5.7 until 6 has better module support!

--
http://www.drupaler.co.uk/

kuson wrote:

I think you must make sure that you have HTTPS enabled for your site (generated SSL keys and certificates), or manually use https://(yourwebsite) and see if that works.

If it doesn't, then you know.
If it works, then most likely you have to configure it under the administrator user settings (site configuration / secure pages). Make sure all the paths you want to secure are listed there.

However, I still dunno how to secure the login username and password. Anyone who knows? I'm at kusons@gmail.com and appreciate it. Thx.

----------------------------------------------------------------------
EDIT

A nice workaround I found is in the previous posts --- enable a link from the homepage to the 'user' path, and set the 'user' path to use SSL in secure pages. That way, if someone wants to log in, he will be directed to the 'user' path first (showing the username and password form) in an SSL-protected environment.

"Lets Make Things Better"

tetmo wrote:

I played around with this quite a bit and got my .htaccess file to automatically redirect every page to https. So below is Drupal's .htaccess file. The only modification you need to make is to add two lines. Those lines are in the section: # Redirect to https version of site. Please note that some (still incomplete) testing suggests that the location of those two lines is important. Someone better at Apache rewrite rules could probably explain why. Anyway, this works great for my site. Also, note that this redirects to the www version of the site all the time, but that can be commented out easily per the comments in the file.

#
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php

# Set the default handler.
DirectoryIndex index.php index.html index.htm

# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_environment_initialize() in
# includes/bootstrap.inc for settings that can be changed at runtime.

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
  php_flag magic_quotes_gpc                 off
  php_flag magic_quotes_sybase              off
  php_flag register_globals                 off
  php_flag session.auto_start               off
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_flag mbstring.encoding_translation    off
</IfModule>

# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
  # Enable expirations.
  ExpiresActive On

  # Cache all files for 2 weeks after access (A).
  ExpiresDefault A1209600

  <FilesMatch \.php$>
    # Do not allow PHP scripts to be cached unless they explicitly send cache
    # headers themselves. Otherwise all scripts would have to overwrite the
    # headers set by mod_expires if they want another caching behavior. This may
    # fail if an error occurs early in the bootstrap process, and it may cause
    # problems if a non-Drupal PHP file is installed in a subdirectory.
    ExpiresActive Off
  </FilesMatch>
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

  # Set "protossl" to "s" if we were accessed via https://. This is used later
  # if you enable "www." stripping or enforcement, in order to ensure that
  # you don't bounce between http and https.
  RewriteRule ^ - [E=protossl]
  RewriteCond %{HTTPS} on
  RewriteRule ^ - [E=protossl:s]

  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. Files whose names begin with a period, as well
  # as the control files used by CVS, are protected by the FilesMatch directive
  # above.
  #
  # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
  # not possible to block access to entire directories from .htaccess, because
  # <DirectoryMatch> is not allowed here.
  #
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "(^|/)\." - [F]

  # If your site can be accessed both with and without the 'www.' prefix, you
  # can use one of the following settings to redirect users to your preferred
  # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
  #
  # To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/... will be redirected to http://www.example.com/...)
  # uncomment the following:
  RewriteCond %{HTTP_HOST} .
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  #
  # To redirect all users to access the site WITHOUT the 'www.' prefix,
  # (http://www.example.com/... will be redirected to http://example.com/...)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  # RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]

  # Modify the RewriteBase if you are using Drupal in a subdirectory or in a
  # VirtualDocumentRoot and the rewrite rules are not working properly.
  # For example if your site is at http://example.com/drupal uncomment and
  # modify the following line:
  # RewriteBase /drupal
  #
  # If your site is running in a VirtualDocumentRoot at http://example.com/,
  # uncomment the following line:
  # RewriteBase /

  # Redirect to https version of site.
  # Some quick testing suggested that this needs to come before the "RewriteRule ^ index.php [L]" below.
  RewriteCond %{HTTPS} off
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # Pass all requests not referring directly to files in the filesystem to
  # index.php. Clean URLs are handled in drupal_environment_initialize().
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^ index.php [L]

  # Rules to correctly serve gzip compressed CSS and JS files.
  # Requires both mod_rewrite and mod_headers to be enabled.
  <IfModule mod_headers.c>
    # Serve gzip compressed CSS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.css $1\.css\.gz [QSA]

    # Serve gzip compressed JS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.js $1\.js\.gz [QSA]

    # Serve correct content types, and prevent mod_deflate double gzip.
    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
    RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]

    <FilesMatch "(\.js\.gz|\.css\.gz)$">
      # Serve correct encoding type.
      Header set Content-Encoding gzip
      # Force proxies to cache gzipped & non-gzipped css/js files separately.
      Header append Vary Accept-Encoding
    </FilesMatch>
  </IfModule>
</IfModule>