Closed (won't fix)
Project:
Secure Login
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Reporter:
Created:
27 Apr 2012 at 08:15 UTC
Updated:
27 Sep 2014 at 10:21 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
mfbThis would be a feature request - or a separate module. It would require setting a cookie without the 'secure' flag on login, and unsetting it on logout. And it would have to be optional behavior as it would result in information leakage over the HTTP connection (some sites want to hide the fact that the client is logged in from eavesdroppers by only passing cookies over HTTPS connections).
Comment #2
Nephele commentedA module providing this capability already exists, namely auth_ssl_redirect. I've successfully tested it together with securelogin.
@mfb: Your comments led me to wonder about the security of the auth_ssl_redirect module. I've started an issue (#1912632: Security implications of module) and would appreciate any further insight you could provide.
Comment #3
mfbI'll mark this as fixed as there is already a module providing the feature (which I'll take a look at if/when I get a chance).
Comment #5
SilviuChingaru commentedThis module break functionality of modules that uses sessions to store data. More details here: #1956254: Auth SSL Redirect should provide also a SESSSSL cookie.
I also think that we should merge auth_ssl_redirect functionality into this module. I don't think it should be another module to use or maintain for redirect functionality only (note that mentioned module has only 3 functions). We should make this module a strong module that implements "from the box" all SSL log in functionality (maybe with configurable options but all in one place).
I don't think that someone wants to implement a module to have users auth via ssl but when comming back to confuse them as they are not logged in anymore, or add some products to carts and cart is empty on log in or on return.
Comment #6
SilviuChingaru commentedInitial patch for your consideration. It works like this:
If a session is set we set a cookie so we know to redirect to https from http any user that has a https session started. This way we make sure that any modules that uses session directly like ubercart or commerce is also redirected to secure site (the cart is not empty on next visit).
As I have said earlier I think there is no need for a custom module like auth_ssl_redirect with 3 function but one useless (_auth_ssl_redirect_cookie_domain is helper function to find the cookie domain but in fact it should use session_get_cookie_params() and use 'domain' key) so the module has in fact 2 functions.
Also I don't think we should provide this as an option because if the user session is forced to SSL so should be any session on that site. Correct me if I'm wrong.
I don't know if we should do something if we detect there is an insecure session set? Should we port that session on first install?
Comment #7
SilviuChingaru commentedComment #8
SilviuChingaru commentedAdded options:
- redirect to insecure on logout
- force anonymous to insecure
Should we implement also something like:
??? If a form is posted we get redirected so our hook_boot is called to set the cookie. I don't know if can be a case where this hook is neded but I'm not so sure. I'm waiting for your suggestions.
Comment #9
SilviuChingaru commentedThere is a problem with sessions set by other modules but in submit functions for forms not submitted to secure url.
The best way to handle this is to store session in db on form submit or redirect to secure and restore it on secure site.
Also we could provide an option like "Force secure session" and on hook_exit() we can check if a session is set and if it is store it in db, redirect user to secure url and delete stored session from db.
To know what session to restore from db on secure site we save the index of stored session in SECUREAUTH cookie.
I'll provide a patch in couple of days.
Comment #10
SilviuChingaru commentedComment #11
wxman commentedI've been playing with the patched version on my site. I found I'm having problems with " Force anonymous to insecure ". Maybe something is set up wrong on mine, but if that's checked, users can't log in without getting a redirect loop error. If I un-check that, and check "Redirect to insecure on log out", they can login, but after log out they stay on HTTPS. Maybe I should just leave everything on HTTPS all the time?
Comment #12
SilviuChingaru commentedYou could leave https always on but with price of not using varnish for example and initial request pairing latency of https.
I saw this bug also but I saw no interest in this feature from maintainer or other users and I didn't work on this project anymore.
Comment #13
wxman commentedAll I really wanted was to encrypt any form, or pages with personal data on them. I would rather not have the whole site https unless I have to. I've been thinking of trying the Secure Pages module, but that seems to have problems too.
Comment #14
SilviuChingaru commentedI know, that was my problem too... So I came to this module but it doesn't work right. I'll look into it again when I'll have a little time.
Comment #15
mfbI'd really like to keep this module as small and simple as possible. Looks to me like this patch could be a standalone module that you contribute.