Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I just enabled the module and noticed by default there is a config line to secure the url:
user/*
On my site I log in by visiting /user - which is the sort of "default" isn't it? Anyway I was able to log in without encountering an HTTPS page. So I changed the config to user* and now I can only log in over HTTPS. Shouldn't this setting be in the defaults? Isn't that the first thing you would want to secure?
Comment | File | Size | Author |
---|---|---|---|
#10 | securepages-n264987.patch | 1.3 KB | DamienMcKenna |
Comments
Comment #1
VM CreditAttribution: VM commentedI assume you log in through user because you've disabled the login block ?
do you get an https when using the block ?
Comment #2
fletchgqc CreditAttribution: fletchgqc commented1. Yes, correct.
2. Haven't tried, it's not really relevant for me.
Comment #3
VM CreditAttribution: VM commentedwhile it may not be relevant for you, it is relevant to the request and your question about whether or not it should be a default setting.
Comment #4
compudaze CreditAttribution: compudaze commentedHow would I secure login with this module?
Comment #5
VM CreditAttribution: VM commentedI'd think you would want to investigate the securelogin.module
Comment #6
fletchgqc CreditAttribution: fletchgqc commentedOr just add /user to the pages to be viewed over HTTPS.
Comment #8
DamienMcKennaThe v6.x-1.7 release secures the user/* pages by default.
Comment #9
fletchgqc CreditAttribution: fletchgqc commented"user/*" does not match "user"
The ideal solution would be two lines:
user/*
user
Comment #10
DamienMcKennafletchgqc: Correct. I've attached a tiny patch for the D6 branch to add it in. It also separates the main admin page vs the sub-pages, to have them listed in the same format.
Comment #11
Matt V. CreditAttribution: Matt V. commentedI applied the patch listed in comment #10 to version 6.x-1.8 of the module. It applied without any trouble and appears to work as advertised. I think it is an important patch because someone who just accepts the defaults after installing this module could easily be under the mistaken impression that user logins are secure, when they may not be.
Comment #12
YK85 CreditAttribution: YK85 commentedsubscribing
will this patch be committed to the core Secure Pages module?
Comment #13
robby.smith CreditAttribution: robby.smith commentedsubscribing, +1 for commit
Comment #14
izmeez CreditAttribution: izmeez commented[EDIT]: Please ignore my earlier comments which are below. I have tested this again from scratch. The first thing I did was make sure that no wysiwyg editor was on in the securepages configuration. Then everything is fine. The default pages to secure and ignore appear on separate lines and the user/* seems to work but I had to add user* for cases when the url http://example.com/user is used.
Thanks for the module.
Izzy
[/EDIT]
Previous comments to disregard:
Just using securepages module for the first time. Thank you very much.
I'm also glad that I found this issue.
I am using Logintoboggan and even though it is configured to link to the login page I was having trouble getting that to be secured over SSL if I have the switch to non-secure checkbox selected.
I tried "user" but this did not work neither did "user/*", however "user*" seems to work. Not sure why?
I also found I had to edit the securepages configuration so that each item was on a separate line instead of all on a single line. I may have to test this further to confirm.
Thanks,
Izzy
Comment #15
nschloe CreditAttribution: nschloe commentedsubscribing, have the same issue
Comment #16
gordon CreditAttribution: gordon commented* I have committed this to dev.