I know HTTPS is the solution, but I need to prevent the password from being sent in clear text without HTTPS. I used the encrypt submission module, but it is not working on my end because I have defined some rules for particular users after login. I think that's why the module is not redirecting to the dashboard. Please help me avoid this problem.

Comments

sachinsuryavanshi’s picture

Did you use Roles and Permissions or an .htaccess file to achieve this?

simnav’s picture

I use the Rules module in Drupal 7 to define some rules, like after login:

{ "rules_after_login_rule" : {
    "LABEL" : "After Login Rule",
    "PLUGIN" : "reaction rule",
    "OWNER" : "rules",
    "REQUIRES" : [ "rules" ],
    "ON" : { "user_login" : [], "user_view" : [] },
    "IF" : [
      { "user_has_role" : { "account" : [ "account" ], "roles" : { "value" : { "4" : "4" } } } }
    ],
    "DO" : [ { "redirect" : { "url" : "cms\/myhomepage", "destination" : "1" } } ]
  }
}

sachinsuryavanshi’s picture

Try updating the .htaccess file for this requirement.

http://www.htaccesstools.com/articles/password-protection/

simnav’s picture

Do I need to upload a .htpasswd file? If yes, they mention a static user "test", but I have a dynamic user. I am confused.

sachinsuryavanshi’s picture

You can either encrypt the HTTP connection via HTTPS, or there are MD5 and other hashing algorithms implemented in JavaScript that can be used client side to hash the password client side before sending it.

I am not sure why you are not using HTTPS in this situation.

We can add multiple things to avoid clear text, but without HTTPS there are numerous ways a hacker or any advanced web dev person can recover the password.
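
The trade-off raised in the comment above, as an added example that is not part of the thread: a server-side check for a client-hashed password next to a nonce-based challenge-response, showing which recorded request is accepted a second time. The account, password, and all function names are constructed for illustration.

```javascript
// Added example, not code from the thread. All names and values are constructed.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');
// Length check first, because timingSafeEqual throws on unequal lengths.
const eq = (a, b) => a.length === b.length &&
  timingSafeEqual(Buffer.from(a), Buffer.from(b));

// Server-side record for a constructed test account. The server stores the
// value the browser sends, so that hash is the effective credential.
const users = { alice: { clientHash: sha256('correct horse') } };

// Scheme A: the browser sends sha256(password) over plain HTTP.
function loginStaticHash(user, sentHash) {
  return Boolean(users[user]) && eq(users[user].clientHash, sentHash);
}

// Scheme B: the server issues a one-time nonce and the browser sends
// HMAC(key = sha256(password), message = nonce).
const issued = new Set();
function newChallenge() {
  const nonce = randomBytes(16).toString('hex');
  issued.add(nonce);
  return nonce;
}
function respond(password, nonce) { // the part that would run in the browser
  return createHmac('sha256', sha256(password)).update(nonce).digest('hex');
}
function loginChallenge(user, nonce, response) {
  // Set.delete returns false for an unknown or already used nonce.
  if (!users[user] || !issued.delete(nonce)) return false;
  const expected = createHmac('sha256', users[user].clientHash)
    .update(nonce).digest('hex');
  return eq(expected, response);
}

// Submits each recorded request body twice and reports what the server accepts.
function replayCheck() {
  const wireA = sha256('correct horse');                 // scheme A request body
  const firstA = loginStaticHash('alice', wireA);
  const replayA = loginStaticHash('alice', wireA);       // same bytes again

  const nonce = newChallenge();
  const wireB = respond('correct horse', nonce);         // scheme B request body
  const firstB = loginChallenge('alice', nonce, wireB);
  const replayB = loginChallenge('alice', nonce, wireB); // nonce already consumed
  return { firstA, replayA, firstB, replayB };
}
```

Scheme B only rejects a recorded request; the server still stores a password-equivalent value, and over plain HTTP the login script itself can be modified in transit, so neither scheme replaces HTTPS.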

simnav’s picture

I will add HTTPS later on, because right now my Burp software shows the clear-text vulnerability. I have to remove that before moving to the production server. That's why I need client-side encryption. Please help me: which module is used for client-side encryption? I have tried encrypt submission, but that is not working on my end.