I've been testing the Secure Login 6-x.1-x-dev module on Drupal 6.3.
When I enable the Secure Login module with the "secure login form" enabled, I can't use a user login block to log in. After the login attempt my URL is set to:
https://www.mydomain.net/node?destination=node (if I use the login form from my home page)
https://www.mydomain.net/forum?destination=forum (if I use the login form from my forum page)
........ blog?destination=blog (if I use the login form from my blog page)
In each case the page that is displayed is my front page regardless of what the URL says.
I can use
https://www.mydomain.net/?q=user/login
to do a secure login, and this works fine. So I'm confident of my Apache/SSL configuration.
Comment | File | Size | Author |
---|---|---|---|
#5 | securelogin.tar_.gz | 2.04 KB | kbahey |
Comments
Comment #1
sluckz commented:
I have a testing server and site. I installed both Drupal 6 and the latest CVS Secure Login today. I am using default themes and 'blocks?' sorry fresh Drupal beginner from a little Joomla use.
I get a similar error when enabling "secure login form"
https://192.168.4.225/node?securelogin_original_baseurl=http%3A%2F%2F192...
Firefox reports:
Redirect Loop
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
My testing site comes down completely. The only way to get back in is disabling the module with mysql. I'm not necessarily sure this is a bug in my case as I am not confident I know what I am doing. I cannot find much documentation regarding this feature.
Comment #2
ClearXS commented:
Security doesn't seem to be a real issue for Drupal, as makes the difference between a 'chaos programmed' hobby program and a professional one. I had the same problems 2 years ago with a (bit early) core-5 release. And now I just came back to see what happened in two years and testing with 6.8/6.9. So this is an external module and Drupal shouldn't be responsible for that, I was lectured yesterday about another security module. Well, security issues like these and many others should have been built into core from day one, is my opinion. Let's guess; maybe part of security modules will be in core 7, but other parts won't and core 7 will not work for many modules until near 2010. Maybe I'll just have to come back in another 2 years?
Comment #3
Andrew Schulman commented:
This is clearly a dead project. I agree, it's unfortunate that such a basic security need has been left to a hodgepodge of contributed modules.
I've found many discussions where people have been asking for HTTPS logins, going back as far as 2003: e.g. http://drupal.org/node/1577.
Maybe http://drupal.org/project/securepages will do the job.
Comment #4
Florian Streibelt commented:
Here is a quick fix for this issue. In the file securelogin.module, lines 109-118 may look like this:

```php
// Check if we already have https. The later check does not work with clean URLs enabled.
if ($_SERVER['HTTPS'] != 'on') {
  // Redirect form to secure page, if necessary
  if (variable_get('securelogin_secure_forms', FALSE) == TRUE) {
    $secformurl = $securl . '/' . $_GET['q'];
    if ($_SERVER['SCRIPT_URI'] != $secformurl) {
      drupal_goto($secformurl, 'securelogin_original_baseurl=' . urlencode($origurl));
    }
  }
}
```
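The redirect decision discussed in this thread, as an added example that is not part of the original comment or of securelogin.module: it decides from the HTTPS server variable alone, so a SCRIPT_URI mismatch under clean URLs cannot trigger a second redirect. The function names, the `example.test` host and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; the function names are hypothetical, not module code.

/**
 * Return TRUE when the request arrived over HTTPS.
 * $_SERVER['HTTPS'] is unset on plain HTTP under Apache, and IIS (ISAPI)
 * sets it to 'off', so both cases must count as "not secure".
 */
function example_request_is_https(array $server) {
  return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Return the HTTPS URL to redirect to, or NULL when no redirect is needed.
 */
function example_secure_redirect_target(array $server, $secure_base, $path, $forms_enabled) {
  if (!$forms_enabled || example_request_is_https($server)) {
    // Feature off, or already secure: redirecting again would loop.
    return NULL;
  }
  return rtrim($secure_base, '/') . '/' . ltrim($path, '/');
}

// Constructed sample requests (not captured from a real server).
$cases = array(
  'http, Apache'    => array(),
  'http, IIS'       => array('HTTPS' => 'off'),
  'https'           => array('HTTPS' => 'on'),
  // SCRIPT_URI differs from the clean URL, but it is never consulted.
  'https, clean URL' => array(
    'HTTPS' => 'on',
    'SCRIPT_URI' => 'https://www.example.test/index.php',
  ),
);

foreach ($cases as $label => $server) {
  $target = example_secure_redirect_target($server, 'https://www.example.test', 'node', TRUE);
  printf("%-17s => %s\n", $label, $target === NULL ? 'no redirect' : $target);
}
```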
Comment #5
kbahey commented:
I am attaching a version that does work for forms in blocks, using the patch in comment #4 by Florian.
Can the maintainer please commit this?
Comment #6
kbahey commented:
I committed the fix in #4 by Florian to the 6.x-1.x-dev. Should be in the download tarball in about 12 hours from now.