Droptor reports that Login does not require SSL, but when I perform a curl of the non-secure user login form it does a 301 redirect to the HTTPS version.

Here is the output, I have replaced the domain name with www.example.com

curl -I www.example.com/user

HTTP/1.1 301 Moved Permanently
Set-Cookie: ACE-UNICC-ICC-A=R1284879698; path=/
Date: Thu, 17 May 2012 08:40:05 GMT
Server: Apache
Location: https://www.example.com/user
Cache-Control: max-age=0
Expires: Thu, 17 May 2012 08:40:05 GMT
Content-Type: text/html; charset=iso-8859-1

Please note that we are not using the Secure Pages module, we are doing all secure redirects using htaccess rules.

Comments

jemond’s picture

jemond commented
Status: Active » Postponed (maintainer needs more info)

Would you mind submitting a ticket to support@droptor.com with that domain in question that isn't working?

andrewsuth’s picture

andrewsuth commented

We submitted a request to the Droptor support email address in March.

The status of the request from the Droptor team remains as follows:

Regarding SSL for user login, as you mentioned Droptor only tests for Secure Pages module related security for user login. I agree, it should be improved to use direct page tests to verify SSL. I think a lot (all?) of the functionality of the Secure Pages module can be done using Apache rewrite rules so a more generic test that covers all possibilities might be a better option.

jemond’s picture

jemond commented

Ah yes, I recall now. I will take a look.

andrewsuth’s picture

andrewsuth commented
Status: Postponed (maintainer needs more info) » Active

Changed status, this issue still remains.

xurizaemon’s picture

xurizaemon
he/him
Location Ōtepoti, Aotearoa 🏝
commented

If *Drupal* isn't able to make the request to www.example.com/user (even though you can) then you might see this behaviour.

Do you also see an error on the status report page which mentions drupal_http_request_fails?

Do you get the correct 302 from curl -I www.example.com/user when executed on your webserver?