The user login module should be modified to always use absolute URLs for the following items:

  • user login form
  • register new user link
  • request new password link

This will ensure that when the https protocol is specified for $base_url in the settings.php file, the user login module will use SSL even if the page is directly accessed over the http protocol. Please see the "securing drupal for authenticated users" page for details on how this feature can be very useful. I am attaching a patch for the drupal/modules/user.module file. It passes additional arguments to the url and l functions with a value of "TRUE" for the $absolute parameter.

Comment | File | Size | Author
 | user_logins.diff | 1.6 KB | HemangLavana
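
The effect described in the issue above, as an added example that is not part of the original post or the attached patch: it resolves the three login items the way a browser would, once as root-relative paths and once with $base_url prepended. The host example.com, the helper names and the use of the paths user/login, user/register and user/password are assumptions made for the illustration.

```javascript
// Added example: how a browser resolves the login block's URLs.
// Constructed values: the site host and the three paths below.
const LOGIN_ITEMS = {
  loginFormAction: 'user/login',
  registerLink: 'user/register',
  passwordLink: 'user/password',
};

// Mimics the two ways the module can emit a URL (hypothetical helper):
//   absolute = false -> path relative to the site root ("/user/login")
//   absolute = true  -> $base_url prepended ("https://example.com/user/login")
function emitUrl(path, baseUrl, absolute) {
  const basePath = new URL(baseUrl).pathname.replace(/\/$/, '');
  return absolute ? `${baseUrl.replace(/\/$/, '')}/${path}` : `${basePath}/${path}`;
}

// Resolve every emitted URL against the page the visitor actually loaded,
// as the browser does, and record the scheme the request would use.
function resolveLoginTargets(pageUrl, baseUrl, absolute) {
  const out = {};
  for (const [item, path] of Object.entries(LOGIN_ITEMS)) {
    const resolved = new URL(emitUrl(path, baseUrl, absolute), pageUrl);
    out[item] = { href: resolved.href, cleartext: resolved.protocol !== 'https:' };
  }
  return out;
}

// Items whose request (including posted credentials) would leave over http.
function cleartextItems(pageUrl, baseUrl, absolute) {
  const targets = resolveLoginTargets(pageUrl, baseUrl, absolute);
  return Object.keys(targets).filter((k) => targets[k].cleartext);
}

const page = 'http://example.com/node/1';       // page opened over plain http
const base = 'https://example.com';             // $base_url in settings.php
console.log(cleartextItems(page, base, false)); // all three items
console.log(cleartextItems(page, base, true));  // []
```

The form markup itself is still delivered over http in this scenario, so the check covers only where the browser sends the request.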

Comments

Egon Bianchet

Version: 4.7.0-beta5 » x.y.z

dries

Interesting direction. I suggest we postpone committing this patch so more people have a chance to evaluate this proposal and so we can brainstorm about it a bit more.

I have some gripes with it though. Say I have an e-commerce site and I need to secure a thing or two, I'd still have to make changes to the e-commerce code to make its URLs use https (rather than http). I wonder how this is solved by other software projects, or what the ideal theoretical solution would look like.

HemangLavana

> Say I have an e-commerce site and I need to secure a thing or two, I'd still have to make changes to the e-commerce code to make its URLs use https (rather than http).

I am no security expert so take my responses with a grain of salt. If anything needs to be secured for an e-commerce or any other such site, I would force the user to log in before sending or requesting sensitive info. Doing it this way will keep the design of any web-site simple: display general info over http and require user login over https for any security related stuff.

Hemang.

Bèr Kessels

Status: Needs review » Closed (duplicate)