I'm seeing some unexpected interaction--or rather, lack of interaction--between these two modules.
I have the most recent version of both modules enabled. I have Secure Pages configured so that all pages of the pattern user* are redirected through SSL. It works fine if someone goes to http://example.com/user --they get redirected to https://example.com/user
In logintoboggan, I have it set to Present login form on access denied (403). Looking just a little at the code in logintoboggan.module, I would kind of expect the SSL redirect to work when someone gets an access denied message--but it doesn't.
I tried including logintoboggan/denied in the list of pages for Secure Pages to redirect, but that doesn't work either.
These are both great modules. But it would be even greater if they would cooperate! Any help appreciated.
Comments
Comment #1
zbricoleur commented:
I should add that I found a similar issue posted in the Secure Pages issue queue, without resolution: http://drupal.org/node/345740
Comment #2
hunmonk commented:
unfortunately, LT currently uses some dark magic to perform those access denied redirects, so i'm guessing Secure Pages never gets properly notified of the actual page that's being loaded.
i don't see any way to fix this without a redesign of the way LT does it, and currently i'm not even seeing a way to do that without limiting some of the functionality that currently exists.
i'm not willing to break things in a stable branch, so this will have to be addressed in 7.x...
if somebody is willing to dig through the Secure Pages code and find a proper Drupal way to expose what LT is doing, so that Secure Pages can pick up on it, then i would be willing to look at a patch for that. post it here if so.
Comment #3
hunmonk commented
Comment #4
YK85 commented:
subscribing
Comment #5
ShannonK commented:
Subscribing
Comment #6
Bilmar commented:
subscribing
Comment #7
YK85 commented:
Hi, I was wondering if a user registers/logins without Secure Pages module or Secure Login module that LoginToboggan is not keeping the password data etc safe? I would like to keep security high for pages that deal with sensitive info such as passwords. I would like to learn more about how LoginToboggan does this. Thanks!
Comment #8
hunmonk commented:
i certainly wouldn't consider myself an expert in this area, but anything transmitted via http:// is open to sniffing, and via https:// should be secure. therefore, the login process should be done over an https:// connection. like drupal core, LT has nothing to do with this, it needs to be implemented via other means.
Comment #9
YK85 commented:
ahh I see, thanks for the explanation!
I wish compatibility with Secure Pages module would be possible in Drupal 6, but, as you made clear it will only be for Drupal 7, I look forward to following this into D7 =)
Thanks!
Comment #10
hunmonk commented:
let's be clear -- i said i would *look* at it for 7.x. there is no promise of a fix for this issue in 7.x and beyond.
i have enough commitments already... ;)
Comment #11
YK85 commented:
definitely understand =)
your hard work is very much appreciated!
Comment #12
Renee S commented:
As I understand it, D7 API supports SSL out of the box. The only thing needed is to tell the form to be HTTPS, and D7 does some magic in the background, now, to handle a lot of the initiation that was done in securepages (it sets two cookies for mixed mode stuff, but config of what's what still needs a module, natch). The issue is here: http://drupal.org/node/1577 - t'was committed to head, and around 2/3rds of the way down are details. It looks like all you'd need is an admin checkbox "force SSL login" and then the module would use a form with #https = TRUE. In theory :)
Comment #13
YK85 commented:
thanks for the very helpful info renee!
i'm having to launch my website for business reasons in the next month..so i'm guessing i will have to start with d6 and port my site to d7 when it is stable =/
Comment #14
hunmonk commented:
so...
i don't understand where this issue is at now ;)
i won't fix the issue in 6.x, and i have no idea if secure pages is going to be supported for 7.x. if it's not, then this would be a feature request to add secure pages support to LT? and if not i guess it's a bug report.
guess for now i'll call it a bug report, and postpone any activity on it until the fate of secure pages is known.
Comment #15
steveparks commented:
Since the last post, #14, work on porting Secure pages to 7 has been underway, but only has a dev release so far.
The issue tracking progress is #952820: Drupal 7 port
It may be enough to reopen exploration of the issues here. Tentatively marking active.
Comment #16
Leeteq commented:
Subscribing.
Comment #17
stevecowie commented:
I think this is worth exploring as there's a securepages version for D7. The challenge is having an api that allows an external module like securepages to flag that it has requirements that LT should pay attention to.
Comment #18
oliverpolden commented:
For Drupal 6 you can use hook_form_alter and check for the 'user_login' form_id then do:
So basically any time a user login form is displayed, the user will be redirected to https.
I haven't checked Drupal 7 but I'm sure you could pretty much do exactly the same.
This code could be placed in the secure pages module. I don't think it should be up to the Logintoboggan module to do this redirect.
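An added sketch of the Drupal 6 approach described in comment #18 (not the commenter's code, and not code from Secure Pages or LoginToboggan). The module name `mymodule` is hypothetical; it assumes PHP sees the TLS connection directly and that `$base_url` is set in settings.php.

```php
<?php
/**
 * Implementation of hook_form_alter() for a hypothetical module "mymodule".
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  // Form id named in the comment above.
  if ($form_id != 'user_login') {
    return;
  }
  // Already on HTTPS: nothing to do. Assumption: no SSL-terminating proxy
  // sits in front of PHP; if one does, test the signal it provides instead.
  if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    return;
  }
  // Redirect only while the form is being displayed. On a POST the
  // credentials were already sent in clear text, so a redirect cannot
  // protect them; the form has to be served over HTTPS in the first place.
  if ($_SERVER['REQUEST_METHOD'] != 'GET') {
    return;
  }
  // Take the host from $base_url rather than the raw Host header, so a
  // forged header cannot choose the redirect target. Assumption: $base_url
  // is set explicitly in settings.php.
  global $base_url;
  $parts = parse_url($base_url);
  if (empty($parts['host'])) {
    return;
  }
  // request_uri() is the URI the visitor originally asked for, so a login
  // form rendered in place of another page (for example on a 403) is sent
  // to that same address over HTTPS.
  header('Location: https://' . $parts['host'] . request_uri(), TRUE, 302);
  exit();
}
```

The redirect only moves the form display to HTTPS; a session cookie issued without the secure flag can still travel over later plain-HTTP requests in a mixed-mode site.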
Comment #19
guardiola86 commented:
I'm using both modules and I'm getting this error when a user registers or logs in, but it doesn't happen always, only sometimes.
500 Service unavailable (with message)
Any ideas? I'm pulling my hair out trying to find out where the issue is coming from.
Comment #20
milovan commented:
I just tried on fresh Drupal 7 instance to install both Logintoboggan and Secure Pages. I configured Logintoboggan as follows:
As far as Secure pages, default settings (including the one which lists two form names: user_login and user_login_block).
Website is configured to use mixed mode (http and https). /user is by default on https.
I made two nodes: one published and one unpublished. Going as anonymous to published, all ok. Going as anonymous to unpublished node, I am presented login block form, but on HTTP, it didn't respect move to https. So, I confirm this is still an issue and can be easily reproduced.
Is there any progress about this? I am willing to test out patches on vanilla instance.