I'm seeing some unexpected interaction--or rather, lack of interaction--between these two modules.

I have the most recent version of both modules enabled. I have Secure Pages configured so that all pages of the pattern user* are redirected through SSL. It works fine if someone goes to http://example.com/user --they get redirected to https://example.com/user

In logintoboggan, I have it set to Present login form on access denied (403). Looking just a little at the code in logintoboggan.module, I would kind of expect the SSL redirect to work when someone gets an access denied message--but it doesn't.

I tried including logintoboggan/denied in the list of pages for Secure Pages to redirect, but that doesn't work either.

These are both great modules. But it would be even greater if they would cooperate! Any help appreciated.

Comments

zbricoleur’s picture

I should add that I found a similar issue posted in the Secure Pages issue queue, without resolution: http://drupal.org/node/345740

hunmonk’s picture

Status: Active » Postponed

unfortunately, LT currently uses some dark magic to perform those access denied redirects, so i'm guessing Secure Pages never gets properly notified of the actual page that's being loaded.

i don't see any way to fix this without a redesign of the way LT does it, and currently i'm not even seeing a way to do that without limiting some of the functionality that currently exists.

i'm not willing to break things in a stable branch, so this will have to be addressed in 7.x...

if somebody is willing to dig through the Secure Pages code and find a proper Drupal way to expose what LT is doing, so that Secure Pages can pick up on it, then i would be willing to look at a patch for that. post it here if so.

hunmonk’s picture

Version: 6.x-1.5 » 7.x-1.x-dev
Status: Postponed » Active

YK85’s picture

subscribing

ShannonK’s picture

Subscribing

Bilmar’s picture

subscribing

YK85’s picture

Hi, I was wondering if a user registers/logins without Secure Pages module or Secure Login module that LoginToboggan is not keeping the password data etc safe? I would like to keep security high for pages that deal with sensitive info such as passwords. I would like to learn more about how LoginToboggan does this. Thanks!

hunmonk’s picture

i certainly wouldn't consider myself an expert in this area, but anything transmitted via http:// is open to sniffing, and via https:// should be secure. therefore, the login process should be done over an https:// connection. like drupal core, LT has nothing to do with this, it needs to be implemented via other means.

YK85’s picture

ahh I see, thanks for the explanation!

I wish compatibility with Secure Pages module would be possible in Drupal 6, but, as you made clear it will only be for Drupal 7, I look forward to following this into D7 =)

Thanks!

hunmonk’s picture

let's be clear -- i said i would *look* at it for 7.x. there is no promise of a fix for this issue in 7.x and beyond.

i have enough commitments already... ;)

YK85’s picture

definitely understand =)
your hard work is very much appreciated!

Renee S’s picture

As I understand it, D7 API supports SSL out of the box. The only thing needed is to tell the form to be HTTPS, and D7 does some magic in the background, now, to handle a lot of the initiation that was done in securepages (it sets two cookies for mixed mode stuff, but config of what's what still needs a module, natch). The issue is here: http://drupal.org/node/1577 - t'was committed to head, and around 2/3rds of the way down are details. It looks like all you'd need is an admin checkbox "force SSL login" and then the module would use a form with #https = TRUE. In theory :)

YK85’s picture

thanks for the very helpful info renee!

i'm having to launch my website for business reason in the next month..so i'm guessing i will have to start with d6 and port my site to d7 when it is stable =/

hunmonk’s picture

Category: support » bug
Status: Active » Postponed

so...

i don't understand where this issue is at now ;)

i won't fix the issue in 6.x, and i have no idea if secure pages is going to be supported for 7.x. if it's not, then this would be a feature request to add secure pages support to LT? and if not i guess it's a bug report.

guess for now i'll call it a bug report, and postpone any activity on it until the fate of secure pages is known.

steveparks’s picture

Status: Postponed » Active

Since the last post, #14, work on porting Secure pages to 7 has been underway, but only has a dev release so far.
The issue tracking progress is #952820: Drupal 7 port

It may be enough to reopen exploration of the issues here. Tentatively marking active.

Leeteq’s picture

Subscribing.

stevecowie’s picture

I think this is worth exploring as there's a securepages version for D7. The challenge is having an api that allows an external module like securepages to flag that it has requirements that LT should pay attention to.

oliverpolden’s picture

For Drupal 6 you can use hook_form_alter and check for the 'user_login' form_id then do:

      if (!securepages_is_secure()) {
        securepages_goto(TRUE);
      }

So basically any time a user login form is displayed, the user will be redirected to https.

I haven't checked Drupal 7 but I'm sure you could pretty much do exactly the same.

This code could be placed in the secure pages module. I don't think it should be up to the Logintoboggan module to do this redirect.

guardiola86’s picture

I'm using both modules and I'm getting this error when a user registers or logs in, but it doesn't happen always, only sometimes.

500 Service unavailable (with message)

Any ideas? I'm pulling my hair out trying to find out where the issue is coming from.

milovan’s picture

I just tried on fresh Drupal 7 instance to install both Logintoboggan and Secure Pages. I configured Logintoboggan as follows:

  1. Allow users to login using email address
  2. Override destination parameter (previous two fields in Redirections are empty)
  3. Present login form on access denied (403)
  4. Display login successful message

As far as Secure pages, default settings (including the one which lists two form names: user_login and user_login_block).

Website is configured to use mixed mode (http and https). /user is by default on https.
I made two nodes: one published and one unpublished. Going as anonymous to published, all ok. Going as anonymous to unpublished node, I am presented login block form, but on HTTP, it didn't respect move to https. So, I confirm this is still an issue and can be easily reproduced.

Is there any progress about this? I am willing to test out patches on vanilla instance.
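
The reproduction described in the comment above (a login form rendered on an access-denied page that stays on HTTP) can be turned into a regression check. The following Python sketch is an added example, not code from the thread or from either module; the sample HTML, the `user-login` form id and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScan(HTMLParser):
    """Collect every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.current = None   # form currently open, or None
        self.login_forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"id": a.get("id") or "", "action": a.get("action") or "", "pw": False}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "").lower() == "password":
                self.current["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current["pw"]:
                self.login_forms.append(self.current)
            self.current = None

def insecure_login_forms(page_url, html):
    """Flag password forms delivered over, or posting to, a non-HTTPS URL."""
    scan = _FormScan()
    scan.feed(html)
    scan.close()
    findings = []
    for form in scan.login_forms:
        target = urljoin(page_url, form["action"])  # empty action means the page itself
        if urlsplit(page_url).scheme != "https":
            findings.append((form["id"], "served over " + urlsplit(page_url).scheme))
        if urlsplit(target).scheme != "https":
            findings.append((form["id"], "posts to " + target))
    return findings

# Constructed sample: an access-denied response that embeds the login form.
DENIED_HTML = """<h1>Access denied</h1>
<form id="user-login" action="/node/2?destination=node/2" method="post">
<input type="text" name="name" /><input type="password" name="pass" />
</form>"""

# Constructed sample: same page, but the form action points at HTTPS.
HTTPS_ACTION_HTML = DENIED_HTML.replace('action="/node/2', 'action="https://example.com/node/2')
```

The second sample is still flagged when the page itself is fetched over HTTP: the credentials would be posted to HTTPS, but the form was delivered over a connection that can be read and altered in transit.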