For sites that are available via both HTTP and HTTPS, Secure Login module ensures that the user login and other forms are submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in the clear. Secure Login module locks down not just the user/login page but also any page containing the user login block, and any other forms that you configure to be secured.
For Drupal 7 and 8, Secure Login module enforces secure authenticated session cookies, thus preventing session hijacking. For previous versions of Drupal, PHP's session.cookie_secure flag must be enabled on the HTTPS site to enforce secure session cookies.
A word about Drupal 7's
Secure Login is intended for sites that want to offer anonymous sessions via HTTP or HTTPS and authenticated sessions only via HTTPS. Anonymous insecure sessions are migrated to authenticated secure sessions upon login, with all session data intact. Secure Login is designed to work with Drupal 7's $conf['https'] at its default value. If you were to change it to TRUE, you would enable mixed-mode (HTTPS and HTTP) authenticated sessions: both secure and insecure session cookies are set when a user logs in to the HTTPS site. Other contributed modules, such as Secure Pages, may assist you with implementing mixed-mode authenticated sessions.
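To check which of these two behaviours a site actually has, the following added example (not part of the Secure Login project) classifies the Set-Cookie headers of a login response served over HTTPS as secure-only or mixed-mode. It assumes Drupal's session cookie naming, SESS followed by a hex string with an extra leading S on the HTTPS cookie; the function names and sample headers are constructed for illustration.

```python
import re

# Assumption: Drupal session cookies are named SESS<hex>, with an extra
# leading "S" (SSESS<hex>) for the cookie issued to HTTPS sessions.
SESSION_COOKIE = re.compile(r"^S?SESS[0-9a-f]+$")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def classify_login_cookies(set_cookie_headers):
    """Classify the session cookies set by a login response served over HTTPS."""
    secure, insecure = [], []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if SESSION_COOKIE.match(name):
            (secure if "secure" in attrs else insecure).append(name)
    if not secure and not insecure:
        return "no-session-cookie", []
    if not insecure:
        return "secure-only", []
    # Any session cookie without Secure can also be sent over plain HTTP.
    verdict = "mixed-mode" if secure else "insecure-only"
    return verdict, insecure


# Constructed sample headers (not captured from a real site).
HEX = "0123456789abcdef" * 2
SECURE_ONLY = [
    f"SSESS{HEX}=constructed-id; path=/; domain=.example.org; secure; HttpOnly",
    "other=1; path=/",
]
MIXED_MODE = SECURE_ONLY + [
    f"SESS{HEX}=constructed-id-2; path=/; domain=.example.org; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("secure-only", SECURE_ONLY), ("mixed-mode", MIXED_MODE)):
        print(label, "->", classify_login_cookies(headers))
```

The second element of the result lists the session cookies that lack the Secure attribute, which are the ones to investigate.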
Installing this module resolves most mixed-content warnings that appear on Drupal 8 sites available via both HTTP and HTTPS. You will also need to set the public file base URL in your settings.php file to use the secure base URL:
$settings['file_public_base_url'] = 'https://www.example.org/sites/default/files';
and, to resolve CORS errors, add an Access-Control-Allow-Origin: * header to resources such as fonts served from the HTTPS site.
Note that currently in Drupal 8, unlike Drupal 7, anonymous insecure sessions are not migrated to authenticated secure sessions upon login; instead, a new session is created.
Pro tip: HSTS
- Maintenance status: Actively maintained
- Development status: Under active development
- Module categories: Security, User Access & Authentication
- Reported installs: 10,050 sites currently report using this module.
- Downloads: 56,380
- Automated tests: Enabled
- Last modified: January 13, 2016