Secure Login

For sites that are available via both HTTP and HTTPS, Secure Login module ensures that the user login and other forms are submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in the clear. Secure Login module locks down not just the user/login page but also any page containing the user login block, and any other forms that you configure to be secured.

For Drupal 7 and 8, Secure Login module enforces secure authenticated session cookies, thus preventing session hijacking by eavesdroppers. For previous versions of Drupal, PHP's session.cookie_secure flag must be enabled on the HTTPS site to enforce secure session cookies.

Drupal 7

Secure Login is intended for sites that want to offer anonymous sessions via HTTP or HTTPS and authenticated sessions only via HTTPS. Anonymous insecure sessions are migrated to authenticated secure sessions upon login, with all session data intact. Secure Login is designed to work with Drupal 7's $conf['https'] setting at its default value, FALSE.

If you were to change $conf['https'] to TRUE, you would enable mixed-mode (HTTPS and HTTP) authenticated sessions: both secure and insecure session cookies are set when a user logs in to the HTTPS site. Other contributed modules, such as Secure Pages, may assist you with implementing mixed-mode authenticated sessions.

Drupal 8

Note that currently in Drupal 8, unlike Drupal 7, anonymous insecure session data is not migrated to an authenticated secure session upon login; instead, an empty secure session is created.

In addition, currently the secure base URL setting may not be applied to form actions, due to changes and inconsistencies in how form action URLs are generated in Drupal 8. If you need to use the secure base URL setting because you do not have an SSL certificate for all of your base URLs, you may need to leave the redirect setting enabled to ensure that the secure base URL setting is used.

Pro tip: HSTS

To help protect against SSL stripping attacks, add the Strict-Transport-Security header in your webserver configuration or install HSTS module, and add your domain to the browser HSTS preload list.

Credits

Secure Login module is maintained by mfb. The Drupal 7 and 8 versions of Secure Login were developed by mfb, along with other contributors from the community.

Project Information

Downloads