HTTPS

The 443 Session module makes using HTTPS on your site simple. It is most useful for running mixed HTTPS, where some pages are sent via HTTP and others via HTTPS. It can be used to protect credit card transactions or to protect against session hijacking by tools such as Firesheep, which capture session cookies sent over plain HTTP.

It also provides an API for designating whether a page should be transmitted via HTTP or HTTPS.

How is this different from...

Setting up rewrite rules in .htaccess

While in theory it is possible to do this, it turns out to be very complicated once you consider things like login forms, canonical URLs, and AJAX. Nor is this method robust: if $base_path changes, or if a login block is added to a new page, your site is suddenly no longer secure, with no indication or warning.

Secure Pages module

In Drupal 6 the Secure Pages module can only redirect users based on the URL path. This means that it cannot protect against session hijacking. You can use Secure Pages to protect URLs such as user* and admin*, but this only gives the impression of security: it does little to keep data on these pages actually secure, because the same PHP session cookie is still sent with every plain HTTP request, so any man-in-the-middle will have it. Secure Pages is also not compatible with internationalization (i18n).

Secure Login module

The Secure Login module cannot redirect authenticated users back to HTTPS if they accidentally visit a page via HTTP. Nor can it enforce a canonical URL for anonymous users. Nor can it be used to protect additional paths (such as a shopping cart). Secure Login only has partial support for internationalization (i18n).

The 443 Session module combines the best parts of both of the above modules.

Status for Drupal 7

Drupal 7 core uses separate session cookies for HTTP and HTTPS (the HTTPS cookie is only ever sent over HTTPS, and both cookies map to the same Drupal session). This eliminates the most serious session hijacking risk. The Drupal 7 Secure Pages module also offers the ability to force authenticated users to use only HTTPS. It is currently somewhat buggy, but fixing those bugs will be less effort than porting 443 Session to D7 (and will avoid duplicating modules). Therefore 443 Session will not be ported to D7.

Limitations

Since the 443 Session module uses separate session cookies for HTTP and HTTPS, any session data appears to be lost when a user navigates from an HTTP page to an HTTPS page. This makes the module unsuitable for an e-commerce site where most pages are HTTP and only the checkout is HTTPS: the user's cart contents would appear to be lost when they go to checkout. For that scenario please see the Mixed Session module.
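The following is an added illustration, written in plain PHP for this page; it is not code from the 443 Session module or from Drupal core. It shows the mechanism described in the "Status for Drupal 7" and "Limitations" sections: a separate, Secure-flagged session cookie for HTTPS, a list of paths that must always be served over HTTPS, and a redirect of logged-in users who accidentally land on an HTTP page. The cookie names, the path list, the has_secure_session hint cookie, and the assumption that the site is served from the document root are all choices made for the example.

```php
<?php
// Added example; not code from the 443 Session module or Drupal core.
// Cookie names, the protected path list and the hint cookie are assumptions.

function is_https() {
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Paths that must always be served over HTTPS (assumed list; the site is
// assumed to live at the document root, so no $base_path handling).
function path_requires_https($path) {
    foreach (array('user', 'admin', 'cart/checkout') as $secure) {
        if ($path === $secure || strpos($path, $secure . '/') === 0) {
            return TRUE;
        }
    }
    return FALSE;
}

function redirect_to_https() {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], TRUE, 302);
    exit;
}

// Called after a successful login, which only ever happens over HTTPS here.
// The hint cookie deliberately lacks the Secure flag so that plain HTTP
// requests can see it; it carries no secret, so capturing it only earns an
// attacker a redirect to HTTPS.
function on_login_success() {
    session_regenerate_id(TRUE);
    setcookie('has_secure_session', '1', 0, '/', '', FALSE, TRUE);
}

$https = is_https();
$path = trim((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/');

// 1. Protected paths never answer over HTTP. Redirect before any session
//    cookie is read or set, so nothing sensitive is ever issued in the clear.
if (!$https && path_requires_https($path)) {
    redirect_to_https();
}

// 2. A logged-in user who follows an HTTP link is sent back to HTTPS. The
//    browser never sends the Secure session cookie over HTTP, so the HTTP
//    side can only see the non-secret hint cookie set in on_login_success().
if (!$https && !empty($_COOKIE['has_secure_session'])) {
    redirect_to_https();
}

// 3. One session cookie per scheme. The HTTPS cookie is Secure, so a sniffer
//    on the HTTP side never sees the cookie that authenticates HTTPS pages;
//    both cookies are HttpOnly. Because the cookies are distinct, $_SESSION
//    data written under the HTTP cookie is not visible under the HTTPS one.
session_name($https ? 'SSESS_example' : 'SESS_example');
session_set_cookie_params(0, '/', '', $https, TRUE);
session_start();
```

Step 3 is where the trade-off described under "Limitations" comes from: a cart filled over HTTP lives in the SESS_example session and is simply absent once the user arrives at checkout under SSESS_example. Drupal 7 core avoids that by linking both cookies to the same server-side session record while still only ever sending the secure cookie over HTTPS; this example does not attempt that linkage.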

More information about HTTPS

See Enabling HTTP Secure (HTTPS)

Developed by

Dave Hansen-Lange
Advomatic LLC
http://advomatic.com

Kevin Mathis
http://www.laudr.com
