This project will enable you to be automatically signed on to websites that are linked with a broker website. I am writing the whole thing out as an article on my website.
The Mixed Session module enables mixed HTTP(S) sessions for a site, securely and without loss of session data. The phrase "mixed sessions" refers to providing, with respect to a user visiting a site, some content over an insecure (HTTP) connection and other content over a secure (HTTPS) connection. For example, a shopping site may prefer to display product content in insecure mode (HTTP) while being able to protect sensitive content (e.g. credit card details and authenticated user account information) using secure mode (HTTPS). The use of mixed sessions adds complications such as preserving session data (e.g. a cart ID) across session modes and protecting against session hijacking (with tools such as Firesheep). This module addresses both concerns.
The Mixed Session module protects against session hijacking by regenerating session IDs on step up and step down (i.e. switching between HTTP and HTTPS), providing a configuration switch to stay secure once having entered secure mode, and exposing more built-in, configurable redirect rules. This module also declares two API hooks through which a developer can incorporate more complex redirect rules. Protection applies to anonymous and authenticated users.
Drupal 7's default session settings make sessions live almost indefinitely - that may present security and performance issues.
State gets round the problem by combining roles with user-activity sensing and AJAX calls.
Sessions may still continue indefinitely for some kinds of users - say non-logged-in visitors to your web shop.
No need to change settings in the site's settings.php file
State may effectively - if configured so on its settings page - override the session settings of settings.php (since State v. 2.0).
Goodbye to 'form expired'
And no visitor will ever encounter 'form expired' upon posting a form again.
State will warn the user if the current page has hung around too long.
Set Drupal messages that survive user logout
state_set_message('Tell the user why she/he got logged out...');
Is current request a page or an AJAX request?
state_is_page_request();
State provides simple means for checking and counting requests, by type.
Safe and easy session variables
Drupal provides no means for securing against session variable collisions.