' . t("Secure Login redirects any forms with passwords to a secure address so that the password is not sent in cleartext. If you want the user to be redirected back to the insecure site after the password is sent securely, you need to set \$base_url in settings.php to your insecure URL.") . '
' . t("Secure Login redirects any forms with passwords to a secure host address so that the password is not sent in cleartext. Users that log in can be redirected to the original host address after the password is sent securely.") . '
'; break; } @@ -33,7 +33,7 @@ function securelogin_menu() { 'description' => t("Change secure login settings"), 'callback' => 'drupal_get_form', 'callback arguments' => 'securelogin_admin', - 'access' => user_access('access administration pages'), + 'access' => user_access('administer site configuration'), 'type' => MENU_NORMAL_ITEM ); @@ -47,15 +47,21 @@ function securelogin_admin() { global $base_url; - $defurl = preg_replace('@^http://@', 'https://', $base_url); + $sec_url = preg_replace('@^http://@', 'https://', $base_url); $form['securelogin_baseurl'] = array( '#type' => 'textfield', '#title' => t("Base URL for secure site"), - '#default_value' => variable_get('securelogin_baseurl', preg_replace('@^http://@', 'https://', $base_url)), + '#default_value' => variable_get('securelogin_baseurl', ''), '#size' => 50, '#maxlength' => 300, - '#description' => t("The base URL at which the site can be accessed securely (no trailing slash), e.g. " . $defurl . ". The hostname must match the hostname of the insecure URL, and in most cases, you will want the directory to match also (particularly if you haveRewriteBase set).")
+ '#description' => t("The base URL at which the site can be accessed securely, e.g. " . $sec_url . ". The hostname must match the hostname of the insecure URL, and in most cases, you will want the directory to match also (particularly if you have RewriteBase set). If you don't specify a secure base URL, the https:// version of the URL the user is currently at will be used. For example, if your website is accessible under multiple hostnames, leave this box empty, and the user will be referred to the https:// version of the URL for each hostname.")
+ );
+ $form['securelogin_redirect_original'] = array(
+ '#type' => 'checkbox',
+ '#title' => t("Redirect to original location"),
+ '#default_value' => variable_get('securelogin_redirect_original', TRUE),
+ '#description' => t("Users that log in from another address than the secure URL specified above will be redirected to the original site after the password is sent securely when this option is enabled. For example, if the user logs on at " . preg_replace('@^https://@', 'http://', $base_url) . ", the password will be sent over $sec_url, but the user will be redirected to " . preg_replace('@^https://@', 'http://', $base_url) . " after that. Note that an error message will be shown if redirect is enabled and the secure hostname (specified above) and original hostname don't match."),
);
$form['securelogin_loginform'] = array(
'#type' => 'checkbox',
@@ -84,15 +90,62 @@ function securelogin_admin() {
*/
function securelogin_form_alter($form_id, &$form) {
+ global $base_url;
+
if( ($form_id == 'user_login_block' && variable_get('securelogin_loginform', TRUE) == TRUE)
|| ($form_id == 'user_login' && variable_get('securelogin_loginform', TRUE) == TRUE)
|| ($form_id == 'user_edit' && variable_get('securelogin_editform', TRUE) == TRUE)
|| ($form_id == 'user_register' && variable_get('securelogin_registerform', TRUE) == TRUE)
- ) {
- // Strip trailing slash from base_path
- $base = substr(base_path(), 0, -1);
- $form['#action'] = preg_replace('@^' . $base . '@', variable_get('securelogin_baseurl', $base), $form['#action']);
+ ) {
+
+ // get secure server location from admin settings or if it is not set, construct it from current $base_url (with http:// replaced by https://)
+ $constructed_secure_url = preg_replace('@^http://@', 'https://', $base_url);
+ $admin_secure_url = rtrim(variable_get('securelogin_baseurl', $constructed_secure_url), '/');
+ $secure_url = ($admin_secure_url) ? $admin_secure_url : $constructed_secure_url;
+
+ // get current path, and strip trailing slash
+ $base = rtrim(base_path(), '/');
+
+ // the original url
+ $original_url = isset($_REQUEST['secure_login_original_url']) ? $_REQUEST['secure_login_original_url'] : $base_url;
+
+ // (re)set form values
+ $form['#action'] = preg_replace('@^' . $base . '@', $secure_url, $form['#action']);
+
+ $form['secure_login_request'] = array(
+ '#type' => 'hidden',
+ '#value' => 1,
+ '#id' => 'secure_login_request_id',
+ );
+
+ $form['secure_login_original_url'] = array(
+ '#type' => 'hidden',
+ '#value' => $original_url,
+ '#id' => 'secure_login_original_url_id',
+ );
}
} // function securelogin_form_alter
+/**
+* Set the $base_url back to the value it had before sending the login request if the admin settings require so.
+* Also check if the host names match for security reasons. If not, don't refer to the new host, and display an error message.
+*/
+function securelogin_init() {
+
+ global $base_url;
+
+ if (isset($_REQUEST['secure_login_request']) && variable_get('securelogin_redirect_original', TRUE)) {
+ $new_base_url = $_REQUEST['secure_login_original_url'];
+
+ // If the host names don't match, don't go to the original url, and show an error message instead
+ // You can solve this problem by either disabling securelogin_redirect_original in the admin panel, or leaving the securelogin_baseurl field empty
+ if (preg_replace('@^http://@', 'https://', $base_url) != preg_replace('@^http://@', 'https://', $new_base_url)) {
+ drupal_set_message(t('The system setting specify you should be referred to the original website after your login information was processed, but the hostnames are incompatible. Please contact the system administrator about this problem.'), 'error');
+ }
+ else {
+ $base_url = $new_base_url;
+ }
+ }
+} // function securelogin_init
+
?>