This is a great module. It answers a lot of security questions I've had about Drupal.

However, I've noticed that it does not support URL aliases in the list of pages that use/don't use SSL. I have come custom node types that are restricted to certain users. I'd like to be able use a SSL connection when those users with the appropriate permissions access these nodes in "view" mode.

I'd unselect "switch back to http" to solve the problem - but really affects performance. Also, if an non-registered site visitor accidently goes to "user/login", they'll have a secure connection for the rest of the time they are on the site.

Thanks,
-S

Comments

wishcow’s picture

I wrote a quick solution for this. In the securepages.module file (I actually added this to drupal 5),
in the securepages_init function, I added 2 lines, which fixed the problem:

function securepages_init() {
...
$path = $_GET['q'];
$page_match = securepages_match($path);
// PATCH:
if (!$page_match)
$page_match = securepages_match(request_uri());
...
}

This checks the external url if the internal url failed in the match.
I am new to Drupal, so I don't know how to write patches yet, I will post one as soon as I can.

wishcow’s picture

Eek, sorry, made a mistake.
You need to remove the heading "/" character first.

$page_match = securepages_match(ltrim(request_uri(), "/"));

schnuckovic’s picture

I found this working better when you have your drupal installation not at the host's root:

$page_match = securepages_match($path);

if (!$page_match){
$page_match = securepages_match(drupal_get_path_alias($path));
}

I'm currently testing on the server, so the URL is http://example.com/test/, thus request_uri() still contains the 'test' part in my example.

Not sure how this works if there's various aliases to a node.

Shouldn't this feature be part of the module?

schnuckovic’s picture

I found this working better when you have your drupal installation not at the host's root:

$page_match = securepages_match($path);

if (!$page_match){
$page_match = securepages_match(drupal_get_path_alias($path));
}

I'm currently testing on the server, so the URL is http://example.com/test/, thus request_uri() still contains the 'test' part in my example.

Not sure how this works if there's various aliases to a node.

Shouldn't this feature be part of the module?

schnuckovic’s picture

this:

if (!$page_match){
$page_match = securepages_match(drupal_get_path_alias($path));
}

seemed to work at the beginning, but then I found out that the call to drupal_get_path_alias() throws an error sometimes that it's not available.

I'm using a different approach now. I'm back to the original settings in the secure_pages module and added this line to my settings.php:

ini_set('session.cookie_secure', 1);

The login is secure and the session will be valid for https only with this setting. As soon as the users tries to request a page using http she gets logged out.

It's not 100% what I wanted, but now I can be sure that the pages that only some authenticated users are allowed to see are always encrypted.

grendzy’s picture

Status: Active » Closed (won't fix)

automatically closed - The 4.7 branch is no longer supported. If this issue is present in a currently supported version, please change the version field and re-open. Thanks!

seanberto’s picture

Sure, Grendzy, close out my tickets without love. ;)

Hope all is well.
-sean