The user login block has an unusual behavior, in that it's #action is not fixed. Rather, it POSTs the password to URLs like /node/1?destination=node/1. As a result it can't currently be matched by a securepages pattern. The usual workaround is to disable the login block, and instead provide a secure link to example.com/user.

This simple patch uses hook_form_alter to fix the login block.

CommentFileSizeAuthor
#7 securepages_login_block.patch-new.txt547 bytestolimar
#2 secure_login_block_securepages.module.patch593 bytesñull
securepages_login_block.patch.txt618 bytesgrendzy

Comments

ñull’s picture

ñull commented
Status: Needs review » Needs work

This patch is not sufficient for certain circumstances. I noticed that the login block is still "unsafe" on access denied.

ñull’s picture

ñull commented
StatusFileSize
new secure_login_block_securepages.module.patch593 bytes

Attached a modification the seems to correct the problem.

ñull’s picture

ñull commented
Status: Needs work » Needs review
mcgyver5’s picture

mcgyver5 commented

the patch does a search for "http" and replaces it with "https" I suspect most people will have relative paths and so the patch will fail as it did for us.

shap’s picture

shap commented

On the site that I am currently assembling, I adopted the following approach:

1. Restrict the login block to the main page.
2. Add "user" (as opposed to "user/*") to the list of protected pages.

The latter was good enough to catch attempts to go to site/user and site/. In the default setup, those both offer a login page. Obviously I'm going to change the front page, but I will probably have a login link that simply links to [site]/user.

This approach made it unnecessary to protect the login form specifically, since the default "post" action posts to the "current" site.

One thing I have not (yet) checked. My current site does not have base_url set. If that is set, it may get placed in the post action for the user-login form, and then I'll have to do something about it.

drdrup’s picture

drdrup commented
Version: 4.7.x-1.x-dev » 5.x-1.x-dev

shap: What do you mean by "1. Restrict the login block to the main page."?

Is it by setting the "User login" block to "Show on only the listed pages" and adding "" to the list of Pages?
[BTW: by doing so, I thought that the "User login" block WILL show in the home (main) page, but I see that it is not so. The blcok does not show at all; Why?]

Or did you mean "Restrict the login block so it will ot show on the main page"?

[This thread was marked as 4.7.x-1.x-dev; I am now using 5.x-1.x-dev (2007.06.18) so I changed the version in the project info. If it is indeed for 4.7.x, please change it back, and I am sorry for my confusion]

tolimar’s picture

tolimar commented
StatusFileSize
new securepages_login_block.patch-new.txt547 bytes

Hi!

Many thanks for the patch; solved the problem for me. However, to get it to work with 5.x-1.7 I needed to adopt it a bit. It's attached; maybe it's usefull for someone else?

Best regards,
Alexander

grendzy’s picture

grendzy commented
Status: Needs review » Fixed

securepages_prevent_hijack is now available for D5, which provides this enhancement as a module.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

gittosj’s picture

gittosj commented
Version: 5.x-1.x-dev » 6.x-1.9
Component: Code » Miscellaneous
Category: feature » task

I had a custom login block which I'd patched together from the work of several other users and wanted to keep so I tweaked it to submit via https - i"m sure purists won't like the fact that users are unaware that its submitted via a secure connection - I'm just happy its a bit more secure. Let me know if you can spot any flaws but it works for me and does use SSL as well as being (IMHO) prettier and easier than the default login block:

<?php
global $user;
global $base_url;
$base_url = str_replace("http","https",$base_url);
?>
<div class="content" id="user-login-form">
  <form action="<?php print "{$base_url}/user/login/?".drupal_get_destination();?>" accept-charset="UTF-8" method="post">
    <div class="form-item" id="edit-name-wrapper">
    <ul>                
      <li><input type="text" maxlength="60" name="name" id="edit-name" size="15" value='Username' onfocus="if(this.value==this.defaultValue)this.value='';" onblur="if(this.value=='')this.value=this.defaultValue;" class="form-text required" /></li>
    </ul>
    </div>
     <div class="form-item" id="edit-pass-wrapper">
       <ul>
         <li><input type="password" name="pass" id="edit-pass" maxlength="60" size="15" value='Password' onfocus="if(this.value==this.defaultValue)this.value='';" onblur="if(this.value=='')this.value=this.defaultValue;" class="form-text required" /><input type="hidden" name="form_id" id="edit-user-login" value="user_login" />
<input type="submit" name="op" class="form-submit" id="edit-submit" value="Login" src="/submit.png" alt="Submit" /></li>
       </ul>
       </div>
<!-- Remove below if you don't use persistent login ---->
<div class="form-item" id="edit-persistent-login-wrapper">
<ul>
   <li><label class="option" for="edit-persistent-login"><input type="checkbox" name="persistent_login" id="edit-persistent-login" value="1" class="form-checkbox"/>Remember me</label></li>
</ul>
</div>
<!--- End of remove --->
 </form>
</div>
<div class="login-links"> 
    <ul>
    <li><a href="/user/register">Free Registration</a></li>
    <li><a href="/user/password">Forgotten Password?</a></li>
     </ul>
 </div>
AlexisWilke’s picture

AlexisWilke commented

Thank you tolimar!

Adding 3 lines of code to the Secure Pages is more sensible than adding yet another module!

Alexis