Closed (fixed)
Project:
Secure Login
Version:
7.x-1.4
Component:
Code
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
17 May 2012 at 20:22 UTC
Updated:
1 Feb 2014 at 21:40 UTC
Jump to comment: Most recent
Comments
Comment #1
mfbYes, for now you have to just link to the login page. And you could load the login form via ajax request. Admittedly I have tried to keep the module pretty simple so far.
Comment #2
Nephele commentedI experienced the same problem (and based on other issues we're not the only ones). The theme on our site has a drop-down login block on every page of the site, so enabling the securelogin module effectively turned our site into an https-only site for both logged-in and anonymous users.
I considered whether to turn off securelogin's redirect for the user login block: to have the block be displayed on http pages and instead only use https for submitting its form results. I believe that's the type of feature that's being proposed here. However, I then discovered why having https forms embedded in http pages would be a bad idea. The same would be true if the login form is added by ajax. So I don't know that there's any way to do what's being asked here -- namely to securely have a login block on every page without redirecting every page to https.
In case it helps anyone else, I'm now trying a different approach. I'm only putting a login block on pages if the user is already using https. On any http page, I'm replacing the login block with a link to the login page. Hopefully with a bit of education, our site's editors will switch to bookmarking https pages, and they'll continue to have a convenient built-in login option -- but typical site readers who don't plan to log in can continue to use http pages.
I accomplished this change by editing the block--user.tpl.php file in our custom theme's template directory, using the global variable $is_https to control what gets displayed. Since it's done at the template level, securelogin still thinks that there is a user login form on every page. However, I now know that my theme is ensuring the security of that block (and I know that this theme is the only one on my site to use the user login block). So I can safely turn off securelogin for that one block (at admin/config/people/securelogin, I can uncheck "User login block form" in the Required Pages section).
Comment #3
mfbThis is some code I find useful for a login link in the header and on the 403 page - it allows the user to be redirected to the current page after logging in:
l('My site login', 'user', array('query' => drupal_get_destination(), 'external' => FALSE));Comment #4
Anonymous (not verified) commentedThe suggestion in #2 works... my variation would be to disable the login block form in the settings and call the form with https/ajax to bring it back on to every page.
In my case I had this issue because we're using the login block rendered as a link so at first I didn't even see that there was a login form! Since it is just a link I disabled the login block from performing this action.
@mfb and other maintainers: this is a wonderful module. Thanks. Really good approach.
Comment #5
mfbClosing this as it seems like it can be resolved by only displaying the login block on certain pages, and otherwise displaying a link to the login page. If someone has another idea, feel free to re-open.
Comment #6
roball commentedEven when core's User login block setting Block type is set to Link (and not to Standard or Collapsible form), all http pages with this block on it are forced to https, effectively turning the entire site to https-only when the block is enabled on all pages.
Comment #7
mfbAs Ryan mentioned above, just uncheck "User login block form" on Secure Login settings and clear your browser cache.
Comment #8
roball commentedAlright, thanks!