I want to protect all sensitive forms on the site, including the user login block. I also want to redirect certain forms -- i.e. user/*, etc, because people expect it. But I don't want to redirect all other pages to https prior to the user being logged on. Generally there might be a login form on each page, and redirecting to https prevents varnish from being involved.

I can't imagine a settings page for this that's not ugly, but it'd be nice to be able to granularly choose which forms trigger redirection.

Comments

mfb’s picture

Yes, for now you have to just link to the login page. And you could load the login form via ajax request. Admittedly I have tried to keep the module pretty simple so far.

Nephele’s picture

Title: More granularity for redirect » Dealing with themes that show a login block on every page

I experienced the same problem (and based on other issues we're not the only ones). The theme on our site has a drop-down login block on every page of the site, so enabling the securelogin module effectively turned our site into an https-only site for both logged-in and anonymous users.

I considered whether to turn off securelogin's redirect for the user login block: to have the block be displayed on http pages and instead only use https for submitting its form results. I believe that's the type of feature that's being proposed here. However, I then discovered why having https forms embedded in http pages would be a bad idea. The same would be true if the login form is added by ajax. So I don't know that there's any way to do what's being asked here -- namely to securely have a login block on every page without redirecting every page to https.

In case it helps anyone else, I'm now trying a different approach. I'm only putting a login block on pages if the user is already using https. On any http page, I'm replacing the login block with a link to the login page. Hopefully with a bit of education, our site's editors will switch to bookmarking https pages, and they'll continue to have a convenient built-in login option -- but typical site readers who don't plan to log in can continue to use http pages.

I accomplished this change by editing the block--user.tpl.php file in our custom theme's template directory, using the global variable $is_https to control what gets displayed. Since it's done at the template level, securelogin still thinks that there is a user login form on every page. However, I now know that my theme is ensuring the security of that block (and I know that this theme is the only one on my site to use the user login block). So I can safely turn off securelogin for that one block (at admin/config/people/securelogin, I can uncheck "User login block form" in the Required Pages section).

mfb’s picture

This is some code I find useful for a login link in the header and on the 403 page - it allows the user to be redirected to the current page after logging in: l('My site login', 'user', array('query' => drupal_get_destination(), 'external' => FALSE));

Anonymous’s picture

The suggestion in #2 works... my variation would be to disable the login block form in the settings and call the form with https/ajax to bring it back on to every page.

In my case I had this issue because we're using the login block rendered as a link so at first I didn't even see that there was a login form! Since it is just a link I disabled the login block from performing this action.

@mfb and other maintainers: this is a wonderful module. Thanks. Really good approach.

mfb’s picture

Status: Active » Closed (works as designed)

Closing this as it seems like it can be resolved by only displaying the login block on certain pages, and otherwise displaying a link to the login page. If someone has another idea, feel free to re-open.

roball’s picture

Title: Dealing with themes that show a login block on every page » All pages having the User login block enabled as "Link" block type are forced to https
Version: 7.x-1.x-dev » 7.x-1.4
Category: Feature request » Bug report
Issue summary: View changes
Status: Closed (works as designed) » Active

Even when core's User login block setting Block type is set to Link (and not to Standard or Collapsible form), all http pages with this block on it are forced to https, effectively turning the entire site to https-only when the block is enabled on all pages.

mfb’s picture

Category: Bug report » Support request
Status: Active » Fixed

As Ryan mentioned above, just uncheck "User login block form" on Secure Login settings and clear your browser cache.

roball’s picture

Alright, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.