Download & Extend
Secure Login » Issues

better separation of secure and insecure login modes

Posted by leop on January 30, 2008 at 5:50pm
Project:Secure Login
Version:5.x-1.x-dev
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

Here is a patch that solves two problems:

  1. The Secure Login module requires the user to make changes to settings.php in order to refer users to the insecure page. In this patch I propose a solution that uses hook_init() to change the $base_url variable depending on whether a login attempt was performed. To make this work, an additional (hidden) field was added to the login forms. In this fashion the settings.php file doesn't have to be modified anymore.
  2. When a user logged on from a secure site, while the $base_url was set to the insecure site, the user would be redirected to the insecure site. In the patch this is solved. Users logging in on the secure site will always be redirected to the secure site,while users logging in on the insecure site can be redirected to the insecure site when this option is enabled. Redirecting users to the insecure site when necessary can be be enabled or disabled from the securelogin administration page.

The only thing that needs to be solved to make this module perfect is:

http://drupal.org/node/177495

but this is really hard because there is no hook that can be called on unsuccessful logins.

Login or register to post comments

Comments

#1

Posted by leop on February 12, 2008 at 2:10pm

And the patch...

AttachmentSize
securelogin.patch 4.13 KB

#2

Posted by leop on February 14, 2008 at 2:35pm

Actually, there was a much simpler (and better) way to implement this patch. Referring users back to the original host after sending the password to the secure host is now better implemented. For example, if the user logs on from http://mysite.com, the password will be sent using https://mysite.com, and the user can be redirected to the original address at http://mysite.com, depending on the admin settings. If the user logs on from https://mysite.com, the password will be sent using https://mysite.com, and the user will stay in https://mysite.com.

Also, it is not necessary anymore to actually specify the secure hostname; if it is not specified, the https version of the current host ($base_url) will be used. This allows for accessing the website under multiple hostnames (aliases), however the secure hostname and the insecure hostname must still match. To achive this, leave the secure URL field in the administrative page empty.

Furthermore http://drupal.org/node/177495 is partially solved, because a successful login after an unsuccessful login attempt will lead to the original host.

#3

Posted by leop on February 14, 2008 at 2:39pm

again something went wrong with uploading the patch. Here it is.

AttachmentSize
securelogin_#2.patch 6.53 KB

#4

Posted by leop on February 14, 2008 at 5:39pm

Oh no, #'s are not allowed in the filename. So again, here is the new patch...

AttachmentSize
securelogin2.patch 6.53 KB

#5

Posted by avf on April 14, 2008 at 2:30pm

This is now implemented. Thanks for the patch! I've also decided to completely remove the secure base URL setting. Hopefully no-one will complain. :-)

#6

Posted by avf on April 14, 2008 at 2:31pm
Status:needs review» closed (fixed)

Close.