I propose a patch for the secure login module that implements several features:

  • If the secure hostname is not set (= empty) in the administrative page, the https version of the current hostname the user is at, is used. Of course it is still possible to specify a different URL.
  • It is possible to access the website under multiple hostnames (aliases), and use the https version of each alias for logging on. To achieve this, leave the secure URL field in the administrative page empty.
  • Users can be referred back to the URL from which the login attempt originated. This setting can be enabled or disabled from the administrative page. Editing settings.php to set the $base_url is not necessary anymore.
  • A check is performed whether secure hostname and the insecure hostname match for security reasons.
  • A successful login after an unsuccessful login attempt will lead to the original host (partially solves http://drupal.org/node/177495).
  • Permission to edit the secure login administrative page is changed from 'access administration pages' into 'administer site configuration'.

Note that several premature versions of this patch are in http://drupal.org/node/215949.

CommentFileSizeAuthor
#1 securelogin.patch6.83 KBleop

Comments

leop’s picture

leop commented
StatusFileSize
new securelogin.patch6.83 KB
avf’s picture

avf commented
Status: Needs review » Closed (fixed)

I've changed the access permissions; everything else seems to have been covered by http://drupal.org/node/215949/ . Thanks!