Default options don't secure login?
fletchgqc - May 31, 2008 - 15:09
| Project: | Secure Pages |
| Version: | 6.x-1.x-dev |
| Component: | Miscellaneous |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | reviewed & tested by the community |
Description
I just enabled the module and noticed by default there is a config line to secure the URL:
user/*
On my site I log in by visiting /user - which is the sort of "default" isn't it? Anyway I was able to log in without encountering an HTTPS page. So I changed the config to user* and now I can only log in over HTTPS. Shouldn't this setting be in the defaults? Isn't that the first thing you would want to secure?

#1
I assume you log in through user because you've disabled the login block?
Do you get an HTTPS page when using the block?
#2
1. Yes, correct.
2. Haven't tried, it's not really relevant for me.
#3
While it may not be relevant for you, it is relevant to the request and your question about whether or not it should be a default setting.
#4
How would I secure login with this module?
#5
I'd think you would want to investigate the securelogin.module
#6
Or just add /user to the pages to be viewed over HTTPS.
#7
Automatically closed -- issue fixed for 2 weeks with no activity.
#8
The v6.x-1.7 release secures the user/* pages by default.
#9
"user/*" does not match "user"
The ideal solution would be two lines:
user/*
user
#10
fletchgqc: Correct. I've attached a tiny patch for the D6 branch to add it in. It also separates the main admin page vs the sub-pages, to have them listed in the same format.
#11
I applied the patch listed in comment #10 to version 6.x-1.8 of the module. It applied without any trouble and appears to work as advertised. I think it is an important patch because someone who just accepts the defaults after installing this module could easily be under the mistaken impression that user logins are secure, when they may not be.
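
The mismatch pointed out in comment #9, as an added example that is not part of the original thread or the module's own code. It assumes one pattern per line, "*" matching any run of characters, and whole-path matching, which is consistent with the behaviour reported above; the function names and the sample paths are hypothetical. It also shows why the broader "user*" is less precise than the two-line form.

```php
<?php
// Added example, not Secure Pages code. ASSUMED matching semantics: one
// pattern per line, '*' matches any run of characters, and a pattern must
// match the whole path (consistent with the behaviour reported in the thread).

function pattern_list_to_regex(string $patterns): string {
  $alternatives = [];
  foreach (preg_split('/\r\n?|\n/', $patterns) as $line) {
    $line = trim($line);
    if ($line === '') {
      continue; // ignore blank lines
    }
    // Quote regex metacharacters, then turn the quoted '*' back into '.*'.
    $alternatives[] = str_replace('\*', '.*', preg_quote($line, '/'));
  }
  // An empty list must match nothing, not the empty path.
  return $alternatives ? '/^(' . implode('|', $alternatives) . ')$/' : '/(?!)/';
}

function path_is_secured(string $path, string $patterns): bool {
  return preg_match(pattern_list_to_regex($patterns), $path) === 1;
}

// The three configurations discussed in the thread.
$configs = [
  'default: user/*'           => "user/*",
  'reporter: user*'           => "user*",
  'comment #9: user/* + user' => "user/*\nuser",
];

// Constructed sample paths: the login-related ones, plus two hypothetical
// paths that merely begin with the string "user".
$paths = ['user', 'user/login', 'user/1/edit', 'userguide', 'users-forum/topic'];

foreach ($configs as $label => $patterns) {
  echo $label, "\n";
  foreach ($paths as $path) {
    $state = path_is_secured($path, $patterns) ? 'HTTPS' : 'not matched';
    printf("  %-20s %s\n", $path, $state);
  }
}
```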