By Dave Cohen on

Can I force all users with administrative priveleges to always use SSL (HTTPS)?

Let's say that http://mysite and https://mysite both point to the same drupal installation. Can I somehow enforce this logic?

if (access over HTTP (not HTTPS)) {
  if (current user has admin role) {
    either goto https site or deny access
  }
}

I can come up with the exact PHP code, but where do I put it?

Similarly, could I restrict access to user 1 (the "superuser") to only be from a certain machine (or only via http://localhost/...)?

I saw this conversation related to HTTP vs HTTPS: http://drupal.org/node/9309, but it does not address this question.

Thanks for any help.

Comments

Dave Cohen’s picture

Dave Cohen commented

I'm going to answer my own question. I've been playing with the HTTPS only functionality, and here's what I have so far. This module assumes you have a drupal site visible both over HTTP and HTTPS. (See http://drupal.org/node/6554).

To restrict some users to HTTPS only, enable this module, then go to settings->user_deny and really enable it. Then any user with 'HTTPS login only' permission will be able to log in over HTTPS only. To be safe, you should be accessing the site by HTTPS when you do all this (otherwise you may be denying yourself access).

I may add more functionality to the user_deny module. For instance allowing some users to access the site only from some IP addresses. If there is much interest I will post updates here and/or move the project into cvs.

/*
@file
user_deny module

Denies otherwise authorized users under special circumstances.

Implemented so far:
* allow some users over HTTPS only (not HTTP)

@author David Cohen

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
*/

define('HTTPS_ONLY', 'HTTPS login only');

function user_deny_help($section = 'admin/help#user_deny') {
  $output = '';

  switch ($section) {
    case 'admin/modules#description':
      $output = t('Restrict some users to login over HTTPS only.');
      break;
     case 'admin/help#user_deny':
      $output .= "<p>Requires users with ".HTTPS_ONLY." permission to login over HTTPS.</p>";
      break;     
  }
  return $output;
}

/* Implementation of hook_settings */
function user_deny_settings() {
  $output .= form_checkbox(t('Enable HTTPS only'), 'user_deny_https_enabled', 1, variable_get('user_deny_https_enabled', 0), t('Restrict some users to HTTPS only login.  Note: next time uid 1 logs in, it must be over HTTPS!'));
  
  $output .= form_textfield(t('Login denied page'), 'user_deny_page', variable_get('user_deny_page', ''), 70, 180, t('Denied users are forwarded to this URL.'));
  return $output;
}

/* Implementation of hook_perm */
function user_deny_perm() {
  if (variable_get('user_deny_https_enabled', 0)) {
	return array(HTTPS_ONLY);
  }
}

/* Implementation of hook_user */
function user_deny_user($type, &$edit, &$user, $category = FALSE) {

  // This is a bit of a hack.  Ideally, Drupal would have an 'auth'
  // hook which would allow us to deny a user.  Instead, we rely on
  // the login callback.  We are called after the user is logged in,
  // so to deny access we immediately log them out and do our best to
  // forward them to a page with an explanatory message.

  if ($type == 'login') {
	if (variable_get('user_deny_https_enabled', 0) &&
		$_SERVER['HTTPS'] != 'on' &&
		user_access(HTTPS_ONLY, $user)) {
	  // user has HTTPS_only restriction, but not using HTTPS!
	  // watchdog
	  watchdog('security', t('User %name allowed over HTTPS only.', 
						 array('%name' => theme('placeholder', $user->name))));
	  // 2nd message to user
	  drupal_set_message(t('Access restriction in effect.'));
	  
	  // used in user_logout()
	  $_REQUEST['destination'] = variable_get('user_deny_page', '');
	  $_REQUEST['edit']['destination'] = $_REQUEST['destination'];
	  // log em out
	  user_logout();
	}
  }
}

/* Implementation of hook_menu 
(This could be done in hook_init instead)
*/
function user_deny_menu($may_cache) {
  /*In case a link brings a user from HTTPS to HTTP, deny all access */
  if (!$may_cache) {
	if (variable_get('user_deny_https_enabled', 0) &&
		$_SERVER['HTTPS'] != 'on' &&
		user_access(HTTPS_ONLY, $user)) {
	  // user has HTTPS_only restriction, but not using HTTPS!
	  // watchdog
	  watchdog('security', t('User %name allowed over HTTPS only.', 
								array('%name' => theme('placeholder', $user->name))));
	  drupal_access_denied();
	  die();
	}
  }
}
bit2’s picture

bit2 commented

It seems to me that this module does not really help in improving security of a Drupal site. The main advantage of restricting users to HTTPS access could be that they login through a secure channel. However ... if a user loads the login page through HTTP and submits the login form, then the username and password is already sent through the network in cleartext at the time this module is called. So what's the point of the module? What additional security is gained by using this module?

The other problem that I found is in the implementation. I didn't actually test it, but the reference to the variable $_SERVER['HTTPS'] is not safe. It is not assured that the $_SERVER variable has an element with an index "HTTPS". Eg. on my site the admin has installed a separate Apache for serving HTTP requests and a separate Apache for serving HTTPS requests. The former has no mod_ssl and as such the $_SERVER variable does not have an element with index "HTTP". My site is available both through HTTP and HTTPS, but in case of HTTP an access to the $_SERVER['HTTPS'] variable raises an error.
So you should check for existence of that index in the array before referencing it.

Something like this:

(...)
    if (
      variable_get('user_deny_https_enabled', 0)
      && (
        !isset($_SERVER['HTTPS']
        || $_SERVER['HTTPS'] != 'on'
      )
      && user_access(HTTPS_ONLY, $user)
    ) {
(...)