By steve02476 on
There's no data on my site that needs security, and 99% of the access is by anonymous guests. But, for the few people who sign on to the site to create and edit content, I'd like to protect their passwords, which I guess are transmitted in the clear right now.
How can I make sure that logins are done using encrypted transmission for the passwords, as well as when they set up their passwords in the first place or change them? I don't want a solution to affect the 99% of anonymous guests, and I'd rather a solution not affect registered users, either, except when dealing with passwords.
Any advice on a simple way to deal with this? Thanks!
Comments
Use the secure pages module
If you use the secure pages and secure pages hijack prevention, you can easily achieve your goals.
In the secure pages config, set up the non-secure base URL the same as you have it in settings.php, and make the secure base url point to an appropriate https url. If you also turn on the secure pages hijack prevention module, then the login form will always be submitted via https, even if it appears on an http-served page. Secure pages even has an option that will allow you to go back to http pages for URLs that do not match the security pattern. You probably want the admin / user pages to always be https too, so that user password changes cannot be observed.
There is one slight drawback to having the login form on an http page and the login form submitted by https. In this configuration, if you use a self-signed certificate, you will get the "invalid certificate error" (warning) from the browser when you submit your username and password. In my experience, some users see the error message, don't read the dialog and assume that the system is telling them that they cannot log on. To avoid that problem, you pretty much need to buy a certificate from a certificate authority (or educate all of your users). I'm in a situation similar to yours; I have very few authenticated users, so I am opting for the latter option.
- Greg
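The point of the answer above is that what matters is where the login form is submitted, not where it is displayed: a form on an http page whose action is an https URL still sends the password encrypted. A simple way to verify that after configuring Secure Pages is to fetch the login page and inspect the form action. The following script is an added example (it is not part of this thread and not code from the Secure Pages module); it parses a saved copy of a login page and reports, for every form containing a password field, the absolute URL it would post to and whether that URL uses https. The host example.com and the two HTML snippets are constructed for the example; the Drupal form markup is only representative.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> and note whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            # A missing or empty action means "post back to the current page URL".
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def password_form_targets(html, page_url):
    """Return [(submit_url, is_https)] for each form on the page that carries a password field.

    page_url is the URL the page was served from; relative actions inherit its scheme,
    so a form on an http page with action="/user/login" posts in the clear even if the
    site also has an https base URL configured.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    results = []
    for form in scanner.forms:
        if form["has_password"]:
            target = urljoin(page_url, form["action"])
            results.append((target, urlsplit(target).scheme == "https"))
    return results


# Constructed sample: a login block as Secure Pages would leave it WITHOUT
# the hijack-prevention module, i.e. the form posts back over http.
PLAIN_LOGIN_HTML = """
<html><body>
<form action="/user/login" method="post" id="user-login-form">
  <input type="text" name="name" id="edit-name" />
  <input type="password" name="pass" id="edit-pass" />
  <input type="hidden" name="form_id" value="user_login_block" />
  <input type="submit" value="Log in" />
</form>
<form action="/search/node" method="get">
  <input type="text" name="keys" />
</form>
</body></html>
"""

# Constructed sample: the same block on an http page, but with the action
# rewritten to the https base URL, which is the configuration the answer recommends.
SECURE_LOGIN_HTML = PLAIN_LOGIN_HTML.replace(
    'action="/user/login"', 'action="https://example.com/user/login"'
)


def main():
    page = "http://example.com/"  # the http-served page the login block appears on
    for label, html in (("plain", PLAIN_LOGIN_HTML), ("secure", SECURE_LOGIN_HTML)):
        for target, ok in password_form_targets(html, page):
            print(f"{label}: password form posts to {target} -> {'https' if ok else 'PLAINTEXT'}")


if __name__ == "__main__":
    main()
```

Run it against HTML saved from your own site's front page and from /user and /user/password; every line should end in "https". The search form is skipped because it has no password field, which matches the goal of leaving anonymous traffic on plain http.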
Another idea--OpenID
If you use the OpenID module, then your users would authenticate with a username / password managed by another service. In this scenario, you probably wouldn't even need to configure SSL for your site at all.
I haven't used OpenID myself yet, but it might do the trick for you.
- Greg