1. How to test enforced redirection for the ?q=user page, so that even if a web site normally runs on HTTP, it will always use HTTPS (SSL) on the login page?

2. The user creation and user account pages should also be under enforced SSL.

3. What about sites that have login on the front page, and the front page does not use SSL? How to ensure that the username and password is sent securely?

Comments

rentex’s picture

I

rentex’s picture

Which rule to use in the htaccess-file if I want only the login-page to be under https?
How exactly would the final result look like, after the relevant rule was applied correctly?
And if I also want the registration page to be under https?

This is how far I came, but I didn't get it working yet

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule http://www.the-URL-I-want-to-be-redirected/user https://www.the-URL-I-want-it-to-redirect-to/user [L,R=301]

Greatfull if anyone could help:-)

jhm’s picture

the following works for me (using a login url).

  RewriteCond %{HTTPS} on
  RewriteCond %{REQUEST_URI} !^/login$ 
  RewriteCond %{QUERY_STRING} !^q=login
  RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [L]
  
  RewriteCond %{HTTPS} off
  RewriteCond %{REQUEST_URI} ^/login$ 
  RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,QSA]
mnystedt’s picture

I'm struggling with I think the same issue. I want basically login and anything that's done while logged in (I think) to be done on https but not regular browsing by those not logged in, if that makes sense.

//Magnus

rentex’s picture

That would be interesting to know how to do: SSL (https) only while logged in.

But I only want SSL while I login (the password/username which is transmitted over the internet is the only thing I'd like to be under encryption).

grcm’s picture

You need to set up HTTPS serving on your web host first. That's a complex procedure, but there are lots of howtos out there.

Then block /user through .htaccess or Apache conf files for the non-HTTPS connection. That's easy.

The hard bit will be setting up HTTPS and then persuading Drupal to work over it. (relative links &c.)

Probably easier to accept the fact that interception is VERY unlikely, or write a custom login module which uses HTTPS frames.

-- Version Control your Drupal web site with The File High Club's Free Trial!

rentex’s picture

Thank you.

HTTPS/SSL is ready on my server, and it's fully functional.

How to block /user through .htaccess or Apache-conf-files for the non HTTPS connection (does this also redirect those who go at http://.../.../user to HTTPS)? Could you please post an example-rule (piece of code) that actually works in combination with Drupal?

Bèr Kessels’s picture

An issue, with patches. http://drupal.org/node/1577 to make this easier in Drupal
A howto, very detailed and very good: http://drupal.org/node/53567
---
Professional | Personal
| Sympal: Development and Hosting