
Logintoboggan and Secure Pages module

Project: LoginToboggan
Version: 7.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active

Issue Summary

I'm seeing some unexpected interaction--or rather, lack of interaction--between these two modules.

I have the most recent version of both modules enabled. I have Secure Pages configured so that all pages of the pattern user* are redirected through SSL. It works fine if someone goes to http://example.com/user --they get redirected to https://example.com/user

In logintoboggan, I have it set to Present login form on access denied (403). Looking just a little at the code in logintoboggan.module, I would kind of expect the SSL redirect to work when someone gets an access denied message--but it doesn't.

I tried including logintoboggan/denied in the list of pages for Secure Pages to redirect, but that doesn't work either.

These are both great modules. But it would be even greater if they would cooperate! Any help appreciated.

Comments

#1

I should add that I found a similar issue posted in the Secure Pages issue queue, without resolution: http://drupal.org/node/345740

#2

Status: active » postponed

unfortunately, LT currently uses some dark magic to perform those access denied redirects, so i'm guessing Secure Pages never gets properly notified of the actual page that's being loaded.

i don't see any way to fix this without a redesign of the way LT does it, and currently i'm not even seeing a way to do that without limiting some of the functionality that currently exists.

i'm not willing to break things in a stable branch, so this will have to be addressed in 7.x...

if somebody is willing to dig through the Secure Pages code and find a proper Drupal way to expose what LT is doing, so that Secure Pages can pick up on it, then i would be willing to look at a patch for that. post it here if so.

#3

Version: 6.x-1.5 » 7.x-1.x-dev
Status: postponed » active

#4

subscribing

#5

Subscribing

#6

subscribing

#7

Hi, I was wondering if a user registers/logins without Secure Pages module or Secure Login module that LoginToboggan is not keeping the password data etc safe? I would like to keep security high for pages that deal with sensitive info such as passwords. I would like to learn more about how LoginToboggan does this. Thanks!

#8

i certainly wouldn't consider myself an expert in this area, but anything transmitted via http:// is open to sniffing, and via https:// should be secure. therefore, the login process should be done over an https:// connection. like drupal core, LT has nothing to do with this, it needs to be implemented via other means.

#9

ahh I see, thanks for the explanation!

I wish compatibility with Secure Pages module would be possible in Drupal 6, but, as you made clear it will only be for Drupal 7, I look forward to following this into D7 =)

Thanks!

#10

let's be clear -- i said i would *look* at it for 7.x. there is no promise of a fix for this issue in 7.x and beyond.

i have enough commitments already... ;)

#11

definitely understand =)
your hard work is very much appreciated!

#12

As I understand it, the D7 API supports SSL out of the box. The only thing needed is to tell the form to be HTTPS, and D7 does some magic in the background, now, to handle a lot of the initiation that was done in securepages (it sets two cookies for mixed mode stuff, but config of what's what still needs a module, natch). The issue is here: http://drupal.org/node/1577 - 'twas committed to head, and around 2/3rds of the way down are details. It looks like all you'd need is an admin checkbox "force SSL login" and then the module would use a form with #https = TRUE. In theory :)
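
The approach outlined in comment #12, sketched as an added example that is not part of the thread or of LoginToboggan's code: a hypothetical Drupal 7 module, `force_ssl_login`, whose module, variable, path and function names are assumptions. It assumes `$conf['https'] = TRUE;` is set in settings.php, without which Drupal 7 ignores `#https`.

```php
<?php
/**
 * Added example: hypothetical Drupal 7 module "force_ssl_login".
 * Assumes settings.php contains $conf['https'] = TRUE; otherwise
 * Form API ignores the #https property set below.
 */

/**
 * Implements hook_menu().
 */
function force_ssl_login_menu() {
  // Hypothetical admin path for the single settings checkbox.
  $items['admin/config/people/force-ssl-login'] = array(
    'title' => 'Force SSL login',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('force_ssl_login_settings'),
    'access arguments' => array('administer site configuration'),
  );
  return $items;
}

/**
 * Settings form holding the "force SSL login" checkbox.
 */
function force_ssl_login_settings($form, &$form_state) {
  $form['force_ssl_login_enabled'] = array(
    '#type' => 'checkbox',
    '#title' => t('Force SSL login'),
    '#default_value' => variable_get('force_ssl_login_enabled', FALSE),
  );
  // system_settings_form() stores the value under the element's key.
  return system_settings_form($form);
}

/**
 * Implements hook_form_alter().
 */
function force_ssl_login_form_alter(&$form, &$form_state, $form_id) {
  // Core forms that carry a password.
  $credential_forms = array('user_login', 'user_login_block', 'user_register_form');
  if (in_array($form_id, $credential_forms) && variable_get('force_ssl_login_enabled', FALSE)) {
    // Form API rewrites the form's action URL to https:// when this is set.
    $form['#https'] = TRUE;
  }
}
```

`#https` only changes the URL the form submits to; the page that carries the form is still delivered over whichever scheme the visitor requested, so redirecting the login pages themselves remains a separate job.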

#13

thanks for the very helpful info renee!

i'm having to launch my website for business reasons in the next month.. so i'm guessing i will have to start with d6 and port my site to d7 when it is stable =/

#14

Category: support request » bug report
Status: active » postponed

so...

i don't understand where this issue is at now ;)

i won't fix the issue in 6.x, and i have no idea if secure pages is going to be supported for 7.x. if it's not, then this would be a feature request to add secure pages support to LT? and if not i guess it's a bug report.

guess for now i'll call it a bug report, and postpone any activity on it until the fate of secure pages is known.

#15

Status: postponed » active

Since the last post, #14, work on porting Secure pages to 7 has been underway, but only has a dev release so far.
The issue tracking progress is #952820: Drupal 7 port

It may be enough to reopen exploration of the issues here. Tentatively marking active.

#16

Subscribing.
