I would like to request that an SSL option be added to this module. Would it be possible to have a check box for each webform that when checked would substitute an "https:..." URL for the specific webform you want protected (because it is sending personal/confidential information). Would the submission of the data need to be SSL'd further?

Perhaps this could be enabled/disabled as a feature in the configuration options for the module?

This would be very helpful! Or perhaps this should be in a seperate module?

Comments

quicksketch’s picture

quicksketch
he/him
commented

I'm not sure what it is you are requesting. As far as I know, making submissions 'secure' wouldn't have anything to do with the way webform works. Although the submissions *could* be encrypted by webform, I think that you're referring to secure http (like for credit cards and secure information). In which case you'd need a valid certificate from VeriSign or another major vendor. I'm not a security expert, but I believe this is the functionality you are requesting. Let me know if I'm mistaken in some way.

bomarmonk’s picture

bomarmonk commented

You are correct that SSL service is provided seperately from Drupal and its modules. However, if this service is available, it would be great if there was an easy way to redirect the URL of a webform so that the submission of data is encrypted (a checkbox to put the htts in front of the URL).

If this could be a seperate module, that would be grand (I think I should be able to figure out how to edit the .htaccess file to achieve this as well). However, it also seems like a nice option to have built into webform (but I am perhaps asking for a feature that would burden an already complex module)

quicksketch’s picture

quicksketch
he/him
commented

Ah, yes I think see what you're saying now. Let's run through a use-case scenario:

  1. You have a Drupal website and valid signed certificate to use https when necessary, but the entire website is not accessed through https
  2. A user clicks on a link to a webform that needs to be secure
  3. The user is automatically directed to a https address of the form, even if the link was to an http address
  4. The user fills out the form, clicks submit
  5. The form is sent to the server securely over SSL
  6. Upon completion a confirmation message is displayed to the user
  7. The next link clicked by the user re-enters the http website

Does this sound like the situation? I think that making webforms handle switching the user to https would be outside the feature-set of this module. However, we should make sure that webforms handles this scenario should the site administrator set it up (probably using .htaccess as you suggested). Right now, webforms would work well if the form sent to a completion page, but if the admin entered a web address to forward the user to upon completion, webforms would kick the user out of https before displaying a confirmation message. Something that would actually be quite secure, but scary to the end user.

I'll fix this issue shortly, basically by allowing the admin to enter a https address into the redirect URL. Right now it only accepts http addresses.

bomarmonk’s picture

bomarmonk commented

Terrific: I appreciate your attention and your efforts. I hadn't even gotten that far yet, if you know what I mean. Thanks again.

quicksketch’s picture

quicksketch
he/him
commented
Status: Active » Closed (works as designed)

I was mistaken earlier. Webform already checks addresses against drupal's "valid_url" function, which allows https addresses and http addresses. You should be good to go with creating forwarding rules in .htaccess.