Hello,
I have been trying to secure my site, but I am running into a few critical issues that are preventing the site from being functional/secure.
My site is http://carbonpig.com
What I'm trying to do
I'm trying to make all of my admin, login, ubercart payment and checkout, user*, logout, etc. (i.e., pages with forms/input fields) pages secure.
I'm trying to enforce/guarantee that my homepage, "article*" pages, and other designated content types are not secure because the google adsense ads won't appear on the https:// (secure) pages.
The Issue(s) I'm Facing
I've found that if you login in an http:// environment and then go to your account page in an https:// environment that it doesn't acknowledge that you're logged in as an authenticated user and vice versa; logging in via secure http and then going to an unsecure page.
This is important because it is affecting my dropdown menus and node tabs as follows:
-If you log in at https://carbonpig.com/user/login everything looks fine and all the desired pages are secure.
-Then, if you then navigate to an article page, as I want, the https:// changes to http://. This is important because we need the ads to show.
-However, as mentioned, the site no longer recognizes the user as being logged in. Therefore, the dropdown menus no longer show any links that are restricted to the role that you are loggen in as, and the view and edit tabs disappear from the article page.
What I've Tried
I've tried both the secure pages (official and dev) and secure role modules alone and in tandem to try and engineer a solution. I thought maybe I would just designate certain pages for certain roles to be secure and all pages for my "publisher" role (they can write articles), so that I could have the edit tab show up on article pages...needless to say it didn't do what I was expecting (i.e. the secure role module didn't take precedent over secure pages.
I always flush all caches and when I've tried different module versions I do a complete uninstall from my modules page and at the database level in the system table.
I've tried ticking and checking every box including manually defining the options for:
-Make secure every page except the listed pages. and
-Make secure only the listed pages.
I've also tried pulling my hair out and cursing Drupal, but that didn't work, because deep down, I love Drupal.
What I'm Hoping For
1. A simple solution, that isn't currently in the que.
or
2. Someone to emerge that understands php and Drupal more than myself that can help troubleshoot this in a skype call for free.
or
3. Number two, but I can pay a modest amount because I'm a poor environmentalist hoping to build a really great site.
Lastly
I've disabled the module for now so that the core functionality is back up. If someone is willing to help please email me via Drupal with ideas or reply to this post and I'll enable during a scheduled time.
Thanks,
CarbonPig
Comments
Comment #1
Garrett Albright commentedCould you clarify why you feel it's necessary to use a secure connection in the first place? Do you simply want user login to be encrypted?
Comment #2
CarbonPig commentedHi Garrett,
Yes exactly - I want login to be encrypted, but I'm also launching an ubercart store for an organic clothing line that supports renewable energy development. I will be accepting credit cards, hence security is critical. I believe this necessitates https:// security.
If you have any suggestions/ideas that underly your question I would be very grateful to hear. I've read a significant amount of documentation about security within drupal.org and it seems that secure pages (with hijack prevention module) and secure role are the best practice. Please correct me if I'm wrong on needing https://.
I'm relatively novice when it comes to php, but I've been working to learn drupal for 2 years now.
Thanks for your help,
CarbonPig
Comment #3
Garrett Albright commentedHmm, sounds like you're in a tough spot. Is simply not displaying ads for logged-in users an option?
Comment #4
CarbonPig commentedHi Garrett,
True - tough spot.
Not displaying ads for logged in users is not really an option. Users earn "Pounds of CO2" (i.e. userpoints module) that they can cash in when checking out in Ubercart. Therefore, I need people logged in as often as possible to earn points when reading and commenting on posts.
I'm a bit confused why folks haven't run into this issue more often.
Any ideas on how to proceed securing the site?
Thanks ahead of time for any insight. I'm at a loss right now on what to do.
Cheers,
CarbonPig
Comment #5
CarbonPig commentedHi Garrett,
True - tough spot.
Not displaying ads for logged in users is not really an option. Users earn "Pounds of CO2" (i.e. userpoints module) that they can cash in when checking out in Ubercart. Therefore, I need people logged in as often as possible to earn points when reading and commenting on posts.
I'm a bit confused why folks haven't run into this issue more often when securing a site that has adsense ads.
Any ideas on how to proceed securing the site?
Thanks ahead of time for any insight. I'm at a loss right now on what to do.
Cheers,
CarbonPig
Comment #6
tinker commentedSounds like a sessions problem. When you login securely drupal creates a secure session and cookie. When you navigate to a non SSL page it cannot read the secure session and assumes you are logged out.
Are you using Secure Pages Hijack Prevention? - http://drupal.org/project/securepages_prevent_hijack
This is an add-on to the Secure Pages module that will prevent hijacked sessions from accessing SSL pages, yet still allow users to stay logged in when browsing non-SSL pages.
Comment #7
astonvictor commentedI'm closing it because the issue was created a long time ago without any further steps.
if you still need it then raise a new one.
thanks