Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. For Drupal 7, Secure Login module also enforces secure authenticated session cookies, thus preventing session sidejacking. For previous versions of Drupal, PHP's session.cookie_secure flag must be enabled on the HTTPS site to enforce secure authenticated sessions.
A word about Drupal 7's $conf['https'] setting
Secure Login is intended for sites that want to offer anonymous sessions via HTTP and authenticated sessions via HTTPS. Anonymous insecure sessions are migrated to authenticated secure sessions upon login, with all session data intact. Secure Login is designed to work with Drupal 7's $conf['https'] setting at its default value, FALSE.
If you were to change $conf['https'] to TRUE, you would enable mixed-mode (HTTPS and HTTP) authenticated sessions: both secure and insecure session cookies are set when a user logs in to the HTTPS site. Other contributed modules, such as Secure Pages, may assist you with implementing mixed-mode authenticated sessions.
Secure Login is currently maintained by mfb.
Project Information
- Maintenance status: Actively maintained
- Development status: Under active development
- Module categories: Security, User Access & Authentication
- Reported installs: 2298 sites currently report using this module. View usage statistics.
- Last modified: January 28, 2011
