We love this module, especially for how simple it is to configure. Is there a way to make the redirect from CAS always return to the SSL version of the page? We have the redirect going to but that doesn't infer ssl.
Thanks
Comments
Comment #1
metzlerd commented:
I typically force SSL just by altering the base url in my settings.php file, but secure pages and other modules can also help here, or were you looking for something more specific? Much depends on how you have your site set up as to whether you get redirected to a secure page or not.
Comment #2
metzlerd commented:
FYI: Also there's no strong reason to have the redirection be SSL except for when going to the cas server (which is always enforced). So the question about ssl is really about the confidentiality of the content that's on your site.
Dave
Comment #3
sher1 commented:
So to give details but not overdo, we have a page that shows additional info if you are logged in and that additional info has to be protected by SSL. Since we don't want to get mixed content pages or allow for injecting bad js in with the non-ssl content, we have to secure the whole thing. I actually have my base_url set to the ssl version of the site but that doesn't seem to make any difference. I will take a look and see if there are any things I should be doing differently with the base_url. Thanks for the quick reply. I will report back what I find in case anyone else ever needs this.
Comment #4
bfroehle commented:
I think this could be accomplished in 6.x-3.x by implementing hook_cas_phpcas_alter(). The code would need to be something like:
Comment #5
bfroehle commented:
I recently was faced with a similar task and ended up opting for the simplest solution which was to just put everything under the SSL umbrella.
Has anybody else figured out a good solution?
Comment #6
sher1 commented:
So, what I ended up doing was this. On the top of the page-front.tpl.php I have
To clarify, the first condition checks to see if you are logged in. The second checks to see if we are already using SSL by looking for the header variable HTTP_X_HTTPS which is set by our reverse proxies. The result of a true (we are both logged in and not already ssl) is a call to my redirectToHTTPS function that looks like this:
Hope that is useful to someone else.
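The check described in comment #6, as an added example that is not the code from the original comment: it redirects logged-in visitors to HTTPS unless the reverse proxy has already marked the request as TLS. Assumptions: the proxy strips any client-supplied X-HTTPS header before setting its own, `www.example.edu` is a constructed hostname, and `CANONICAL_HOST` and `httpsRedirectTarget()` are hypothetical names; only the name `redirectToHTTPS` comes from the comment.

```php
<?php
// Added example, not the code from the original comment.
// Assumptions: the reverse proxy sets X-HTTPS (seen by PHP as HTTP_X_HTTPS)
// on TLS requests and strips any client-supplied copy; www.example.edu is a
// constructed hostname standing in for the site's canonical host.
define('CANONICAL_HOST', 'www.example.edu');

/**
 * Returns the HTTPS URL to redirect to, or NULL if no redirect is needed.
 *
 * @param bool  $logged_in TRUE when the visitor has an authenticated session.
 * @param array $server    Request variables in the shape of $_SERVER.
 */
function httpsRedirectTarget($logged_in, array $server) {
  // Anonymous visitors stay on whatever scheme they arrived on.
  if (!$logged_in) {
    return NULL;
  }
  // The proxy marks requests that reached it over TLS; nothing to do then.
  if (!empty($server['HTTP_X_HTTPS'])) {
    return NULL;
  }
  // Build the target from a fixed host, never from the Host header, so a
  // forged Host cannot turn this into a redirect to another site.
  $path = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
  // Accept only a local path: one leading slash, no backslash or control
  // characters. Anything else falls back to the front page.
  if (!preg_match('#^/(?!/)[^\\\\\x00-\x1f]*\z#', $path)) {
    $path = '/';
  }
  return 'https://' . CANONICAL_HOST . $path;
}

function redirectToHTTPS($url) {
  header('Location: ' . $url, TRUE, 302);
  exit;
}

// At the top of the template (Drupal 6: uid 0 is the anonymous user).
global $user;
$target = httpsRedirectTarget(!empty($user->uid), $_SERVER);
if ($target !== NULL) {
  redirectToHTTPS($target);
}
```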
Comment #7
bfroehle commented:
I added a link to this issue in the CAS documentation. Note, however, that this approach may still be susceptible to hijacked sessions --- see http://drupal.org/project/securepages_prevent_hijack for more info.