Drupal 6 - Secure a Webform with SSL in mixed-mode while maintaining a positive user experience

Securing a webform is easy using a module such as Session 443 or Secure Pages but what about scenarios where a user abandons the form and browses the site using the primary or secondary menu. If you don't have the menu interaction planned out correctly they could end up receiving insecure content warnings and may even abandon the site altogether. Another scenario is when a user submits the form, do they continue to a confirmation page in SSL mode? This too can create problems with the user receiving insecure content warnings. Drupal's API makes it possible for UX professionals to create the best user experience. So below are a couple snippets for Drupal 6 that will solve these specific use cases with no additional modules. These snippets assume you have secured your webform with Session 443 or Secure Pages modules but theirs no dependencies on either.

First lets look at the first function that will alter the primary menu links. This function is called "THEME_NAME_menu_item_link($link)" and needs to be placed in "template.php" in your theme folder. Replace THEME_NAME with the name of your theme. This function defines the navigation menus, and route page requests to code based on URLs.

function THEME_NAME_menu_item_link($link) {
 global $base_path;
 $base_scheme = 'http';
 $base_menu_url = $base_scheme .= '://' . $_SERVER['HTTP_HOST'] . $base_path . $link['href'];
 
  if (empty($link['localized_options'])) {
    $link['localized_options'] = array();
  }
 
  $attributes = array();
 
  // set link title
  if ($link['description']) {
    $attributes['title'] = $link['description'];
  }
  
  if ($link['title'] != 'Title Name') {
  $link['href'] = $base_menu_url;
  }
 
  $link['localized_options']['attributes'] = $attributes;
  //print '<pre>'. check_plain(print_r($link, 1)) .'</pre>';
 
  return l($link['title'], $link['href'], $link['localized_options']);
}

Basically whats happening here is the function forces all primary links to use the HTTP protocol except for the link that has a title matching the string "Title Name". The string for the title should match the "Menu Link Title" you gave your webform link in the admin menu interface. If you don't have a link to your webform in your primary menu then you can remove the "if" statement and force all links to use HTTP.

The next two functions will deal with the webform. These functions are "hook_form_alter" and "hook_form_submit" and need to be placed in a custom module. Replace MODULE_NAME with the name of your module and replace webform_client_form_248 with the correct Form ID.

function MODULE_NAME_form_alter(&$form, &$form_state, $form_id) {
switch ($form_id) {

case 'webform_client_form_248':

$form['#action'] = url($_GET['q'], array('https' => TRUE, 'absolute' => TRUE));
	  
$form['#submit'][] = 'webform_248_form_submit';
	  
break;

}

}

This function ensures your form action is sent securely over HTTPS and calls another function to deal with the form submission.

function MODULE_NAME_form_submit($form, &$form_state) {
 $node = $form['#node'];
 global $base_path;
 $base_scheme = 'http';
 $base_redirect_url = $base_scheme .= '://' . $_SERVER['HTTP_HOST'] . $base_path;

 if (isset($form_state['values']['details']['sid']) && $node->nid == '248') {
    $sid = $form_state['values']['details']['sid'];
    $form_state['redirect'] = $base_redirect_url . 'node/248/done?sid=' . $sid;
 }
 
}

This function changes your submit handler to redirect users to the confirmation page using the HTTP protocol so users can continue browsing in insecure mode after submitting the form.