Hi all,
Former WordPress user here. My old site used to redirect unauthenticated users to HTTP, which was quite handy for making sure search engines don't index https:// as well as http:// versions of pages and penalise you for duplicate content.
I think it may have been achieved using mixed mode authentication cookies, which I'm not using in Drupal (authentication cookie is secure only)... but I'm not sure.
I tried this in my VirtualHost config file to redirect unless the secure session cookie is present:
RewriteCond %{HTTP_COOKIE} !^SSESS612cb529d2dfaadfff38b8731a3a4c8a
RewriteCond %{THE_REQUEST} !user [NC]
RewriteRule ^/(.*) http://www.samhobbs.co.uk/$1 [R=permanent,L]
which seems to work - it redirects to http unless the secure cookie is present or the requested url contains "user", but seems to have some issues if you log out and don't clear the cache (redirect loop).
I feel like there's probably a better way of doing it, and I've searched but I can't find it. Most searches turn up questions about redirecting users to a page immediately after they log in, which is not what I'm after.
Is there an internal Drupal mechanism that will do this for me?
Many thanks,
Feathers McGraw
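A tightened variant of the rules in the post above, added here as an example and not taken from the thread. It assumes the rules live in the HTTPS VirtualHost and that clean URLs are enabled, so login and logout live under /user; the cookie name and hostname are the ones from the post.

```apache
# Added example for the HTTPS (port 443) VirtualHost; assumptions are noted inline.
RewriteEngine On

# Original condition, kept for comparison. "^" anchors to the start of the
# whole Cookie header, so it only matches when the session cookie happens to
# be the first cookie the browser sends:
#   RewriteCond %{HTTP_COOKIE} !^SSESS612cb529d2dfaadfff38b8731a3a4c8a

# Match the cookie name at any position in the header: at the start or after
# a ";" separator, and followed by "=" so a longer cookie name cannot match.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)SSESS612cb529d2dfaadfff38b8731a3a4c8a=

# Exempt only the /user paths (assumes clean URLs) instead of any request
# line that contains the string "user" somewhere.
RewriteCond %{REQUEST_URI} !^/user(/|$) [NC]

# Temporary redirect instead of R=permanent: browsers cache 301 responses,
# so a redirect issued while logged out can be replayed from cache later.
RewriteRule ^/(.*)$ http://www.samhobbs.co.uk/$1 [R=302,L]
```

The cookie condition only tests that a cookie with that name was sent, not that the session behind it is valid, so it decides which scheme a visitor ends up on and says nothing about who is authenticated.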
Comments
Secure Pages Module
https://drupal.org/project/securepages
I think there are options in the module to redirect by permission.
Peter J Lord
http://peterjlord.co.uk
No stable release for D7?
Thanks, I didn't know securepages was capable of this.
I've not yet tried installing securepages because there's no stable release for Drupal 7, and the instructions seem to require patching drupal core (does this not count as "hacking core"?).
Have you used the module in D7? Perhaps I was being over-cautious.
If your sole intent is to
If your sole intent is to prevent search engines from indexing HTTPS pages, one way to achieve this is to add this meta tag to your HTTPS pages:
<meta name="robots" content="noindex, nofollow" />
This can be done by overriding YOURTHEME_html_head_alter() in your theme's template.php as follows:
That might do it!
Thank you, I'll look into using this.
About 80% of the reason was to stop search engines indexing the HTTPS version, so this might do it.
The other 20% was because I'm using a CAcert signed SSL certificate, so I'm pretty sure the only people using the HTTPS version of the site apart from me are spam bots and web crawlers - I imagine most casual visitors don't have the CAcert root certificate installed and would get a warning if they tried using the HTTPS version.
Thanks again!