Currently, the login toboggan block, which is very convenient, is not secure unless you happen to be on a page that's already secure. It would be great if secure pages had a way to make logins secure with this block.

Comments

hunmonk’s picture

hunmonk CreditAttribution: hunmonk commented

the LT login block is merely an extension of core's login block, so i'm not sure why it's not working in this case.

bejayoharen’s picture

bejayoharen CreditAttribution: bejayoharen commented
Category: feature » support

Thanks for your reply. I suppose it my complaint may also apply to built-in login block. The trouble is that it will only be secure if the page is secure to begin with. Perhaps I could add
*destination=*
to my list of pages that need to be made secure, but it's unclear to me if that would really work, or if it would try to submit the form data to http first, or if it would have other, undesired consequences. I'll give it a shot and see what I can see. Anyway, I am changing this to a support request since it sounds like there is some way to do it. Thanks again!

bejayoharen’s picture

bejayoharen CreditAttribution: bejayoharen commented

Variations on *destination*, including *?destination* and *?destination=* didn't work. Instead, they did things like make my whole site except the logins https. This is quite unexpected! Perhaps it's because of how Drupal inserts securepages and autopath or something. Anyway, any advice appreciated, but the login block is not a critical feature for me, and doesn't even work great with safari, so I'm happy to turn it off.

BTW, before I found securepages, I tried doing what securepages does with .htaccess, and I'm not a web guy, but I'm a programmer, so I figured I could figure it out, but I couldn't! it never worked (nevermind the issue of sending insecure data before being redirected -- it just plain didn't work!) So thanks for this module!

oliverpolden’s picture

oliverpolden CreditAttribution: oliverpolden commented

For Drupal 6 you can user hook_form_alter and check for the 'user_login' form_id then do:

      if (!securepages_is_secure()) {
        securepages_goto(TRUE);
      }

So basically any time a user login form is displayed, the user will be redirected to https.

I haven't checked Drupal 7 but I'm sure you could pretty much do exactly the same.

gordon’s picture

gordon CreditAttribution: gordon commented
Version: 6.x-1.x-dev » 7.x-1.x-dev
Category: support » feature
Status: Active » Fixed

I have not changed this specifically, but what I have done is allow you to enter in a list of form_ids which will be posted to secure pages.

see commit 165e476ba642cd9f34aa4ff7bd2cc8cb91fa3927

gordon’s picture

gordon CreditAttribution: gordon commented
Version: 7.x-1.x-dev » 6.x-2.x-dev
Status: Fixed » Patch (to be ported)

Needs backporting to 6.x-2.x

rakun’s picture

rakun CreditAttribution: rakun commented
Issue summary: View changes

#5 Not work for me. I enter in "Secure Forms" -> "user_login", and it works on /user, but does not work on Login Toboggan login block na "Access Denied" pages.

mikeskull’s picture

mikeskull CreditAttribution: mikeskull commented

Randomly looking into a problem im having elsewhere with securepages and the 403 login redirect module but spotted this issue. Are you sure you dont need:

user_login
user_login_block

in that field.

rakun’s picture

rakun CreditAttribution: rakun commented

Yea, i have

user_login
user_login_block

but not working.

mikeskull’s picture

mikeskull CreditAttribution: mikeskull commented

Print $form_id in form_alter out on that page, check the form ID is what you think it is maybe?

rakun’s picture

rakun CreditAttribution: rakun commented

In mean time this issue disapear. I am positive about form ids, and also positive that https didn't work on "access denied pages". I am not sure why this works now, but possible does not have problem with secure pages. If i figure out what was the issue I will post here.