Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Currently, the login toboggan block, which is very convenient, is not secure unless you happen to be on a page that's already secure. It would be great if secure pages had a way to make logins secure with this block.
Comments
Comment #1
hunmonk CreditAttribution: hunmonk commentedthe LT login block is merely an extension of core's login block, so i'm not sure why it's not working in this case.
Comment #2
bejayoharen CreditAttribution: bejayoharen commentedThanks for your reply. I suppose it my complaint may also apply to built-in login block. The trouble is that it will only be secure if the page is secure to begin with. Perhaps I could add
*destination=*
to my list of pages that need to be made secure, but it's unclear to me if that would really work, or if it would try to submit the form data to http first, or if it would have other, undesired consequences. I'll give it a shot and see what I can see. Anyway, I am changing this to a support request since it sounds like there is some way to do it. Thanks again!
Comment #3
bejayoharen CreditAttribution: bejayoharen commentedVariations on *destination*, including *?destination* and *?destination=* didn't work. Instead, they did things like make my whole site except the logins https. This is quite unexpected! Perhaps it's because of how Drupal inserts securepages and autopath or something. Anyway, any advice appreciated, but the login block is not a critical feature for me, and doesn't even work great with safari, so I'm happy to turn it off.
BTW, before I found securepages, I tried doing what securepages does with .htaccess, and I'm not a web guy, but I'm a programmer, so I figured I could figure it out, but I couldn't! it never worked (nevermind the issue of sending insecure data before being redirected -- it just plain didn't work!) So thanks for this module!
Comment #4
oliverpolden CreditAttribution: oliverpolden commentedFor Drupal 6 you can user hook_form_alter and check for the 'user_login' form_id then do:
So basically any time a user login form is displayed, the user will be redirected to https.
I haven't checked Drupal 7 but I'm sure you could pretty much do exactly the same.
Comment #5
gordon CreditAttribution: gordon commentedI have not changed this specifically, but what I have done is allow you to enter in a list of form_ids which will be posted to secure pages.
see commit 165e476ba642cd9f34aa4ff7bd2cc8cb91fa3927
Comment #6
gordon CreditAttribution: gordon commentedNeeds backporting to 6.x-2.x
Comment #7
rakun CreditAttribution: rakun commented#5 Not work for me. I enter in "Secure Forms" -> "user_login", and it works on /user, but does not work on Login Toboggan login block na "Access Denied" pages.
Comment #8
mikeskull CreditAttribution: mikeskull commentedRandomly looking into a problem im having elsewhere with securepages and the 403 login redirect module but spotted this issue. Are you sure you dont need:
user_login
user_login_block
in that field.
Comment #9
rakun CreditAttribution: rakun commentedYea, i have
user_login
user_login_block
but not working.
Comment #10
mikeskull CreditAttribution: mikeskull commentedPrint $form_id in form_alter out on that page, check the form ID is what you think it is maybe?
Comment #11
rakun CreditAttribution: rakun commentedIn mean time this issue disapear. I am positive about form ids, and also positive that https didn't work on "access denied pages". I am not sure why this works now, but possible does not have problem with secure pages. If i figure out what was the issue I will post here.