Drupal login and SSL

After the last article, I discovered that the Drupal framework, while it works perfectly within an SSL context, provides little in the way of helping developers direct their users into the secure site. In our application we provide some content to the public at large, but we also need the majority of the site to live in a private context. This proved challenging because we didn’t want the expense of redirecting the common Joe Browser into SSL when their casual experience wouldn’t require the overhead. Fortunately, after my last lesson in mod_rewrite, I figured out a clever approach to pushing authenticated users into the secure context.

# Redirect plain-HTTP (port 80) requests for the login section to HTTPS.
# RewriteRule, not RewriteCond, does the redirect; ^/? also works in vhost context.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/user
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/?(.*)$ https://example.com/$1 [L,R]

Since every Drupal login goes through the same /user section of the site, I was able to push users under SSL when they go to log in. This doesn’t necessarily prevent them from dropping out of SSL once they enter the site, but it does mean that they will end up in the right place at the outset.

May 3rd, 2008 | Programming

2 comments

Arian,
Thanks for your comment. You win the cookie for the first real comment here. I’ll also look into the cookie differences. I too noticed that the cookie session is valid for both SSL and non-SSL sessions, which I agree is a pretty big problem. I’ll follow up on your links after a bit more research.

Thanks again.

Comment by Erik — October 28, 2008 @ 9:19 am

Doing mixed SSL/non-SSL sessions via the Secure Pages module or writing your own mod_rewrites, I think there is an outstanding issue with Drupal mixed sessions. When you use SSL and non-SSL for other pages, the secure session cookie isn’t secure after the login, as it will be used in the non-SSL pages.
One might set PHP’s session.cookie_secure, which sends cookies only over secure connections, but that means after logging in and going back to HTTP, the cookie isn’t transferred and the user is anonymous, I think breaking any community functionality.

Seems like one solution is to use SSL on the whole site. Another is to use the Secure Pages patch listed on the 2nd site, so SSL uses an SSL cookie, and non-SSL sends another cookie over the network.

http://heine.familiedeelstra.com/security-theater-dail-ssl-for-login
http://www.opensourcery.com/blog/dylan-tack/improving-security-drupals-securepages-module

Comment by Arian — October 28, 2008 @ 8:42 am
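An added check, written for this page and not code from the post or from Drupal, covering the two points raised above: the rewrite rule in the post should answer a plain-HTTP request to the /user section with a redirect to the same path over https, and, as the comments note, the session cookie issued by the HTTPS login should carry the Secure flag so the browser does not replay it on non-SSL pages. The responses below are constructed samples (in practice you would feed in the headers of a real request), and the SESS prefix for Drupal's session cookie name is an assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses, not captured from a real site: what the post's
# rewrite rule should produce for a plain-HTTP hit on /user, and a hypothetical
# Drupal login response over HTTPS that issues its session cookie (assumed to
# be named SESS<hash>, as Drupal does) without the Secure flag.
HTTP_LOGIN_RESPONSE = {
    "request": "http://example.com/user/login",
    "status": 302,
    "headers": {"Location": "https://example.com/user/login"},
}
HTTPS_LOGIN_RESPONSE = {
    "request": "https://example.com/user/login",
    "status": 302,
    "headers": {"Set-Cookie": "SESS1234=abcdef; path=/; HttpOnly"},
}

def check_login_redirect(resp):
    """Findings for a plain-HTTP request to a /user path: the rewrite rule is
    only doing its job if the reply redirects to https on the same host and
    path (a bare ^(.*)$ in VirtualHost context yields a double slash)."""
    req = urlsplit(resp["request"])
    if req.scheme != "http" or not req.path.startswith("/user"):
        return []                              # outside what the rule covers
    if resp["status"] not in (301, 302, 303, 307, 308):
        return ["no redirect to HTTPS for " + req.path]
    loc = urlsplit(resp["headers"].get("Location", ""))
    findings = []
    if loc.scheme != "https":
        findings.append("redirect target is not https: " + loc.geturl())
    if loc.netloc != req.netloc:
        findings.append("redirect changes host to " + loc.netloc)
    if loc.path != req.path:
        findings.append(f"redirect changes path {req.path} -> {loc.path}")
    return findings

def check_session_cookies(resp):
    """Findings for session cookies set over HTTPS: without Secure (the issue
    raised in the comments) the browser also sends them on plain-HTTP pages."""
    jar = SimpleCookie()
    jar.load(resp["headers"].get("Set-Cookie", ""))
    findings = []
    for name, morsel in jar.items():
        if not name.startswith("SESS"):        # only Drupal's session cookie
            continue
        if not morsel["secure"]:
            findings.append(name + " lacks the Secure flag")
    return findings
```

Running both checks against the samples reports nothing for the redirect and one finding for the cookie, which is exactly the mixed-session gap the comments describe.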