Drupal login and SSL

After the last article, I discovered that the Drupal framework, while it works perfectly within a SSL context provides little in the way of helping developers direct their users into the secure site. In our application we provide some content to the public at large, but we also require the majority of the site in a private context. This proved challenging because we didn’t want the expense of redirecting the common Joe Browser into the SSL when their casual experience wouldn’t require the overhead. Fortunately, after my last lesson in mod_rewrite I figured a clever approach to pushing authenticated users into the secure context.

RewriteCond %{REQUEST_URI} ^/user
RewriteCond %{SERVER_PORT} ^80$
RewriteCond ^(.*)$ https://example.com/$1 [L,R]

Since Drupal uses the same login section of the site, I was able to push the user under SSL when they went to log in. This doesn’t necessarily prevent them from dropping out of SSL when theyenter the site, but it does mean that they will end up in the right place at the outset.

May 3rd, 2008 | Programming

3 comments

Thanks for the post, it was helpful.

I noticed a typo, the last line should be RewriteRule instead of RewriteCond

Comment by Josh — July 12, 2009 @ 6:04 pm

Arian,
Thanks for your comment. You win the cookie for the first real comment here. I’ll also look into the cookie differences. I too noticed that the cookie session is valid for both SSL and non-SSL sessions, which I agree is a pretty big problem. I’ll follow up on your links after a bit more research.

Thanks again.

Comment by Erik — October 28, 2008 @ 9:19 am

Doing mixed ssl/non-ssl session via Secure Pages module or writing your own mod_rewrites think there is an outstanding issue with drupal mixed sessions. When use ssl/and non-ssl for other pages, the secure session cookie isnt secure after the login, as it will be used in the non-ssl pages.
One might set php’s session.cookie_secure sends cookies only over secure connections, but that means after logging in and going back to http, the cookie isnt transfered and user is anonymous, i think breaking any community functionality.

seems like one solution is to use ssl on whole site. another is to use Secure Pages patch listed on 2nd site, so ssl uses ssl cookie, and non-sll sends another cookie over network.

http://heine.familiedeelstra.com/security-theater-dail-ssl-for-login
http://www.opensourcery.com/blog/dylan-tack/improving-security-drupals-securepages-module

Comment by Arian — October 28, 2008 @ 8:42 am