Comments on: Drupal login and SSL http://kire.notneb.net/archives/10 On the bleeding edge of yesterday. Wed, 07 Dec 2011 21:31:23 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Josh http://kire.notneb.net/archives/10/comment-page-1#comment-43 Josh Mon, 13 Jul 2009 02:04:26 +0000 http://kire.notneb.net/?p=10#comment-43 Thanks for the post, it was helpful. I noticed a typo, the last line should be RewriteRule instead of RewriteCond Thanks for the post, it was helpful.

I noticed a typo, the last line should be RewriteRule instead of RewriteCond

]]> By: Erik http://kire.notneb.net/archives/10/comment-page-1#comment-31 Erik Tue, 28 Oct 2008 16:19:32 +0000 http://kire.notneb.net/?p=10#comment-31 Arian, Thanks for your comment. You win the cookie for the first real comment here. I'll also look into the cookie differences. I too noticed that the cookie session is valid for both SSL and non-SSL sessions, which I agree is a pretty big problem. I'll follow up on your links after a bit more research. Thanks again. Arian,
Thanks for your comment. You win the cookie for the first real comment here. I’ll also look into the cookie differences. I too noticed that the cookie session is valid for both SSL and non-SSL sessions, which I agree is a pretty big problem. I’ll follow up on your links after a bit more research.

Thanks again.

]]> By: Arian http://kire.notneb.net/archives/10/comment-page-1#comment-30 Arian Tue, 28 Oct 2008 15:42:44 +0000 http://kire.notneb.net/?p=10#comment-30 Doing mixed ssl/non-ssl session via Secure Pages module or writing your own mod_rewrites think there is an outstanding issue with drupal mixed sessions. When use ssl/and non-ssl for other pages, the secure session cookie isnt secure after the login, as it will be used in the non-ssl pages. One might set php's session.cookie_secure sends cookies only over secure connections, but that means after logging in and going back to http, the cookie isnt transfered and user is anonymous, i think breaking any community functionality. seems like one solution is to use ssl on whole site. another is to use Secure Pages patch listed on 2nd site, so ssl uses ssl cookie, and non-sll sends another cookie over network. http://heine.familiedeelstra.com/security-theater-dail-ssl-for-login http://www.opensourcery.com/blog/dylan-tack/improving-security-drupals-securepages-module Doing mixed ssl/non-ssl session via Secure Pages module or writing your own mod_rewrites think there is an outstanding issue with drupal mixed sessions. When use ssl/and non-ssl for other pages, the secure session cookie isnt secure after the login, as it will be used in the non-ssl pages.
One might set php’s session.cookie_secure sends cookies only over secure connections, but that means after logging in and going back to http, the cookie isnt transfered and user is anonymous, i think breaking any community functionality.

seems like one solution is to use ssl on whole site. another is to use Secure Pages patch listed on 2nd site, so ssl uses ssl cookie, and non-sll sends another cookie over network.

http://heine.familiedeelstra.com/security-theater-dail-ssl-for-login
http://www.opensourcery.com/blog/dylan-tack/improving-security-drupals-securepages-module

]]>