You are here

Home » API reference » Secure Login 7

README.txt in Secure Login 7

Same filename and directory in other branches
  1. 8 README.txt
  2. 5 README.txt
  3. 6 README.txt
SECURE LOGIN MODULE
-------------------

Secure Login module enables secure logins by submitting the login form
to a secure host address.  The module can also do the same for the user
edit, user registration, and other forms, so that passwords and other
data are never sent in cleartext.

A secure login to Drupal 7 by default generates an HTTPS-only secure
session[1], which also prevents session cookies from being sent in
cleartext.  Note, however, that if you have enabled Drupal's hidden
$conf['https'] setting, sessions are shared across HTTP and HTTPS, which
makes user sessions vulnerable to session hijacking attacks[2].  Secure
Login module is therefore designed for sites that have left
$conf['https'] at its default value, FALSE.

INSTALLATION
------------

0. Before enabling the module, you need to set up your server to support
   SSL.  You can use Certbot[3] to obtain a free SSL certificate.  The
   result should be that if your Drupal site lives at
   http://host.example.org/dir/, it should also be accessible at
   https://host.example.org/dir/ (if necessary, you can use the secure
   base URL setting to specify a different secure base URL e.g.
   https://otherhost.example.org/otherdir/).  If you use a different URL
   for the secure site, you must make sure that cookies coming from
   host.example.org can be sent to otherhost.example.org.  You can
   change the cookie domain in settings.php.
1. Ensure the HTTPS version of your site works. Note: In certain server
   environments, you may need to set PHP's $_SERVER['HTTPS'] variable to
   "on" when the site is accessed via HTTPS (either in your webserver
   configuration or in your settings.php file).
2. If you have set the $base_url variable in your settings.php file,
   ensure that the URL scheme matches the scheme used to access the
   site.  For example:
   $base_url = (drupal_is_https() ? 'https' : 'http') . '://www.example.org';
3. Untar the module into your Drupal modules directory.
4. Read the README.txt before enabling the module and before upgrading!
5. Enable the module at admin/modules.
6. Configure the module at admin/config/people/securelogin.

UNINSTALLATION
--------------

If you did not follow step 1 above, or you copied your Drupal site to a
local instance which does not have HTTPS enabled, you may not be able to
login to your Drupal site to disable Secure Login module normally.
Instead you will need to:

1. Run "drush dis securelogin" or delete the securelogin directory
   from your modules directory.
2. Run "drush cc all" or truncate (delete all entries in) the
   cache_page database table.
3. Clear your browser cache.

CONFIGURATION
-------------

At admin/config/people/securelogin you can set which forms (login, login
block, user edit, user registration, node, comment, contact, webform,
etc.) are secured by this module.  By securing all forms in the
"required" group on the settings page, you can ensure that logins are in
fact "secure": all authenticated sessions will use SSL-only secure
session cookies which are immune to session hijacking by eavesdroppers.

UPGRADING FROM DRUPAL 6
-----------------------

Your Secure Login settings should be correctly migrated from Drupal 6 to
Drupal 7.  Note, however, that the Drupal 7 version of Secure Login does
not currently support redirecting a secure authenticated session back to
the HTTP site.  Doing so would require creating an insecure session,
which would be vulnerable to session hijacking and is thus not a secure
configuration.

DEVELOPER API
-------------

This module provides two API functions for developers:
- securelogin_secure_form($form) may be added to a hook_form_alter
  implementation to cause a form to submit to the secure URL.
- securelogin_secure_redirect() may be called to redirect the current
  request to the equivalent path on the secure base URL.

In addition, developers may use $form['#https'] = TRUE to indicate that
a form should be secured by Secure Login module, and $options['https'] =
TRUE to indicate that an HTTPS URL should be generated by the url()
function, as well as other functions that use url() internally such as
drupal_goto().

[1] https://php.net/manual/session.configuration.php#ini.session.cookie-secure
[2] https://en.wikipedia.org/wiki/Session_hijacking
[3] https://certbot.eff.org/

File

README.txt
View source 
  1. SECURE LOGIN MODULE

  2. -------------------

  3. 

  4. Secure Login module enables secure logins by submitting the login form

  5. to a secure host address.  The module can also do the same for the user

  6. edit, user registration, and other forms, so that passwords and other

  7. data are never sent in cleartext.

  8. 

  9. A secure login to Drupal 7 by default generates an HTTPS-only secure

  10. session[1], which also prevents session cookies from being sent in

  11. cleartext.  Note, however, that if you have enabled Drupal's hidden

  12. $conf['https'] setting, sessions are shared across HTTP and HTTPS, which

  13. makes user sessions vulnerable to session hijacking attacks[2].  Secure

  14. Login module is therefore designed for sites that have left

  15. $conf['https'] at its default value, FALSE.

  16. 

  17. INSTALLATION

  18. ------------

  19. 

  20. 0. Before enabling the module, you need to set up your server to support

  21.    SSL.  You can use Certbot[3] to obtain a free SSL certificate.  The

  22.    result should be that if your Drupal site lives at

  23.    http://host.example.org/dir/, it should also be accessible at

  24.    https://host.example.org/dir/ (if necessary, you can use the secure

  25.    base URL setting to specify a different secure base URL e.g.

  26.    https://otherhost.example.org/otherdir/).  If you use a different URL

  27.    for the secure site, you must make sure that cookies coming from

  28.    host.example.org can be sent to otherhost.example.org.  You can

  29.    change the cookie domain in settings.php.

  30. 1. Ensure the HTTPS version of your site works. Note: In certain server

  31.    environments, you may need to set PHP's $_SERVER['HTTPS'] variable to

  32.    "on" when the site is accessed via HTTPS (either in your webserver

  33.    configuration or in your settings.php file).

  34. 2. If you have set the $base_url variable in your settings.php file,

  35.    ensure that the URL scheme matches the scheme used to access the

  36.    site.  For example:

  37.    $base_url = (drupal_is_https() ? 'https' : 'http') . '://www.example.org';

  38. 3. Untar the module into your Drupal modules directory.

  39. 4. Read the README.txt before enabling the module and before upgrading!

  40. 5. Enable the module at admin/modules.

  41. 6. Configure the module at admin/config/people/securelogin.

  42. 

  43. UNINSTALLATION

  44. --------------

  45. 

  46. If you did not follow step 1 above, or you copied your Drupal site to a

  47. local instance which does not have HTTPS enabled, you may not be able to

  48. login to your Drupal site to disable Secure Login module normally.

  49. Instead you will need to:

  50. 

  51. 1. Run "drush dis securelogin" or delete the securelogin directory

  52.    from your modules directory.

  53. 2. Run "drush cc all" or truncate (delete all entries in) the

  54.    cache_page database table.

  55. 3. Clear your browser cache.

  56. 

  57. CONFIGURATION

  58. -------------

  59. 

  60. At admin/config/people/securelogin you can set which forms (login, login

  61. block, user edit, user registration, node, comment, contact, webform,

  62. etc.) are secured by this module.  By securing all forms in the

  63. "required" group on the settings page, you can ensure that logins are in

  64. fact "secure": all authenticated sessions will use SSL-only secure

  65. session cookies which are immune to session hijacking by eavesdroppers.

  66. 

  67. UPGRADING FROM DRUPAL 6

  68. -----------------------

  69. 

  70. Your Secure Login settings should be correctly migrated from Drupal 6 to

  71. Drupal 7.  Note, however, that the Drupal 7 version of Secure Login does

  72. not currently support redirecting a secure authenticated session back to

  73. the HTTP site.  Doing so would require creating an insecure session,

  74. which would be vulnerable to session hijacking and is thus not a secure

  75. configuration.

  76. 

  77. DEVELOPER API

  78. -------------

  79. 

  80. This module provides two API functions for developers:

  81. - securelogin_secure_form($form) may be added to a hook_form_alter

  82.   implementation to cause a form to submit to the secure URL.

  83. - securelogin_secure_redirect() may be called to redirect the current

  84.   request to the equivalent path on the secure base URL.

  85. 

  86. In addition, developers may use $form['#https'] = TRUE to indicate that

  87. a form should be secured by Secure Login module, and $options['https'] =

  88. TRUE to indicate that an HTTPS URL should be generated by the url()

  89. function, as well as other functions that use url() internally such as

  90. drupal_goto().

  91. 

  92. [1] https://php.net/manual/session.configuration.php#ini.session.cookie-secure

  93. [2] https://en.wikipedia.org/wiki/Session_hijacking

  94. [3] https://certbot.eff.org/