README.txt in Secure Login 7
SECURE LOGIN MODULE
-------------------

Secure Login module enables secure logins by submitting the login form
to a secure host address. The module can also do the same for the user
edit, user registration, and other forms, so that passwords and other
data are never sent in cleartext.

A secure login to Drupal 7 by default generates an HTTPS-only secure
session[1], which also prevents session cookies from being sent in
cleartext. Note, however, that if you have enabled Drupal's hidden
$conf['https'] setting, sessions are shared across HTTP and HTTPS, which
makes user sessions vulnerable to session hijacking attacks[2]. Secure
Login module is therefore designed for sites that have left
$conf['https'] at its default value, FALSE.

INSTALLATION
------------

0. Before enabling the module, you need to set up your server to support
SSL. You can use Certbot[3] to obtain a free SSL certificate. The
result should be that if your Drupal site lives at
http://host.example.org/dir/, it should also be accessible at
https://host.example.org/dir/ (if necessary, you can use the secure
base URL setting to specify a different secure base URL e.g.
https://otherhost.example.org/otherdir/). If you use a different URL
for the secure site, you must make sure that cookies coming from
host.example.org can be sent to otherhost.example.org. You can
change the cookie domain in settings.php.
1. Ensure the HTTPS version of your site works. Note: In certain server
environments, you may need to set PHP's $_SERVER['HTTPS'] variable to
"on" when the site is accessed via HTTPS (either in your webserver
configuration or in your settings.php file).
2. If you have set the $base_url variable in your settings.php file,
ensure that the URL scheme matches the scheme used to access the
site. For example:
$base_url = (drupal_is_https() ? 'https' : 'http') . '://www.example.org';
3. Untar the module into your Drupal modules directory.
4. Read the README.txt before enabling the module and before upgrading!
5. Enable the module at admin/modules.
6. Configure the module at admin/config/people/securelogin.
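The settings.php fragment below is an added example written for this README; it is not shipped with Secure Login module. It pulls steps 0 to 2 together: it sets $_SERVER['HTTPS'] when TLS is terminated by a front-end proxy (the proxy address 10.0.0.5 and the X-Forwarded-Proto header are assumptions about your deployment), keeps the scheme of $base_url in step with the request, leaves $conf['https'] at FALSE, and widens the cookie domain for the separate-secure-host case. Only the drupal_is_https(), $base_url, $conf['https'] and $cookie_domain names come from Drupal 7 and this README.

```php
<?php
// Added example for a Drupal 7 sites/default/settings.php; not part of the
// Secure Login module. Host names and the proxy address are assumptions.

// Step 1: when a reverse proxy terminates TLS and forwards plain HTTP to PHP,
// $_SERVER['HTTPS'] is never set and drupal_is_https() stays FALSE. Honour
// X-Forwarded-Proto only for requests that really come from your own proxy;
// for any other client the header is attacker-controlled input.
$trusted_proxies = array('10.0.0.5');  // assumed load-balancer address
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'], $_SERVER['REMOTE_ADDR'])
    && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies, TRUE)
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
  $_SERVER['HTTPS'] = 'on';
}

// Step 2: the scheme of $base_url must follow the request, otherwise Drupal
// generates mixed-scheme URLs. drupal_is_https() lives in bootstrap.inc and is
// already loaded when settings.php is included.
$base_url = (drupal_is_https() ? 'https' : 'http') . '://www.example.org';

// Secure Login relies on HTTP and HTTPS sessions staying separate, so the
// hidden "https" variable must keep its default. Stating it explicitly
// documents the intent and wins over any stray override of $conf elsewhere.
$conf['https'] = FALSE;

// Step 0, separate secure host: if the secure site is served from
// otherhost.example.org, the session cookie set by host.example.org must be
// valid there too. A leading dot covers every host under example.org.
$cookie_domain = '.example.org';
```

After saving the file, request a page over https:// and confirm in the browser's developer tools that the session cookie name starts with SSESS and carries the Secure attribute; if it is still SESS, $_SERVER['HTTPS'] is not being set for that request path.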

UNINSTALLATION
--------------

If you did not follow step 1 above, or you copied your Drupal site to a
local instance which does not have HTTPS enabled, you may not be able to
log in to your Drupal site to disable Secure Login module normally.
Instead you will need to:

1. Run "drush dis securelogin" or delete the securelogin directory
from your modules directory.
2. Run "drush cc all" or truncate (delete all entries in) the
cache_page database table.
3. Clear your browser cache.

CONFIGURATION
-------------

At admin/config/people/securelogin you can set which forms (login, login
block, user edit, user registration, node, comment, contact, webform,
etc.) are secured by this module. By securing all forms in the
"required" group on the settings page, you can ensure that logins are in
fact "secure": all authenticated sessions will use SSL-only secure
session cookies which are immune to session hijacking by eavesdroppers.

UPGRADING FROM DRUPAL 6
-----------------------

Your Secure Login settings should be correctly migrated from Drupal 6 to
Drupal 7. Note, however, that the Drupal 7 version of Secure Login does
not currently support redirecting a secure authenticated session back to
the HTTP site. Doing so would require creating an insecure session,
which would be vulnerable to session hijacking and is thus not a secure
configuration.

DEVELOPER API
-------------

This module provides two API functions for developers:
- securelogin_secure_form($form) may be added to a hook_form_alter
implementation to cause a form to submit to the secure URL.
- securelogin_secure_redirect() may be called to redirect the current
request to the equivalent path on the secure base URL.

In addition, developers may use $form['#https'] = TRUE to indicate that
a form should be secured by Secure Login module, and $options['https'] =
TRUE to indicate that an HTTPS URL should be generated by the url()
function, as well as other functions that use url() internally such as
drupal_goto().
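The following is an added example of a small Drupal 7 module using the developer API above; it is not code from the Secure Login project. The module name "mymodule", its form ID, menu path and permission are hypothetical. Only securelogin_secure_form(), securelogin_secure_redirect(), $form['#https'] and the 'https' option of url() (and of l() and drupal_goto(), which call url()) come from this README and Drupal 7 core. The function_exists() guards are an assumption of this example so the module still loads when Secure Login is disabled.

```php
<?php
/**
 * @file
 * Added example: a hypothetical "mymodule" that secures one of its own forms
 * and one of its pages with the Secure Login developer API. Not part of the
 * Secure Login project.
 */

/**
 * Implements hook_form_alter().
 *
 * Makes the (hypothetical) API key form submit to the secure base URL so the
 * secret is never posted in cleartext.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id == 'mymodule_api_key_form') {
    // Either call the API function directly ...
    if (function_exists('securelogin_secure_form')) {
      securelogin_secure_form($form);
    }
    // ... or set the flag Secure Login looks for. The README documents both;
    // the flag is harmless when Secure Login is not enabled.
    $form['#https'] = TRUE;
  }
}

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['mymodule/settings'] = array(
    'title' => 'API key settings',
    'page callback' => 'mymodule_settings_page',
    'access arguments' => array('administer site configuration'),
  );
  return $items;
}

/**
 * Page callback: never renders the settings page over plain HTTP.
 *
 * securelogin_secure_redirect() sends the browser to the same path on the
 * secure base URL; the drupal_is_https() check avoids a redirect loop once
 * the request already arrives over HTTPS.
 */
function mymodule_settings_page() {
  if (!drupal_is_https() && function_exists('securelogin_secure_redirect')) {
    securelogin_secure_redirect();
  }
  return drupal_get_form('mymodule_api_key_form');
}

/**
 * Form constructor for the hypothetical API key form.
 */
function mymodule_api_key_form($form, &$form_state) {
  $form['api_key'] = array(
    '#type' => 'password',
    '#title' => t('API key'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

/**
 * Builds an HTTPS link to the settings page, e.g. for a block or menu.
 *
 * $options['https'] = TRUE asks url() for an https:// URL; l() passes the
 * option through, and drupal_goto() accepts the same option array.
 */
function mymodule_settings_link() {
  return l(t('Manage API key'), 'mymodule/settings', array('https' => TRUE));
}
```

Securing the form's action attribute and redirecting the page are complementary: the redirect protects the page that displays the form, while #https protects the POST that carries the secret, which matters when the form is embedded in a page served over HTTP.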

[1] https://php.net/manual/session.configuration.php#ini.session.cookie-secure
[2] https://en.wikipedia.org/wiki/Session_hijacking
[3] https://certbot.eff.org/