You are here

Home » API reference » Secure Login 8

README.txt in Secure Login 8

Same filename and directory in other branches
  1. 5 README.txt
  2. 6 README.txt
  3. 7 README.txt
SECURE LOGIN MODULE
===================

INTRODUCTION
------------

For sites that are available via both HTTP and HTTPS, Secure Login
module ensures that the user login and other forms are submitted
securely via HTTPS, thus preventing passwords and other private user
data from being transmitted in the clear. Secure Login module locks down
not just the user/login page but also any page containing the user login
block, and any other forms that you configure to be secured.

In both Drupal 7 and Drupal 8, logging in via HTTPS automatically
generates an HTTPS-only secure session[1], which prevents session
cookies from being sent in cleartext[2].

REQUIREMENTS
------------

Before enabling the module, you need to set up your server to support
HTTPS and ensure that it works correctly.  You can use Certbot[3] to
obtain a free TLS certificate.  The result should be that if your Drupal
site lives at http://www.example.org/dir, it should also be accessible
at https://www.example.org/dir (the secure base URL, which is normally
determined automatically, but can be configured if you need to limit it
to one base URL).

INSTALLATION
------------

0. See the requirements section above.
1. Ensure the HTTPS version of your site works.
2. Untar the module into your Drupal modules directory.
3. Read the README.txt before enabling the module and before upgrading!
4. Enable the module at admin/modules.
5. Configure the module at admin/config/people/securelogin.

UNINSTALLATION
--------------

If you did not follow step 1 above, or you copied your Drupal site to a
local instance which does not have HTTPS enabled, you may not be able to
login to your Drupal site to disable Secure Login module normally.
Instead you will need to use Drush.

1. Uninstall Secure Login module: drush pmu securelogin
2. Rebuild cache: drush cr all
3. Clear your browser cache.

CONFIGURATION
-------------

At admin/config/people/securelogin you can set which forms (login,
registration, node, comment, contact, webform, etc.) are secured by this
module.  By securing all forms that indicate they "must be checked to
enforce secure authenticated sessions," you can ensure that logins are
in fact "secure": all authenticated sessions will use HTTPS-only secure
session cookies which are immune to session hijacking by eavesdroppers.

RECOMMENDATION: HTTP STRICT TRANSPORT SECURITY
----------------------------------------------

In addition to installing Secure Login module, it is recommended to
install HSTS module[4] or to set the Strict-Transport-Security header[5]
in your webserver configuration.  To instruct browsers to connect to
your site only via HTTPS, add your domain to the HSTS preload list[6].

UPGRADING FROM DRUPAL 7
-----------------------

Your Secure Login settings should be correctly migrated from Drupal 7 to
Drupal 8... but this is not yet working.

DEVELOPER API
-------------

As with the Drupal 7 version of Secure Login module, developers may use
$form['#https'] = TRUE to indicate that a form should be secured by
Secure Login module, and $options['https'] = TRUE to indicate that an
HTTPS URL should be generated.

Additionally, this module provides two API functions for developers:

\Drupal::service('securelogin.manager')->secureForm($form) may be called
on a form to either redirect the current request to the secure base URL
or to submit the form to the secure base URL, depending on Secure Login
configuration.

\Drupal::service('securelogin.manager')->secureRedirect() may be called
to redirect the current request to the equivalent path on the secure
base URL.

MAINTAINERS
-----------

Secure Login module is currently maintained by mfb[7].

[1] https://php.net/manual/session.configuration.php#ini.session.cookie-secure
[2] https://en.wikipedia.org/wiki/Session_hijacking
[3] https://certbot.eff.org/
[4] https://www.drupal.org/project/hsts
[5] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[6] https://hstspreload.appspot.com/
[7] https://www.drupal.org/u/mfb

File

README.txt
View source 
  1. SECURE LOGIN MODULE

  2. ===================

  3. 

  4. INTRODUCTION

  5. ------------

  6. 

  7. For sites that are available via both HTTP and HTTPS, Secure Login

  8. module ensures that the user login and other forms are submitted

  9. securely via HTTPS, thus preventing passwords and other private user

  10. data from being transmitted in the clear. Secure Login module locks down

  11. not just the user/login page but also any page containing the user login

  12. block, and any other forms that you configure to be secured.

  13. 

  14. In both Drupal 7 and Drupal 8, logging in via HTTPS automatically

  15. generates an HTTPS-only secure session[1], which prevents session

  16. cookies from being sent in cleartext[2].

  17. 

  18. REQUIREMENTS

  19. ------------

  20. 

  21. Before enabling the module, you need to set up your server to support

  22. HTTPS and ensure that it works correctly.  You can use Certbot[3] to

  23. obtain a free TLS certificate.  The result should be that if your Drupal

  24. site lives at http://www.example.org/dir, it should also be accessible

  25. at https://www.example.org/dir (the secure base URL, which is normally

  26. determined automatically, but can be configured if you need to limit it

  27. to one base URL).

  28. 

  29. INSTALLATION

  30. ------------

  31. 

  32. 0. See the requirements section above.

  33. 1. Ensure the HTTPS version of your site works.

  34. 2. Untar the module into your Drupal modules directory.

  35. 3. Read the README.txt before enabling the module and before upgrading!

  36. 4. Enable the module at admin/modules.

  37. 5. Configure the module at admin/config/people/securelogin.

  38. 

  39. UNINSTALLATION

  40. --------------

  41. 

  42. If you did not follow step 1 above, or you copied your Drupal site to a

  43. local instance which does not have HTTPS enabled, you may not be able to

  44. login to your Drupal site to disable Secure Login module normally.

  45. Instead you will need to use Drush.

  46. 

  47. 1. Uninstall Secure Login module: drush pmu securelogin

  48. 2. Rebuild cache: drush cr all

  49. 3. Clear your browser cache.

  50. 

  51. CONFIGURATION

  52. -------------

  53. 

  54. At admin/config/people/securelogin you can set which forms (login,

  55. registration, node, comment, contact, webform, etc.) are secured by this

  56. module.  By securing all forms that indicate they "must be checked to

  57. enforce secure authenticated sessions," you can ensure that logins are

  58. in fact "secure": all authenticated sessions will use HTTPS-only secure

  59. session cookies which are immune to session hijacking by eavesdroppers.

  60. 

  61. RECOMMENDATION: HTTP STRICT TRANSPORT SECURITY

  62. ----------------------------------------------

  63. 

  64. In addition to installing Secure Login module, it is recommended to

  65. install HSTS module[4] or to set the Strict-Transport-Security header[5]

  66. in your webserver configuration.  To instruct browsers to connect to

  67. your site only via HTTPS, add your domain to the HSTS preload list[6].

  68. 

  69. UPGRADING FROM DRUPAL 7

  70. -----------------------

  71. 

  72. Your Secure Login settings should be correctly migrated from Drupal 7 to

  73. Drupal 8... but this is not yet working.

  74. 

  75. DEVELOPER API

  76. -------------

  77. 

  78. As with the Drupal 7 version of Secure Login module, developers may use

  79. $form['#https'] = TRUE to indicate that a form should be secured by

  80. Secure Login module, and $options['https'] = TRUE to indicate that an

  81. HTTPS URL should be generated.

  82. 

  83. Additionally, this module provides two API functions for developers:

  84. 

  85. \Drupal::service('securelogin.manager')->secureForm($form) may be called

  86. on a form to either redirect the current request to the secure base URL

  87. or to submit the form to the secure base URL, depending on Secure Login

  88. configuration.

  89. 

  90. \Drupal::service('securelogin.manager')->secureRedirect() may be called

  91. to redirect the current request to the equivalent path on the secure

  92. base URL.

  93. 

  94. MAINTAINERS

  95. -----------

  96. 

  97. Secure Login module is currently maintained by mfb[7].

  98. 

  99. [1] https://php.net/manual/session.configuration.php#ini.session.cookie-secure

  100. [2] https://en.wikipedia.org/wiki/Session_hijacking

  101. [3] https://certbot.eff.org/

  102. [4] https://www.drupal.org/project/hsts

  103. [5] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  104. [6] https://hstspreload.appspot.com/

  105. [7] https://www.drupal.org/u/mfb