Secure Login module not dead yet

mfb's picture

Secure Login module was in need of a maintainer, so I decided to take it on.

What I like about Secure Login is that it's a small, simple module that makes it easy to enforce secure (SSL) logins on a Drupal site.

I've already committed a Drupal 7 version which could use testing and feedback.

One thing I did in the Drupal 7 port was remove the feature that allows redirecting to the insecure site after login. While this behavior is possible in Drupal 7, it's just not "secure" IMHO. What is the point of protecting the user's password from potential attackers but then immediately revealing the session cookie?

If there is a lot of demand for this "feature," even after the recent spate of publicity for Firesheep, I could implement it, but I'd probably do so in an optional side module, maybe called "Not So Secure Login" ;)

Comments

usefulness compared to securepages and friends

greggles's picture

Why not just use/support http://drupal.org/project/securepages and http://drupal.org/project/securepages_prevent_hijack? Those do mixed-mode ssl "right" in my opinion.

I don't use Secure Login for

mfb's picture

I don't use Secure Login for mixed-mode SSL, I use it for sites that have anonymous access via HTTP and authenticated access via HTTPS.

Logins are directed to the HTTPS site, and an SSL-only session cookie is set. On Drupal 6, you need to enable the session.cookie_secure PHP config on the HTTPS site. On Drupal 7, Drupal takes care of this for you automatically when you initiate a session via HTTPS.
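
One way to verify the SSL-only session cookie described in the comment above, as an added example (not part of the thread or of the Secure Login module): it scans response headers captured from the HTTPS login and lists Drupal session cookies sent without the Secure attribute. The header text and cookie values are constructed sample data, and the function names are hypothetical.

```python
import re

# Drupal names session cookies SESS<hash>; Drupal 7 uses SSESS<hash> over HTTPS.
SESSION_NAME = re.compile(r"^S?SESS[0-9A-Za-z_-]+$")


def parse_set_cookie(value):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def insecure_session_cookies(raw_headers):
    """List session cookie names that were set without the Secure attribute."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if SESSION_NAME.match(name) and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample: HTTPS login response where session.cookie_secure is off.
WITHOUT_COOKIE_SECURE = """HTTP/1.1 302 Found
Set-Cookie: SESS0f1e2d3c4b5a69788796a5b4c3d2e1f0=k3q9v; expires=Wed, 01-Dec-2010 10:00:00 GMT; path=/; domain=.example.org
Set-Cookie: has_js=1; path=/
Location: https://example.org/user/1
"""

# Constructed sample: the same login with an SSL-only session cookie.
WITH_COOKIE_SECURE = """HTTP/1.1 302 Found
Set-Cookie: SSESS0f1e2d3c4b5a69788796a5b4c3d2e1f0=k3q9v; path=/; domain=.example.org; secure; HttpOnly
Location: https://example.org/user/1
"""

if __name__ == "__main__":
    for label, headers in (("without", WITHOUT_COOKIE_SECURE), ("with", WITH_COOKIE_SECURE)):
        print(label, "cookie_secure:", insecure_session_cookies(headers) or "OK")
```

A session cookie reported here would also be sent on plain HTTP requests to the anonymous side of the site, where it can be read off the network.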

Secure Login is great

Dig1's picture

Hi Mark

I just want to say that this is a slick, efficient and important module. Great Job.

Dig
