Secure Login module was in need of a maintainer, so I decided to take it on.
What I like about Secure Login is that it's a small, simple module that makes it easy to enforce secure (SSL) logins on a Drupal site.
I've already committed a Drupal 7 version which could use testing and feedback.
One thing I did in the Drupal 7 port was remove the feature that allows redirecting to the insecure site after login. While this behavior is possible in Drupal 7, it's just not "secure" IMHO. What is the point of protecting the user's password from potential attackers but then immediately revealing the session cookie?
If there is a lot of demand for this "feature," even after the recent spate of publicity for Firesheep, I could implement it, but I'd probably do so in an optional side module, maybe called "Not So Secure Login" ;)
Comments
usefulness compared to securepages and friends
Why not just use/support http://drupal.org/project/securepages and http://drupal.org/project/securepages_prevent_hijack? Those do mixed-mode SSL "right" in my opinion.
knaddison blog | Morris Animal Foundation
I don't use Secure Login for
I don't use Secure Login for mixed-mode SSL, I use it for sites that have anonymous access via HTTP and authenticated access via HTTPS.
Logins are directed to the HTTPS site, and an SSL-only session cookie is set. On Drupal 6, you need to enable the session.cookie_secure PHP config on the HTTPS site. On Drupal 7, Drupal takes care of this for you automatically when you initiate a session via HTTPS.
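A way to check the SSL-only session cookie described in the comment above, as an added example that is not part of the original post or the module's code: it parses the Set-Cookie headers returned by an HTTPS login and reports session cookies that lack the Secure attribute. The cookie names, the `SESS`/`SSESS` name prefixes and the header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers from an HTTPS login response.
# All header values below are constructed samples, not captured traffic.

# Assumption: session cookies are recognised by a Drupal-style name prefix.
SESSION_PREFIXES = ("SESS", "SSESS")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive (Secure, secure, SECURE).
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def insecure_session_cookies(set_cookie_headers):
    """Return names of session cookies a browser would also send over HTTP."""
    exposed = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.startswith(SESSION_PREFIXES) and "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed: HTTPS login response with session.cookie_secure disabled.
WITHOUT_COOKIE_SECURE = [
    "SESSabc123=qwerty; expires=Tue, 01-Feb-2011 00:00:00 GMT; path=/; HttpOnly",
    "has_js=1; path=/",
]

# Constructed: the same response with session.cookie_secure enabled.
WITH_COOKIE_SECURE = [
    "SESSabc123=qwerty; expires=Tue, 01-Feb-2011 00:00:00 GMT; path=/; Secure; HttpOnly",
    "has_js=1; path=/",
]

if __name__ == "__main__":
    print("cookie_secure off:", insecure_session_cookies(WITHOUT_COOKIE_SECURE))
    print("cookie_secure on: ", insecure_session_cookies(WITH_COOKIE_SECURE))
```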
Secure Login is great
Hi Mark
I just want to say that this is a slick, efficient and important module. Great Job.
Dig