Comments on: Make Drupal More Secure With SSL Logins http://success.grownupgeek.com/index.php/2009/07/12/drupal-ssl/ Do it right the first time, stoopit! Thu, 09 Feb 2012 22:58:06 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Pat http://success.grownupgeek.com/index.php/2009/07/12/drupal-ssl/#comment-3448 Pat Wed, 21 Sep 2011 00:46:18 +0000 http://success.grownupgeek.com/?p=647#comment-3448 I started out by making my site 100% ssl. To make sure I redirect all http traffic to https in by Apache config. However most new caching schemes that take over your DNS hosting and Google's Apache mod_pagespeed do not work with https objects. Drupal is fairly good about performance but AFAIK it does not compress JPGs (yes you can save a fair bit of speed doing this using pagespeed) and other images. Also if you have lengthy queries through no fault of your own, the caching of pagespeed brings noticeable goodness. I know there are other ways to cache DBs but how simple is pagespeed? Anyway, I have a test site running with all pages and objects available with http and https and am now going back following your posts to resecure the important bits (I use ubercart too so really need these secured). Your two posts cover most of what I need to do but I'm worried about the secure session stuff. I have seen nothing posted about this but maybe my Google-fu is failing me. The admin session is the scary one. If I go to the https version of the site I should be OK (because I'll never forget the https://, right ;-) but I have privileged users too that are like mini-admins. If someone steals their session they can only mess up that user's content still it smells like a security vulnerability. Anything new on secure sessions? I started out by making my site 100% ssl. To make sure I redirect all http traffic to https in by Apache config.

However most new caching schemes that take over your DNS hosting and Google’s Apache mod_pagespeed do not work with https objects. Drupal is fairly good about performance but AFAIK it does not compress JPGs (yes you can save a fair bit of speed doing this using pagespeed) and other images. Also if you have lengthy queries through no fault of your own, the caching of pagespeed brings noticeable goodness. I know there are other ways to cache DBs but how simple is pagespeed?

Anyway, I have a test site running with all pages and objects available with http and https and am now going back following your posts to resecure the important bits (I use ubercart too so really need these secured).
Your two posts cover most of what I need to do but I’m worried about the secure session stuff. I have seen nothing posted about this but maybe my Google-fu is failing me.

The admin session is the scary one. If I go to the https version of the site I should be OK (because I’ll never forget the https://, right ;-) but I have privileged users too that are like mini-admins. If someone steals their session they can only mess up that user’s content still it smells like a security vulnerability.

Anything new on secure sessions?

]]> By: Ben Malen http://success.grownupgeek.com/index.php/2009/07/12/drupal-ssl/#comment-3240 Ben Malen Sun, 31 Jul 2011 01:04:35 +0000 http://success.grownupgeek.com/?p=647#comment-3240 I too thought this would be a walk in the park. This really needs to be posted on the Secure Pages/Secure Login project pages. Thanks for taking the time to write it up! I too thought this would be a walk in the park. This really needs to be posted on the Secure Pages/Secure Login project pages. Thanks for taking the time to write it up!

]]> By: Rand B. Wilson http://success.grownupgeek.com/index.php/2009/07/12/drupal-ssl/#comment-3163 Rand B. Wilson Thu, 19 May 2011 22:32:10 +0000 http://success.grownupgeek.com/?p=647#comment-3163 Alice; i think that the Secure Pages module will handle all the switching for you once you get it configured. Alice;
i think that the Secure Pages module will handle all the switching for you once you get it configured.

]]> By: Alice http://success.grownupgeek.com/index.php/2009/07/12/drupal-ssl/#comment-3162 Alice Thu, 19 May 2011 11:10:02 +0000 http://success.grownupgeek.com/?p=647#comment-3162 Hi Hey Randy, Very nice tutorial. I have a question before I go ahead and install SecurePages module, do I need to make changes to htaccess file which is available by default in root? I have installed ssl certificate and can access my site both with http and https. All I want is to redirect http://mysite.com AND http://www.mysite.com to https://www.mysite.com. Do I need to make changes in htaccess file? And what will SecurePages module will do for me? Please help, Thanks Hi Hey Randy,

Very nice tutorial. I have a question before I go ahead and install SecurePages module, do I need to make changes to htaccess file which is available by default in root?

I have installed ssl certificate and can access my site both with http and https. All I want is to redirect http://mysite.com AND http://www.mysite.com to https://www.mysite.com. Do I need to make changes in htaccess file? And what will SecurePages module will do for me?

Please help,
Thanks

]]>