Drupal and Secure Logins using mod_rewrite and manually setting the cookie

nid

201

vid

201

type

blog

status

1

created

1188452062

changed

1188741391

comment

0

promote

1

sticky

0

revision_timestamp

1188741391

title

Drupal and Secure Logins using mod_rewrite and manually setting the cookie

body

I never dug into mod_rewrite before Drupal. Now I do. I hope that I have explained this properly and that it helps others figure things out. So here is the scenario: <ul> <li>logins should occur via SSL</li> <li>everything else should occur via non-ssl</li> <li>the main site is www.example.com</li> <li>the ssl site is ssl.example.com</li> </ul> Normally, I understand that this is an easy process to accomplish if the third level domains match. In my case, this isn't true. I have a pre-existing certificate that I didn't want to burn and I personally prefer that my ssl site NOT use www as the hostname. So this takes modifications in four different areas: <ul> <li>virtual host configuration for non-ssl site</li> <li>virtual host configuration for the ssl site</li> <li>manually setting the cookie in settings.php</li> <li>install the module, securepages</li> </ul> <ol> <li>The following lines will modify port 80 traffic and URLs that are routed to this virtual host. Add these lines to your non-ssl config in the mod_rewrite section: <code> RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC] RewriteRule ^.*$ http://www.example.com%{REQUEST_URI} [L,R=301] RewriteCond %{SERVER_PORT} !^80$ RewriteRule ^.*$ http://www.example.com/%{REQUEST_URI} [L,R=301] </code> </li> <li>The following lines will modify port 443 traffic and URLs that are routed to this virtual host. Add these lines to your ssl config in the mod_rewrite section: <code> RewriteCond %{HTTP_HOST} !^ssl\.example\.com$ [NC] RewriteRule ^.*$ https://ssl.example.com%{REQUEST_URI} [L,R=301] RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^.*$ https://ssl.example.com/%{REQUEST_URI} [L,R] </code> </li> <li> Add this to your setting.php file for this Drupal site: <code>ini_set('session.cookie_domain', ".example.com"); </code> </li> <li>I won't explain how to install the securepages module. I assume you got here by knowing enough about Drupal. :) But, once you do install it, configure it to check the box about *using http whenever possible* checkbox. The reset of default settings that come with the module should work fine.</li> </ol> Enjoy! ( partial credit goes to souvent22 and others in IRC)

teaser

I never dug into mod_rewrite before Drupal. Now I do. I hope that I have explained this properly and that it helps others figure things out. So here is the scenario: <ul> <li>logins should occur via SSL</li> <li>everything else should occur via non-ssl</li> <li>the main site is www.example.com</li> <li>the ssl site is ssl.example.com</li> </ul>

log

format

1

uid

1

name

davea

picture

data

a:6:{s:6:"submit";s:18:"Create new account";s:7:"form_id";s:13:"user_register";s:7:"contact";i:0;s:5:"block";a:1:{s:2:"og";a:1:{i:4;i:1;}}s:8:"og_email";s:1:"2";s:15:"googleanalytics";a:1:{s:6:"custom";i:0;}}

last_comment_timestamp

1188453068

last_comment_name

NULL

comment_count

0

taxonomy

Array
(
    [66] => stdClass Object
        (
            [tid] => 66
            [vid] => 63
            [name] => drupal
            [description] => 
            [weight] => 0
        )

    [69] => stdClass Object
        (
            [tid] => 69
            [vid] => 63
            [name] => mod_rewrite
            [description] => 
            [weight] => 0
        )

    [68] => stdClass Object
        (
            [tid] => 68
            [vid] => 63
            [name] => security
            [description] => 
            [weight] => 0
        )

    [67] => stdClass Object
        (
            [tid] => 67
            [vid] => 63
            [name] => ssl
            [description] => 
            [weight] => 0
        )

)

files

Array
(
)