Drupal and Secure Logins using mod_rewrite and manually setting the cookie

nid

201

vid

201

type

blog

status

1

created

1188452062

changed

1188741391

comment

0

promote

1

sticky

0

revision_timestamp

1188741391


body

<p>I never dug into mod_rewrite before Drupal. Now I do. I hope that I have explained this properly and that it helps others figure things out.</p>
<p>So here is the scenario:</p>
<ul>
<li>logins should occur via SSL</li>
<li>everything else should occur via non-SSL</li>
<li>the main site is www.example.com</li>
<li>the SSL site is ssl.example.com</li>
</ul>
<p>Normally, I understand that this is an easy process to accomplish if the third-level domains match. In my case, this isn't true. I have a pre-existing certificate that I didn't want to burn and I personally prefer that my SSL site NOT use www as the hostname.</p>
<p>So this takes modifications in four different areas:</p>
<ul>
<li>virtual host configuration for the non-SSL site</li>
<li>virtual host configuration for the SSL site</li>
<li>manually setting the cookie in settings.php</li>
<li>install the module, securepages</li>
</ul>
<ol>
<li>The following lines redirect port 80 traffic and URLs that are routed to this virtual host to the canonical non-SSL host name. Add these lines to your non-SSL config in the mod_rewrite section:<br />
<code><br />
  RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]<br />
  RewriteRule ^.*$ http://www.example.com%{REQUEST_URI} [L,R=301]<br />
  RewriteCond %{SERVER_PORT} !^80$<br />
  RewriteRule ^.*$ http://www.example.com%{REQUEST_URI} [L,R=301]<br />
</code>
</li>
<li>The following lines redirect port 443 traffic and URLs that are routed to this virtual host to the canonical SSL host name. Add these lines to your SSL config in the mod_rewrite section:<br />
<code><br />
  RewriteCond %{HTTP_HOST} !^ssl\.example\.com$ [NC]<br />
  RewriteRule ^.*$ https://ssl.example.com%{REQUEST_URI} [L,R=301]<br />
  RewriteCond %{SERVER_PORT} !^443$<br />
  RewriteRule ^.*$ https://ssl.example.com%{REQUEST_URI} [L,R]<br />
</code>
</li>
<li>
Add this to your settings.php file for this Drupal site:<br />
<code>ini_set('session.cookie_domain', ".example.com");<br />
</code>
Setting the cookie domain to .example.com makes the session cookie valid for both www.example.com and ssl.example.com, so the session created at login on the SSL site carries over to the main site.
</li>
<li>I won't explain how to install the securepages module. I assume you got here by knowing enough about Drupal. :) But once you do install it, check the *using http whenever possible* checkbox in its configuration. The rest of the default settings that come with the module should work fine.</li>
</ol>
<p>Enjoy!</p>
<p>(Partial credit goes to souvent22 and others in IRC.)</p>
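<p>How the session.cookie_domain setting from step 3 changes which requests carry the session cookie, as an added example that is not part of the original post: a small Python model of browser cookie scoping. The host other.example.com and the sample URLs are constructed; session.cookie_secure is PHP's ini setting for the Secure attribute and appears only for comparison.</p>

```python
"""Constructed model of browser cookie scoping (RFC 6265) for the setup above."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    set_by: str                   # host that sent Set-Cookie
    domain: Optional[str] = None  # Domain attribute (session.cookie_domain)
    secure: bool = False          # Secure attribute (session.cookie_secure)


def is_sent(cookie: Cookie, url: str) -> bool:
    """Return True if a browser would attach `cookie` to a request for `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.secure and parts.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    if cookie.domain is None:
        # Host-only cookie: returned only to the exact host that set it.
        return host == cookie.set_by.lower()
    domain = cookie.domain.lstrip(".").lower()  # a leading dot is ignored
    return host == domain or host.endswith("." + domain)


# Constructed sample requests; other.example.com is a hypothetical sibling host.
URLS = [
    "https://ssl.example.com/user",
    "http://www.example.com/node/1",
    "http://other.example.com/",
]


def scope(cookie: Cookie) -> List[str]:
    """List the sample URLs that would receive the cookie."""
    return [u for u in URLS if is_sent(cookie, u)]


# The login response comes from ssl.example.com in every case.
host_only = Cookie(set_by="ssl.example.com")
shared = Cookie(set_by="ssl.example.com", domain=".example.com")
shared_secure = Cookie(set_by="ssl.example.com", domain=".example.com", secure=True)

if __name__ == "__main__":
    cases = [("host-only", host_only), ("shared", shared), ("shared+secure", shared_secure)]
    for name, cookie in cases:
        print(f"{name:14} -> {scope(cookie)}")
```

<p>The "shared" row is why step 3 is needed, and it also shows the cost: after login the session cookie is sent over plain HTTP and to every host under example.com. The "shared+secure" row shows that marking the cookie Secure would keep it off HTTP but would also leave www.example.com without the session.</p>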


log

format

1

uid

1

name

davea

picture


last_comment_timestamp

1188453068

last_comment_name

NULL

comment_count

0

taxonomy

Array
(
    [66] => stdClass Object
        (
            [tid] => 66
            [vid] => 63
            [name] => drupal
            [description] => 
            [weight] => 0
        )

    [69] => stdClass Object
        (
            [tid] => 69
            [vid] => 63
            [name] => mod_rewrite
            [description] => 
            [weight] => 0
        )

    [68] => stdClass Object
        (
            [tid] => 68
            [vid] => 63
            [name] => security
            [description] => 
            [weight] => 0
        )

    [67] => stdClass Object
        (
            [tid] => 67
            [vid] => 63
            [name] => ssl
            [description] => 
            [weight] => 0
        )

)

files

Array
(
)

readmore

1
