Now that I managed to get SSL set up using a wildcard certificate (*.kkaefer.com) signed by CACert, securing the login to a Drupal site is amazingly easy:
# Force the user to use https.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule /(user|admin) https://%{HTTP_HOST}%{REQUEST_URI} [R]

# Enforce SSL for user login and administration.
<LocationMatch "/(user|admin)">
    SSLRequireSSL
</LocationMatch>
That’s pretty much all you need. It works transparently for the user: when the user tries to access a URL beginning with admin or user, they are redirected to the exact same request, but with http replaced by https. Additionally, SSL is required for those locations (I added that to prevent logins without SSL in case mod_rewrite fails, becomes unavailable, etc.). You can easily add new paths that require SSL by adding them to both regular expressions.
Sometimes users can log in using a URL that doesn’t begin with user. Therefore, you should also install securelogin.module, which rewrites the actions of forms to use https.
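The coverage gap described above can be checked with a small model of the two directives. This is an added example, not part of the original post: it assumes virtual-host context, and the host name and login form targets are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The unanchored pattern used by both the RewriteRule and <LocationMatch> above.
PROTECTED = re.compile(r"/(user|admin)")

def decide(url, rewrite_enabled=True):
    """Model the two directives for one request in virtual-host context.

    Both are matched against the URL path only, never the query string.
    Returns (action, detail).
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.scheme == "https":
        return ("served", "tls")
    if PROTECTED.search(path):
        if rewrite_enabled:
            # RewriteCond %{HTTPS} off + RewriteRule ... [R]; mod_rewrite
            # re-appends the original query string to the redirect target.
            query = "?" + parts.query if parts.query else ""
            return ("redirect", "https://" + parts.netloc + path + query)
        # Fallback when the rewrite does not fire: SSLRequireSSL denies access.
        return ("forbidden", "403")
    return ("served", "plaintext")

def plaintext_logins(urls):
    """Return the login form targets that would be answered without TLS."""
    return [u for u in urls if decide(u) == ("served", "plaintext")]

# Constructed login form targets (hypothetical host, illustrative Drupal paths).
LOGIN_TARGETS = [
    "http://example.com/user/login",             # login page
    "http://example.com/node?destination=node",  # login block on another page
    "http://example.com/?q=user/login",          # clean URLs disabled
    "https://example.com/user/login",            # already on TLS
]

if __name__ == "__main__":
    for url in LOGIN_TARGETS:
        print(url, "->", decide(url))
    print("not covered:", plaintext_logins(LOGIN_TARGETS))
```

The two targets reported as not covered are the ones whose path does not contain /user or /admin, which is the case the form-action rewriting is meant to close.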
Comments
Thank you for the tip. It saved more than an hour for me.
Where should I keep this rewrite code? I already have the default .htaccess file and cleanURLs is enabled.
In the .htaccess file I could not find the proper place to put this code. Can you suggest one?
Rajesh Akkineni
This can be either added to the beginning of the .htaccess file or the virtual server configuration in Apache’s configuration file.
Thanks for the info… We are getting ready to start developing in Drupal but we have been researching the differences between Drupal and WordPress… Can anyone provide any feedback between the pros and cons of each? Thanks!