Secure pages module

drupal secure pages module
http://drupal.org/project/securepages on 6.x-1.8 on 6.14 2009-10-03
updated 2011-12-28 for then 6.x-1.9 on 6.22

Main function:
Make certain pages secure, specifying them as https.

Example function:
When you want to make the entry and view of personal information or purchase information secure.

Manage:
Enable/disable again in its own admin section.
Option: Switch back to http pages when there are no matches.
Enter the: Non-secure Base URL
Enter the: Secure Base URL
Specify which pages will be secure: All except listed/only listed
Specify ignored pages

Experience:
This was working for a while without problems, and with one of these updates, Ubercart checkout is not working anymore. Serious problems in securing the admin section if contributed module Administration menu is installed and for securing Übercart checkout.

Default settings:
This puts the entire admin section into SSL /https.

Pages:

node/add*
node/*/edit
user
user/*
admin
admin/*

Ignore pages:

*/autocomplete/*
*/ajax/*

On which pages to use?
Of course it depends on the site:

  • User pages should be encrypted: User login, registration and lost password pages, where the user enters username and login password.
  • Admin section: maybe not really needed for a normal site. There's nothing really there that is sensitive data, as far as I'm concerned.
  • Node changes: maybe also not needed for a normal site that does not contain sensitive data. If the data is sensitive, then yes, including the admin section.
  • Shopping cart should be fully encrypted: cart, checkout, confirmation, payment, payment gateway connection, order forms, customers and order summaries. The product catalogue is not encrypted.

Changes/additions to the default settings:
There are issues for pages using JavaScript and AJAX. See: http://drupal.org/node/863562, http://drupal.org/node/49875.

Administration menu in SSL:
With admin in SSL, the administration menu http://drupal.org/project/admin_menu will not work in SSL. Administration menu has no documentation for SSL. There is no documentation section at the secure pages module. Not helpful. According to http://drupal.org/node/498754 add to ignore pages:

js/*

Has no effect. Flush all caches and browser cache. If no effect, check settings.php. If you entered a value for $base_url, then disable it. Be sure to flush caches again. Tried changing cache, compression or optimisation settings. Works, but only on the same page; on any other page the administration menu disappears, also when going back to the original page. Tried workaround http://drupal.org/node/863562, flush caches again. Clear browser cache (log in again). Still not working. Giving up on using SSL for the admin section in order to keep the admin menu. Expletives deleted.

Übercart cart and checkout in SSL:
Add to SSL pages:

cart*
cart/*

Add to ignore pages:

*/admin_ajax/*
uc_paypal/*
cgi-bin/webscr

When it is set for SSL, Übercart checkout still gets stuck. It cannot find country provinces/states, cannot calculate shipping cost and order total, cannot access the payment module. Partially solved with the js/* in ignore pages. But still cannot do it.
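To see what the page and ignore lists above do to a given path, the following dry-run checker can help. It is an added example, not code from the Secure Pages module, and it assumes that `*` matches any run of characters, that the ignore list is checked first, and that an ignored path keeps the scheme of the request that reached it; `sp_regex`, `sp_decide` and the sample paths are hypothetical.

```php
<?php
// Added example: simplified model of how the two pattern lists are applied.
// Assumptions: '*' matches any run of characters, the ignore list is checked
// first, and an ignored path keeps the scheme of the request that reached it.

// Turn a newline-separated pattern list into one anchored regular expression.
function sp_regex($patterns) {
  $quoted = array();
  foreach (preg_split('/\s*\n\s*/', trim($patterns)) as $line) {
    if ($line !== '') {
      $quoted[] = str_replace('\*', '.*', preg_quote($line, '/'));
    }
  }
  return $quoted ? '/^(' . implode('|', $quoted) . ')$/' : NULL;
}

// Returns 'https', 'http' or 'unchanged' for a Drupal path.
function sp_decide($path, $pages, $ignore, $only_listed = TRUE, $switch_back = TRUE) {
  $ignore_re = sp_regex($ignore);
  if ($ignore_re && preg_match($ignore_re, $path)) {
    return 'unchanged';
  }
  $pages_re = sp_regex($pages);
  $listed = $pages_re && preg_match($pages_re, $path);
  $secure = $only_listed ? $listed : !$listed;
  if ($secure) {
    return 'https';
  }
  return $switch_back ? 'http' : 'unchanged';
}

// Lists as given on this page: defaults plus the Ubercart additions and js/*.
$pages = "node/add*\nnode/*/edit\nuser\nuser/*\nadmin\nadmin/*\ncart*\ncart/*";
$ignore = "*/autocomplete/*\n*/ajax/*\njs/*\n*/admin_ajax/*\nuc_paypal/*\ncgi-bin/webscr";

// Constructed sample paths; the last one stands for a callback missing from both lists.
$samples = array('user/login', 'admin/build/modules', 'node/12/edit', 'node/12',
  'cart/checkout', 'catalog', 'js/example/callback', 'user/autocomplete/jo',
  'uc_paypal/ipn/7', 'example/callback');

foreach ($samples as $path) {
  printf("%-22s %s\n", $path, sp_decide($path, $pages, $ignore));
}
```

In this model, a callback path that comes out as `http` while the page requesting it is `https` is the combination to look for when a secured form stops working.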

Other things to check:

  • .htaccess
  • settings.php
      NOT YET SOLVED.

      Tried the Übercart SSL module http://drupal.org/project/uc_ssl. Guess what, that either puts the entire site into SSL (always) or nothing. Useless.

      G*ogle Problem:
      G is indexing https pages. I don't believe the entire site was ever SSL'd, except possibly during setup trial for a few minutes or so. And I initially thought it would not do that. But it has indexed one language page with https prefix. Very strange. It must be stopped from indexing any https. Need to look into this. WIP.

      Multilingual conversion:

      Note that I'm using domains (de.domain.com, nl.domain.com) for languages. These are *not* prefixes as defined in Site configuration > Languages > Configure. It's: Domain name only.

      Security works on a per domain basis. This has implications for subdomains. It goes for SSL in general and also for the out of the box secure pages module.

      Standard set up is:
      a single (1) standard base location, like: http://www.mydomain.com
      a single (1) secure base location, like: https://www.mydomain.com

      Subdomains based security would need to be set additionally:

      a single (1) standard German base location, like: http://de.mydomain.com
      a single (1) secure German base location, like: https://de.mydomain.com

      I'll try multilingual variables (re i18n) to see if that will do it.

      Found all seven secure pages variables in the variable database table. Actually I only want to specify the paths, they are: securepages_basepath (for the normal/http path) and securepages_basepath_ssl (for the ssl/https path). I think this might work (re i18n).

      It's time to feed the fish in the pond.

      I'm using only these two variables in order to avoid confused ssl settings among the languages. Inserted in settings.php multilingual variables: They work. Super.

      The language switcher will not switch languages/domains while in ssl, but this should probably be intended behavior. Any user language switching will anyway be limited to the index page (if at all).

      Background note:
      A dedicated IP is mandatory for all SSL, in general. A security certificate is needed for all SSL. Cpanel creation of certificate may appear to work, but might possibly be inactive (and will then require host support). Certificate site name must be exact (re: with/without www, or en, de, fr, nl subdomains), this is where the language domains issue comes in; I recall subdomain wildcard certificates as principally possible, but costly. At minimum the certificate can be self-signed (lots of browser warnings), that should be ok during site development phase.
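The exact-name requirement and the per-language secure base locations above can be checked together before the base URLs go into the Secure Pages settings. This is an added example, not code from the module; the host names, certificate name lists and the functions `cert_name_covers` and `check_secure_base` are constructed for illustration.

```php
<?php
// Added example. Host names, certificate names and the language map are constructed.
// Assumption: each language domain has its own secure base URL, as in the
// multilingual setup described above.

// TRUE if certificate name $name covers $host: exact match, or a wildcard in
// the left-most label, which stands for exactly one label.
function cert_name_covers($name, $host) {
  $name = strtolower($name);
  $host = strtolower($host);
  if ($name === $host) {
    return TRUE;
  }
  if (strpos($name, '*.') !== 0) {
    return FALSE;
  }
  $dot = strpos($host, '.');
  return $dot !== FALSE && $dot > 0 && substr($host, $dot) === substr($name, 1);
}

// List the problems with one language's secure base URL.
function check_secure_base($https_base, $cert_names) {
  $url = parse_url($https_base);
  if (!isset($url['scheme'], $url['host']) || strtolower($url['scheme']) !== 'https') {
    return array('secure base URL is not an https URL');
  }
  foreach ($cert_names as $name) {
    if (cert_name_covers($name, $url['host'])) {
      return array();
    }
  }
  return array('certificate does not name ' . $url['host']);
}

$secure_bases = array(
  'en' => 'https://www.mydomain.com',
  'de' => 'https://de.mydomain.com',
  'nl' => 'https://nl.mydomain.com',
);
$certificates = array(
  'single name' => array('www.mydomain.com'),
  'wildcard' => array('*.mydomain.com', 'mydomain.com'),
);

foreach ($certificates as $label => $names) {
  foreach ($secure_bases as $lang => $base) {
    $problems = check_secure_base($base, $names);
    printf("%-12s %s %-26s %s\n", $label, $lang, $base, $problems ? implode('; ', $problems) : 'ok');
  }
}
```

With the single-name certificate only the `www` host passes; the wildcard covers `de` and `nl` as well, but would not cover a host two labels below the domain.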

      Of course a good solution would be to switch from subdomain to prefix for all https pages, but that will require some code hacking... Don't know how to do it. Later.

      http://www.missingubercartmanual.com/Configuring-Your-Site-For-HTTPS-whe...
      http://www.ubercart.org/forum/ideas_and_suggestions/18278/setting_sslsec...
      http://www.ubercart.org/forum/support/1850/ssl_which_paths_do_you_protect
      http://www.besthostratings.com/articles/force-ssl-htaccess.html
      http://www.ubercart.org/forum/support/11460/paypal_and_ssl_support

Comments

Thanks this helped me setup securepages.
