Drupal secure pages module

Updated 4 September 2012. Created by janroe 12 October 2009.

Updated 21 April 2012 and 27 August 2012

Drupal Secure Pages module
http://drupal.org/project/securepages for 6.x-1.8 with D6.14 on 2009-10-03
updated for 6.x-1.9 with D6.22 on 2011-12-28

Required

A dedicated IP and SSL Security Certificate installation are needed before enabling the module. There is a warning not to try it without these crucial prerequisites.

Main function

Make certain pages secure, specifying them as https.

Example function

When you want to make the entry and view of personal information or purchase information secure.

Manage

- Enable/disable again in its own admin section.
- Option: Switch back to http pages when there are no matches.
- Enter the: Non-secure Base URL
- Enter the: Secure Base URL
- Specify which pages will be secure: All except listed/only listed
- Specify ignored pages

Experience

This has been working. Problems have occurred after server upgrades, Drupal core upgrades, secure pages upgrades as well as after upgrading contributed modules "Admin menu" and Übercart. For errors and possible solutions see further below.

Settings

Complete settings that work with Ubercart and Admin menu modules:
This puts the shopping cart, user interaction and admin section into SSL /https.

Pages:

node/add*
node/*/edit
user
user/*
admin
admin/*
cart
cart/*

Complete ignore pages:

*/autocomplete/*
*/ajax/*
js/*
*imce*

But there are many different needs and opinions.
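To see what a set of patterns really covers before saving it, the following added example (not part of the Secure Pages module or of the original notes) evaluates the two lists above with the wildcard rules of Drupal 6's `drupal_match_path()`: one pattern per line, `*` matches any run of characters, and the whole path must match. Giving the ignore list precedence is an assumption about the module's evaluation order; `classify`, `compile_patterns` and the sample paths are constructed for illustration.

```python
import re

# Lists copied from the "Pages" and "Ignore pages" settings on this page.
SECURE_PAGES = """node/add*
node/*/edit
user
user/*
admin
admin/*
cart
cart/*"""

IGNORE_PAGES = """*/autocomplete/*
*/ajax/*
js/*
*imce*"""


def compile_patterns(patterns):
    """Build one anchored regex from a newline-separated pattern list.
    '*' becomes '.*', so it also crosses '/' boundaries."""
    alternatives = [re.escape(line.strip()).replace(r"\*", ".*")
                    for line in patterns.splitlines() if line.strip()]
    return re.compile("^(?:" + "|".join(alternatives) + ")$")


def classify(path, pages=SECURE_PAGES, ignore=IGNORE_PAGES, only_listed=True):
    """Return 'ignore', 'https' or 'http' for a Drupal path.
    Assumption: an ignore match wins and leaves the current protocol alone."""
    path = path.strip("/").lower()
    if compile_patterns(ignore).match(path):
        return "ignore"
    listed = bool(compile_patterns(pages).match(path))
    # only_listed=True  -> "only listed pages are secure"
    # only_listed=False -> "all pages except listed are secure"
    return "https" if listed == only_listed else "http"


if __name__ == "__main__":
    # Constructed sample paths; the js/ path is the one quoted later on this page.
    for p in ["user/login", "users", "user/autocomplete/jo", "node/12",
              "node/12/edit", "js/admin_menu/cache/xxyyzzetc", "cartoon-gallery"]:
        print(f"{p:32} {classify(p)}")
    # 'cart*' (listed further down the page) is broader than 'cart' + 'cart/*'.
    print(classify("cartoon-gallery", pages="cart*\ncart/*"))
```

The `user/autocomplete/jo` case shows why the ignore list matters: it falls under `user/*`, yet the `*/autocomplete/*` entry keeps the request on whatever protocol the page already uses.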

On which pages to use?
Of course it depends on the site:

  • User pages should be encrypted: User login, registration and lost password pages, where the user enters username and login password.
  • Admin section: maybe not really needed for a normal site. There's nothing really there that is sensitive data, as far as I'm concerned.
  • Node changes: maybe also not needed for a normal site that does not contain sensitive data. If the data is sensitive, then yes, including the admin section.
  • Shopping cart should be fully encrypted: cart, checkout, confirmation, payment, payment gateway connection, order forms, customers and order summaries. The product catalogue is not encrypted.

Details for the list above

SSL node adding and editing:
node/add*
node/*/edit

SSL user interaction:
user
user/*

SSL complete admin section access:
admin
admin/*

SSL Ubercart's cart and checkout:
cart*
cart/*

Other source has a long list:
http://www.ubercart.org/forum/support/1850/ssl_which_paths_do_you_protect.

Add more to Ignore pages (may not be needed, not included above):

*/admin_ajax/*
uc_paypal/*
cgi-bin/webscr

Source: not noted.

Administration menu in SSL

For the contributed module Administration menu, the following needs to be added to the ignore pages (as included above):

js/*

Source: http://drupal.org/node/498754 and another indication at http://drupal.org/node/774634 (Ubercart SSL, which I do not use). There does not appear to be any handbook documentation on this.

Errors

Partially encrypted pages

Partial encryption will cause the browser padlock to disappear or give a warning - not good. This is a major headache. After fixing things, the issue may return when modules are updated.

JS Optimisation

When disabling JS optimization in admin > site configuration > performance, Ubercart's shopping cart block creates a JS error that results in partially encrypted pages. To fix it, re-enable JS optimization.

Images

Some modules' images may have incorrect permissions, generating behind-the-scenes errors (403 and 404 page not found), disallowing them from showing up in SSL, and finally causing "partial encryption" horror.

These can be identified with Firebug, or browsers that will show missing images more clearly (Chrome). Specifically:

  • cart arrows in uc_cart with permission 640 can't show in ssl, change to 644 (this may have been fixed in newer UC version)
  • paypal's included credit card images in uc_credit with permission 740 can't show in ssl, change to 644 (not fixed in current UC version)

Not sure why public images would have been assigned 640 or 740 permission. World users should have at least "read" = 4 at the end.

Other modules might generate different issues, but solutions may be similar.
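A way to find such files in bulk instead of one 403 at a time, as an added example that is not from the original notes or from Ubercart: it walks a module directory and reports image files without the world-read bit. It goes one step beyond the cases above by also reporting directories without world-execute, since a 644 file inside such a directory is just as unreachable. The function names and the extension list are assumptions made for illustration.

```python
import os
import stat

IMAGE_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg", ".ico"}


def audit_web_readable(root):
    """Return [(path, octal_mode, reason)] for entries under root that a web
    server running as a different user could not serve."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if not dir_mode & stat.S_IXOTH:
            findings.append((dirpath, format(dir_mode, "03o"),
                             "directory lacks world-execute"))
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if not mode & stat.S_IROTH:
                findings.append((path, format(mode, "03o"),
                                 "file lacks world-read"))
    return findings


def fix_permissions(findings):
    """Set reported files to 644 and reported directories to 755."""
    for path, _mode, _reason in findings:
        os.chmod(path, 0o755 if os.path.isdir(path) else 0o644)
    return len(findings)


if __name__ == "__main__":
    import sys
    # Usage: python audit_perms.py sites/all/modules/ubercart
    for path, mode, reason in audit_web_readable(sys.argv[1]):
        print(f"{mode}  {path}  ({reason})")
```

Run the audit first and review the list before calling `fix_permissions`; files that are private on purpose should not be opened up.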

Contributed module Admin menu not showing in SSL:

I fixed this issue, but unfortunately did not note it here. More in detail:

For a multilingual site using i18n, the contributed administration menu suddenly stopped working in SSL. On other sites on the same shared server, but not multilingual, it is working fine.

With admin_menu module enabled and included for SSL, the page is trying to access:

http://www.mysite.com/js/admin_menu/cache/xxyyzzetc.

This is NOT https, and results in 403 Forbidden (permission denied), or (lately) 503 Service unavailable. I guess this is enough for the admin menu not to appear. This despite js/* or any *js* combination specified in Ignore pages - as described in similar/SAME case http://drupal.org/node/498754.

Where is this cache? There are numbered js files in sites/default/files/js, but numbering does not correspond to the error. There is a cache_admin_menu table in the database. Emptying (not dropping) this table makes the admin menu appear! But only once. Any next page and the error is back (with the same cache number).

Clearing cache by performance menu, or specifically the administration menu cache by admin menu cache flush, does not clear this issue.

There's something related here, referring to cache, http, favicon:
http://drupal.org/node/1055172

Tried all the below for both the "partially encrypted" issue (now solved) and the administration menu not showing in SSL (not solved). Earlier I thought the issues are related, but solving the first without the second proves they are not:

Cache

Flushing all site and browser caches has no effect at any time.

$base_url

Source: http://drupal.org/node/863562:
Disabling the value for $base_url in settings.php has no effect.
The patch workaround has no effect.

Performance

Changing performance settings (cache, compression or optimisation) has no effect.

.htaccess

Source: http://www.missingubercartmanual.com/Configuring-Your-Site-For-HTTPS-whe... has an .htaccess suggestion, but uncertain to work on subdomain language sites. It also shows that if all else has been tried, it's possible that the SSL certificate was installed incorrectly (Post: Wow. Honestly, I had no idea...). More on .htaccess:
http://www.ubercart.org/forum/support/1850/ssl_which_paths_do_you_protect
http://www.besthostratings.com/articles/force-ssl-htaccess.html
http://www.ubercart.org/forum/ideas_and_suggestions/18278/setting_sslsec...

Other potential causes

Disabling and fully uninstalling both the secure pages and admin menu modules did not work either.

Tried the Übercart SSL module http://drupal.org/project/uc_ssl. Guess what, that either puts the entire site into SSL (always) or nothing. Not useful.

Finally I solved it through insertion of code, but I can't find either the code or the source now. I'll put it up as soon as I find it (my apologies).

G*ogle Problem:

G is indexing https pages. I don't believe the entire site was ever SSL'd, except possibly during setup trial for a few minutes or so. And I initially thought it would not do that. But it has indexed one language page with https prefix. Very strange. It must be stopped from indexing any https. Need to look into this. WIP.

Multilingual conversion:

Note that I'm using subdomains (de.domain.com, nl.domain.com) for languages. These are *not* prefixes as defined in Site configuration > Languages > Configure. It's: Domain name only.

Security works on a per domain basis. This has implications for subdomains. It goes for SSL in general and also for the box secure pages module.

Standard set up is:
a single (1) standard base location, like: http://www.mydomain.com
a single (1) secure base location, like: https://www.mydomain.com

Subdomains based security would need to be set additionally:

a single (1) standard German base location, like: http://de.mydomain.com
a single (1) secure German base location, like: https://de.mydomain.com

I'll try multilingual variables (re i18n) to see if that will do it.

Found all seven secure pages variables in the variable database table. Actually I only want to specify the paths, they are: securepages_basepath (for the normal/http path) and securepages_basepath_ssl (for the ssl/https path). I think this might work (re i18n).

It's time to feed the fish in the pond.

I'm using only these two variables in order to avoid confused ssl settings among the languages. Inserted in settings.php multilingual variables: They work. Super.

The language switcher will not switch languages/domains while in ssl, but this should probably be intended behavior. Any user language switching will anyway be limited to the index page (if at all).

Background note:

A dedicated IP is mandatory for all SSL, in general. A security certificate is needed for all SSL. Cpanel creation of certificate may appear to work, but might possibly be inactive (and will then require host support). Certificate site name must be exact (re: with/without www, or en, de, fr, nl subdomains), this is where the language domains issue comes in; I recall subdomain wildcard certificates as principally possible, but costly. At minimum the certificate can be self-signed (lots of browser warnings), that should be ok during site development phase.

Of course a good solution would be to switch from subdomain to prefix for all https pages... better to leave that alone.
