Drupal - Redirect /user/login to HTTPS, all other requests to HTTP

You don't really need /user/login to be served via https; you need the user login form to be submitted via https.

You should take a look at the module securepages_prevent_hijack -- not to use it directly, since it depends on securepages, but to see how the login form is altered. Like so:

function securepages_prevent_hijack_form_alter(&$form, &$form_state, $form_id) {
  // Secure the login form, so that we always have a secure connection to transmit the
  // initial cookie.  Also, protect the password in transit.
  if ($form['#id'] == 'user-login-form' || $form['#id'] == 'user-login') {
    $url = parse_url($form['#action']);

    $base_path = base_path();
    $path = (!strncmp($url['path'], $base_path, drupal_strlen($base_path)) ? drupal_substr($url['path'], drupal_strlen($base_path)) : $url['path']);
    $options = array('secure' => TRUE);
    if (isset($url['query'])) {
      $options['query'] = $url['query'];
    }
    $form['#action'] = securepages_url($path, $options);
  }
}

You should also figure out whether the cookie that Drupal is setting for you is secure or not. This will depend on your settings in php.ini. Check to see if you have set session.cookie_secure to 1. If you have, then the cookie will not be sent to your http sessions, which could be why you are ending back at the home page (no session cookie == no session == no login info == log out). Of course, if the session.cookie_secure is 0, then it might be possible for other parties to observe your session cookies in transit, and masquerade as your users. Perhaps you have already considered this risk, but it does bear some consideration.


I think the Secure Login module will also do what you want without requiring you to hack the core.

Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text.


I think you can try Secure Pages again, as since then they've release the new stable version.

For Drupal 8, check: Secure Login module.

See also: Enabling HTTP Secure (HTTPS).

Tags:

.Htaccess

7

Related

Drupal - Sending a value to JavaScript Drupal - How to get the URL of a file located in the theme folder? Drupal - Is there a function to get the current user object that avoids accessing the global variable? Drupal - Changing url of exposed filter Drupal - How can i enable automatic path creating for all nodes? Drupal - Custom validation for a form? Drupal - Looking for Acquia Dev Desktop database settings Drupal - Should I be using node_load() rather than building my own queries with db_select()? Drupal - How can I get both "body" and "summary" fields to appear in a new article? Drupal - Any advantage to using Profile2 module vs. custom user account fields? Drupal - When is it appropriate to create an Entity versus just adding a new content type? Drupal - Easiest way to test email notifications locally?

Recent Posts