[haiku-web] Authentication with Drupal

  • From: Oliver Tappe <zooey@xxxxxxxxxxxxxxx>
  • To: haiku-web@xxxxxxxxxxxxx
  • Date: Wed, 25 Nov 2009 14:55:47 +0100

Hi there,

I have done some research on how to improve upon the plaintext-over-the-wire 
authentication mechanism that is currently in place for our drupal website.

So far, it seems that three different schemes could work:

1. Using the 'securesite' module to implement HTTP digest authentication.

2. Using both the 'secure pages' and the 'secure pages hijack prevention' 
module to switch the vulnerable pages (login, edit-profile, ...) over to 
https.

3. Using a small code fragment in settings.php to switch logged-in user 
sessions to https and keep anonymous access to http.

Unfortunately, all methods seem to have some drawbacks:

- According to a discussion on drupal.org, the securesite module does not yet 
allow specifying which pages it protects, so it seems that *all* pages would 
require authentication. We'd have to check, but if this really is the case, 
then method 1 is no solution, I guess.
If we were able to require authentication just for restricted pages, the 
new method of authentication would require all users to change their password.

- Using 2 or 3 would introduce the usual 'SSL certificate not trusted' warning 
in browsers and would increase the load on the server to some extent (3 more 
than 2). Additionally, using SSL could slightly reduce the effectiveness of 
using an IDS to inspect (and drop some of) the traffic directed at our sites.

We could avoid the browser warning by actually getting our certificate signed 
by one of the browser-implanted certificate authorities, but that costs 
money, of course.

Any opinions or other ideas?

cheers,
        Oliver
-----------------------------------------------------------------------
haiku-web@xxxxxxxxxxxxx - Haiku Web & Developer Support Discussion List
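The following is an added example for option 3 from the message above (the settings.php fragment that keeps anonymous visitors on http and moves logged-in sessions to https). It is not code from the original post, from Haiku's Drupal site, or from Drupal itself. Everything named in it is an assumption: the LOGGED_IN marker cookie is hypothetical and would have to be set by a small custom module on login and cleared on logout (settings.php runs before the database is available, so the real session cannot be inspected there); www.example.org stands in for the site's host; mixed_mode_redirect_target() is a name chosen here. The https host comes from configuration rather than the Host header, so a crafted Host header cannot turn the redirect into an open redirect.

```php
<?php
// Added example for "option 3": anonymous traffic stays on http, while requests
// that belong to a logged-in session, and the login/account pages themselves,
// are sent to https. Not code from the original post or from Drupal.
// Assumptions: LOGGED_IN is a hypothetical marker cookie set by a custom module
// on login; www.example.org stands in for the real site host.

/**
 * Decide whether the current request must be redirected to https.
 *
 * @param array  $server     $_SERVER (or a constructed copy for testing).
 * @param array  $cookie     $_COOKIE (or a constructed copy for testing).
 * @param string $https_host Configured host for https URLs. Taken from
 *                           configuration, never from the Host header, so a
 *                           crafted Host header cannot become a redirect target.
 * @param string $marker     Name of the (hypothetical) logged-in marker cookie.
 * @param array  $sensitive  Path prefixes that must always use https
 *                           (clean-URL and ?q= forms of the user pages).
 * @return string|null       Absolute https URL to redirect to, or NULL to stay.
 */
function mixed_mode_redirect_target(array $server, array $cookie, $https_host,
                                    $marker = 'LOGGED_IN',
                                    array $sensitive = array('/user', '/?q=user')) {
  $is_https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
  if ($is_https) {
    return NULL;                       // already encrypted, nothing to do
  }
  $path = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
  if (strlen($path) === 0 || $path[0] !== '/') {
    $path = '/' . $path;               // keep the redirect on our own host
  }
  foreach ($sensitive as $prefix) {
    if (strpos($path, $prefix) === 0) {
      return 'https://' . $https_host . $path;   // login, profile edit, ...
    }
  }
  if (isset($cookie[$marker])) {
    return 'https://' . $https_host . $path;     // logged-in session on http
  }
  return NULL;                         // anonymous visitor on a public page
}

if (PHP_SAPI !== 'cli') {
  // --- settings.php part (assumed placement: after Drupal's own ini_set() lines) ---
  // The redirect alone does not protect the session: without the Secure flag
  // the browser keeps attaching the session cookie to every http request it
  // makes to the site, which is exactly the plaintext leak to be avoided.
  ini_set('session.cookie_secure', 1);
  ini_set('session.cookie_httponly', 1);
  $target = mixed_mode_redirect_target($_SERVER, $_COOKIE, 'www.example.org');
  if ($target !== NULL) {
    header('Location: ' . $target, TRUE, 302);
    exit;
  }
}
else {
  // --- stand-alone check with constructed requests: php thisfile.php ---
  $cases = array(
    'anonymous, front page'    => array(array('REQUEST_URI' => '/'), array()),
    'anonymous, login form'    => array(array('REQUEST_URI' => '/user/login'), array()),
    'logged in, on http'       => array(array('REQUEST_URI' => '/node/5'), array('LOGGED_IN' => '1')),
    'logged in, already https' => array(array('REQUEST_URI' => '/node/5', 'HTTPS' => 'on'),
                                        array('LOGGED_IN' => '1')),
  );
  foreach ($cases as $label => $req) {
    $target = mixed_mode_redirect_target($req[0], $req[1], 'www.example.org');
    printf("%-26s -> %s\n", $label, $target === NULL ? 'stay on current scheme' : $target);
  }
}
```

Two points worth keeping in mind with this scheme. First, session.cookie_secure is what actually makes option 3 protect the session; the redirect only changes which scheme pages are served on. The cost is that visitors on plain http never send a session cookie back, so anonymous users keep no session state between requests. Second, the marker cookie carries no secret: a forged or stale LOGGED_IN cookie only costs the visitor a redirect to https, so it needs no integrity protection of its own.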
