Hi there,

I have done some research on how to improve upon the plaintext-over-the-wire authentication mechanism that is currently in place for our Drupal website. So far, it seems that three different schemes could work:

1. Using the 'securesite' module to implement HTTP digest authentication.
2. Using both the 'secure pages' and the 'secure pages hijack prevention' modules to switch the vulnerable pages (login, edit-profile, ...) over to https.
3. Using a small code fragment in settings.php to switch logged-in user sessions to https and keep anonymous access on http.

Unfortunately, all methods seem to have some drawbacks:

- According to a discussion on drupal.org, the securesite module does not yet allow specifying which pages it protects, so it seems that *all* pages would require authentication. We'd have to check, but if this really is the case, then method 1 is no solution, I guess. If we were able to require authentication just for restricted pages, the new method of authentication would require all users to change their password.
- Using 2 or 3 would introduce the usual 'SSL certificate not trusted' warning in the browsers and would increase the load on the server to some extent (3 more than 2). Additionally, using SSL could slightly reduce the effectiveness of using an IDS to inspect (and drop some of) the traffic directed at our sites. We could avoid the browser warning by actually getting our certificate signed by one of the browser-implanted certificate authorities, but that costs money, of course.

Any opinions or other ideas?

cheers,
Oliver

-----------------------------------------------------------------------
haiku-web@xxxxxxxxxxxxx - Haiku Web & Developer Support Discussion List
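As an added illustration of option 3 in the message above (example code, not from the original post or from any Drupal module): a settings.php fragment that leaves anonymous visitors on http but sends any request carrying a Drupal session cookie to https, and marks session cookies Secure so they are never sent in clear. It assumes Drupal 6/7, whose session cookie names begin with "SESS", and the placeholder hostname www.example.org.

```php
<?php
// Added example for sites/default/settings.php; not code from the post.
// Assumed: Drupal 6/7 session cookie names start with "SESS", and
// settings.php is included during bootstrap before the session starts.

$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Hard-code the host instead of echoing the Host header back into the
// Location header, so the redirect cannot be steered to another site.
$secure_host = 'www.example.org';  // placeholder, set to your site

// Inspect cookie names only; the cookie value is never trusted here.
$has_session_cookie = FALSE;
foreach (array_keys($_COOKIE) as $cookie_name) {
  if (strpos($cookie_name, 'SESS') === 0) {
    $has_session_cookie = TRUE;
    break;
  }
}

// Redirect only GET/HEAD: redirecting a POST would silently drop its body.
$is_safe_method = in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD'), TRUE);

if ($has_session_cookie && !$is_https && $is_safe_method) {
  // REQUEST_URI already carries path and query string.
  header('Location: https://' . $secure_host . $_SERVER['REQUEST_URI'], TRUE, 302);
  exit;
}

if ($is_https) {
  // The redirect alone does not stop the hijack that the 'secure pages
  // hijack prevention' module targets: a cookie issued without the Secure
  // flag has already crossed the wire in clear by the time this runs.
  // Issue session cookies over https with Secure (and HttpOnly) set, so
  // the browser never attaches them to a plain http request.
  ini_set('session.cookie_secure', '1');
  ini_set('session.cookie_httponly', '1');
}
```

Once the Secure flag is in place, a logged-in user who follows an http link sends no session cookie and is served as anonymous, so the redirect branch mainly catches cookies issued before the change; sessions created after it stay on https by construction.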