Drupal - Redirect /user/login to HTTPS, all other requests to HTTP

You don't really need /user/login to be served via https; you need the user login form to be submitted via https.

You should take a look at the module securepages_prevent_hijack -- not to use it directly, since it depends on securepages, but to see how the login form is altered. Like so:

function securepages_prevent_hijack_form_alter(&$form, &$form_state, $form_id) {
  // Secure the login form, so that we always have a secure connection to transmit the
  // initial cookie.  Also, protect the password in transit.
  if ($form['#id'] == 'user-login-form' || $form['#id'] == 'user-login') {
    $url = parse_url($form['#action']);

    $base_path = base_path();
    $path = (!strncmp($url['path'], $base_path, drupal_strlen($base_path)) ? drupal_substr($url['path'], drupal_strlen($base_path)) : $url['path']);
    $options = array('secure' => TRUE);
    if (isset($url['query'])) {
      $options['query'] = $url['query'];
    }
    $form['#action'] = securepages_url($path, $options);
  }
}

You should also figure out whether the cookie that Drupal is setting for you is secure or not. This will depend on your settings in php.ini. Check to see if you have set session.cookie_secure to 1. If you have, then the cookie will not be sent to your http sessions, which could be why you are ending up back at the home page (no session cookie == no session == no login info == log out). Of course, if the session.cookie_secure is 0, then it might be possible for other parties to observe your session cookies in transit, and masquerade as your users. Perhaps you have already considered this risk, but it does bear some consideration.
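
The session.cookie_secure check described in the answer above, as an added diagnostic example that is not part of the original answer and is not code from Drupal or securepages_prevent_hijack. The function names and the sample `$_SERVER` arrays are constructed for illustration.

```php
<?php
// Added diagnostic example; function names are hypothetical.
// Serve it from the same vhost as the site so it reads the same php.ini.
// An application can still override the value at runtime with ini_set().

/** TRUE when the request described by a $_SERVER-style array arrived over TLS. */
function request_is_https($server) {
  return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/** What happens to the session cookie on a follow-up request. */
function session_cookie_outcome($cookie_secure, $request_https) {
  if ($request_https) {
    return 'sent over TLS, session continues';
  }
  return $cookie_secure
    ? 'withheld by the browser: no session, user appears logged out'
    : 'sent in clear text: session id observable in transit';
}

// Effective cookie parameters PHP will use for the session cookie.
$params = session_get_cookie_params();
$secure = !empty($params['secure']);

printf("session.cookie_secure = %d\n", $secure);
printf("this request over https: %s\n", request_is_https($_SERVER) ? 'yes' : 'no');

// Outcome for the request that follows an HTTPS login, under the current setting.
foreach (array('https' => TRUE, 'http' => FALSE) as $scheme => $is_https) {
  printf("next request via %-5s -> %s\n", $scheme, session_cookie_outcome($secure, $is_https));
}

// Constructed $_SERVER samples to exercise the scheme check offline.
$samples = array(
  'HTTPS=on'    => array('HTTPS' => 'on'),
  'HTTPS=off'   => array('HTTPS' => 'off'),
  'HTTPS unset' => array(),
);
foreach ($samples as $label => $server) {
  printf("%-12s https=%s\n", $label, request_is_https($server) ? 'yes' : 'no');
}
```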


I think the Secure Login module will also do what you want without requiring you to hack the core.

Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text.


I think you can try Secure Pages again, as since then they've released the new stable version.

For Drupal 8, check: Secure Login module.

See also: Enabling HTTP Secure (HTTPS).
