Secure forms on secure pages are being redirected to unsecure.

Created on 22 July 2011, over 13 years ago
Updated 26 November 2024, 27 days ago

The securepages module has a hook_form_alter() hook to encrypt the login form, because it could appear on any page and not just a secure page.

However, it only seems to work for the user_login_block login form. On our site we built our own custom login form whose form_id is redirected to user_login_block via hook_forms(). In this case, I can get our form to submit to HTTPS the first time by simply setting $form['#https'] = TRUE. However, if the form is invalid (wrong username/password), the securepages module will reset it back to HTTP on the second submission.

function securepages_form_alter(&$form, &$form_state, $form_id) {
    // ..
    // When already in secure mode and submitting a login form to an arbitrary page, this will take it out of secure mode
    elseif ($page_match === 0 && securepages_is_secure() && variable_get('securepages_switch', FALSE)) {
      $url['https'] = FALSE;
      $url['absolute'] = TRUE;
      $form['#action'] = url($url['path'], $url);
    }
  }

  // If the user/login block matches, also secure the login block.
  if (securepages_match('user/login') && $form_id == 'user_login_block' && !securepages_is_secure()) {
    $form['#https'] = TRUE;
  }
}

It seems that an easy way to fix this would be to simply check for $form['#https'] and not take the form out of secure mode in this case. So, line 85 becomes:

    elseif (empty($form['#https']) && $page_match === 0 && securepages_is_secure() && variable_get('securepages_switch', FALSE)) {

On the other hand, submitting an unsecure form on a secure page throws a browser warning. Wouldn't it be better to always submit forms on secure pages in secure mode, and then redirect to insecure mode, if necessary, when the form is redirected after submission?

🐛 Bug report
Status: Closed: outdated
Version: 1.0
Component: Code
Created by: 🇺🇸 United States amarcus


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇦 Ukraine AstonVictor

    I'm closing it because the issue was created a long time ago without any further steps.

    If you still need it then raise a new one.
    Thanks.
