When you visit a site via HTTPS the URL looks like this: https://drupal.org/user/login. When you visit a site via plain (unencrypted) HTTP, it looks like this: http://drupal.org/user/login.
Why is it important to you (and when)
HTTPS is typically used in situations where a user would send sensitive information to a website and interception of that information would be a problem. Commonly this means:
- Credit cards
- Passwords and usernames
- Identifiable information (Social Security number, state ID numbers, etc.)
- Confidential content
HTTPS also prevents eavesdroppers from obtaining your authenticated session key, which is a cookie sent from your browser with each request to the site, and using it to impersonate you. For example, an attacker may gain administrative access to the site if you are a site administrator accessing the site via HTTP rather than HTTPS. This is known as session hijacking.
How to enable HTTPS support in Drupal
Web server configuration
- Get a certificate. Many hosting providers set these up for you, either automatically or for a fee. Simply ask your hosting provider.
- Configure your web server to serve the site over HTTPS (for Apache, follow its SSL/TLS configuration instructions). Chances are your web host will do this for you if you are on shared hosting.
Drupal configuration
- If you want to support mixed-mode HTTPS and HTTP sessions (i.e. when you log in on the HTTPS site, an additional insecure session cookie will be created allowing you to also be logged in on the HTTP site), open up sites/default/settings.php and add
$conf['https'] = TRUE;
Note that this configuration is less secure because the insecure session key will be passed across the network unencrypted, allowing authenticated sessions to be sidejacked. You will need to use contributed modules to prevent hijacked insecure sessions from submitting forms, viewing private data, impersonating users, etc.
A hijacked insecure session can only be used by attackers (or penetration testers) to gain authenticated access to the HTTP site. It will not be valid on the HTTPS site.
- For better security, leave $conf['https'] at the default value (FALSE) and set up your site to use HTTPS for all authenticated sessions and HTTP for anonymous sessions. Regardless of the $conf['https'] setting, Drupal 7 automatically enables the session.cookie_secure PHP configuration on HTTPS sites, which causes SSL-only secure session cookies to be issued to the browser.
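The following settings.php fragment is an added example and not part of the original page or of Drupal itself. It shows the weak mixed-mode setting next to the recommended one, and forces every request onto HTTPS so that a browser never receives a session cookie over plain HTTP. It assumes a Drupal 7 site served directly by the web server (no TLS-terminating proxy) and uses the placeholder hostname example.com.

```php
<?php
// sites/default/settings.php (Drupal 7) -- added example, not the page's text.

// WEAK: mixed-mode sessions. After an HTTPS login Drupal also issues an
// insecure session cookie for the HTTP site, which can be sidejacked.
// $conf['https'] = TRUE;

// RECOMMENDED: keep the default. One session cookie, issued only over HTTPS;
// Drupal 7 sets session.cookie_secure itself when the request is HTTPS.
$conf['https'] = FALSE;

// Canonical HTTPS host for redirects. A fixed value is used on purpose
// instead of $_SERVER['HTTP_HOST'] so the redirect target cannot be steered
// by the Host header. Placeholder value -- replace with the real hostname.
$https_host = 'example.com';

// settings.php is included during the configuration bootstrap phase, before
// the session layer starts, so redirecting here means a plain-HTTP request
// is sent away before any cookie could be set for it.
$is_https = (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
  || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);

if (!$is_https && PHP_SAPI !== 'cli') {
  // Preserve the requested path and query string, but only the path part:
  // the scheme and host come from the fixed value above.
  $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
  header('HTTP/1.1 301 Moved Permanently');
  header('Location: https://' . $https_host . $uri);
  exit;
}

// With every request on HTTPS, pin the base URL to the https scheme so that
// links Drupal generates never fall back to http://.
$base_url = 'https://' . $https_host;
```

Verify the result from a browser's cookie inspector or the Set-Cookie response header: the SESS* cookie should carry the Secure flag, and a request to http://example.com/user/login should answer with a 301 to the https:// URL rather than a login page. Behind a TLS-terminating proxy or load balancer the $is_https test above would need to consult the header the proxy forwards instead (an assumption, not covered by this page).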