Yesterday over lunch I discussed securing the login process of my Drupal installation with Hans, and he reminded me that a session cookie issued over HTTPS should never be transmitted over a plain HTTP connection. If it is, anyone who can observe the unencrypted traffic can read the cookie and hijack the session. To make the session cookie secure, the browser must only send it when the connection is over HTTPS, which means the cookie needs the Secure flag (the "Encrypted Sessions Only" bit shown in the browser's cookie viewer). Drupal currently offers no standard way to set this flag, so it has to be done manually. Mike Perry explains on his blog how he did it. I made the following change to settings.php:
// $_SERVER['HTTPS'] is unset on plain HTTP requests and, under IIS, is the
// string 'off', so test both rather than relying on a bare truthiness check.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
  // Mark the session cookie as Secure: the browser only sends it over HTTPS.
  ini_set('session.cookie_secure', 1);
}
Drupal now issues two session cookies: one with the Secure flag as soon as the site is opened over HTTPS, and the regular one as soon as it is opened over HTTP. Because the browser never attaches the Secure cookie to an HTTP request, such a request arrives without it and Drupal starts a separate session for it.
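To check that the change actually took effect, here is an added Python example (not part of the original post and not Drupal code) that parses a Set-Cookie header such as the login page returns, reports whether the session cookie carries the Secure flag, and models the browser rule the whole setup relies on: a Secure cookie is attached only to HTTPS requests. The two header lines are constructed for the example, and the cookie name SESS0f3a7c is made up; real Drupal session cookies are named SESS followed by a hash.

```python
"""Audit a Set-Cookie header for the Secure flag and model browser behaviour.

Added example, not from the original post. The headers below are constructed
sample data, not captured from a real site.
"""

SESSION_PREFIX = "SESS"  # Drupal names its session cookie SESS<hash>

# Constructed: what Drupal sends by default, and after session.cookie_secure=1.
DEFAULT_COOKIE = ("Set-Cookie: SESS0f3a7c=9b1d2e; "
                  "expires=Fri, 18-Jul-2008 12:00:00 GMT; path=/; domain=.example.org")
SECURE_COOKIE = ("Set-Cookie: SESS0f3a7c=9b1d2e; "
                 "expires=Fri, 18-Jul-2008 12:00:00 GMT; path=/; domain=.example.org; secure")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lowercased; flags without a value (e.g. 'secure')
    are stored as True. Splitting on ';' keeps the commas inside 'expires'.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit(header):
    """Return a list of problems with a session cookie (empty if it is fine)."""
    name, _, attrs = parse_set_cookie(header)
    if not name.startswith(SESSION_PREFIX):
        return []  # not a session cookie, nothing to check
    problems = []
    if not attrs.get("secure"):
        problems.append("missing Secure: cookie will be sent over plain HTTP")
    return problems


def browser_would_send(header, scheme):
    """Model the browser rule: a Secure cookie goes only over https."""
    _, _, attrs = parse_set_cookie(header)
    return scheme == "https" or not attrs.get("secure")


if __name__ == "__main__":
    for label, hdr in (("default", DEFAULT_COOKIE), ("cookie_secure=1", SECURE_COOKIE)):
        print("%s: %s" % (label, audit(hdr) or "ok"))
        for scheme in ("http", "https"):
            print("  sent over %s: %s" % (scheme, browser_would_send(hdr, scheme)))
```

Against the real site, paste the Set-Cookie line from the HTTPS response headers (for example from `curl -sI https://your-site/user`) into `audit()`; the default cookie must be reported as missing Secure and the HTTPS one as ok, and `browser_would_send(..., "http")` must be False for the latter.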
All administration is now done over HTTPS (see: securing the login process of my Drupal installation in conjunction with the new base_url). When the user switches back to HTTP he is no longer logged in (switching back to HTTPS he is logged in again, unless he logged out before). The new base_url prevents Drupal from switching automatically to HTTP.
Drupal.org documents a similar way to achieve this. Step 4 there is not necessary in my case, because the VirtualHost configuration already enforces SSLRequireSSL for all paths, including /user.