// $Id: README.txt,v 1.4.2.4 2010/10/30 01:53:15 mfb Exp $

SECURE LOGIN MODULE README
--------------------------

Secure Login module enables secure logins by submitting the login form 
to a secure host address.  The module can also do the same for the user 
edit, user registration, and other forms, so that passwords and other 
data are never sent in cleartext.

A secure login to Drupal 7 by default generates an HTTPS-only secure 
session[1], so the session cookie is also never sent in cleartext.  
Note, however, that if you have enabled Drupal's hidden $conf['https'] 
setting (mixed-mode sessions), Drupal issues an additional insecure 
session cookie that is sent over plain HTTP as well, which makes user 
sessions vulnerable to session hijacking attacks[2].

INSTALLATION
------------

See INSTALL.txt for instructions on how to install the module.

Before enabling the module, you need to set up your server to support 
SSL.  The result should be that if your Drupal site lives at 
http://host.domain/dir/, it is also accessible at 
https://otherhost.domain/otherdir/ (the secure base URL, which defaults 
to https://host.domain/dir/).  If the secure host differs from the 
regular host, you must make sure that cookies set by otherhost.domain 
will also be sent to host.domain.  You can change the cookie domain 
with the $cookie_domain setting in settings.php.
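The following settings.php fragment is an added illustration of the 
two-host setup described above; it is not shipped with the Secure Login 
module.  The hostnames are placeholders, and the secure base URL is 
assumed to be configured in the module settings rather than here.

```php
<?php
// settings.php fragment (added example, not part of Secure Login).
// Assumed scenario: the site is served at http://www.example.com/ and the
// secure base URL is https://secure.example.com/ (placeholder hostnames).

// Scope cookies to the parent domain (leading dot required by Drupal 7) so
// that a cookie set by a response from secure.example.com is also sent to
// www.example.com.
$cookie_domain = '.example.com';

// Leave Drupal's mixed-mode sessions disabled (the default). Enabling the
// line below would make Drupal issue an extra insecure session cookie that
// travels over plain HTTP, re-exposing authenticated sessions to hijacking.
// $conf['https'] = TRUE;
```

With $cookie_domain set this way Drupal also derives the session cookie 
name from the domain, so existing sessions are invalidated once when the 
setting is introduced; change it during a maintenance window.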

CONFIGURATION
-------------

You can choose which of six forms (login, login block, user edit, user 
registration, node, and comment) are secured by this module in the 
module settings.  There is usually no reason not to secure at least 
both of the user login forms, since they carry the user's password.

UPGRADING FROM DRUPAL 6
-----------------------

Your Secure Login settings should be correctly migrated from Drupal 6 to 
Drupal 7.  Note, however, that the Drupal 7 version of Secure Login does 
not currently support redirecting a secure authenticated session back to 
the HTTP site.  Doing so would require creating an insecure session, 
which would be vulnerable to session hijacking and is thus not a secure 
configuration.

KNOWN ISSUES
------------

For multilingual sites, Secure Login is not compatible with domain 
language detection, but should work with path prefix language codes.

APIS FOR DEVELOPERS
-------------------

This module provides two API functions for developers:
- securelogin_secure_form($form) may be added to a hook_form_alter 
  implementation to cause a form to submit to the secure URL.
- securelogin_secure_redirect() may be called to redirect the current 
  request to the equivalent path on the secure base URL.

In addition, developers may set $form['#https'] = TRUE to indicate that 
a form should be secured by Secure Login module, and $options['https'] = 
TRUE to indicate that an HTTPS URL should be generated by the url() 
function, as well as by other functions that use url() internally such 
as drupal_goto().
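The following companion module is an added example of how a developer 
might use the API above; it is not code from the Secure Login project.  
The module name (mymodule), the form IDs and the menu path in it are 
invented for illustration.  securelogin_secure_form() is called as a 
by-reference helper, as the hook_form_alter usage above implies.

```php
<?php
/**
 * @file
 * mymodule.module: hypothetical companion module using the Secure Login
 * developer API (added example, not part of Secure Login). mymodule.info is
 * assumed to declare "dependencies[] = securelogin" so the API functions
 * exist when these hooks run.
 */

/**
 * Implements hook_form_alter().
 *
 * Forces forms that carry a password or other sensitive data to submit to
 * the secure base URL. Both form IDs are invented for this example.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  switch ($form_id) {
    case 'mymodule_change_email_form':
      // Option 1: ask Secure Login to rewrite the form action directly.
      securelogin_secure_form($form);
      break;

    case 'mymodule_feedback_form':
      // Option 2: only flag the form; Secure Login honours #https itself.
      $form['#https'] = TRUE;
      break;
  }
}

/**
 * Implements hook_init().
 *
 * Redirects the (hypothetical) path mymodule/sensitive to the secure base
 * URL whenever it is requested over plain HTTP.
 */
function mymodule_init() {
  global $is_https;
  // The $is_https guard avoids a redirect loop once we are already on HTTPS.
  if (!$is_https && arg(0) == 'mymodule' && arg(1) == 'sensitive') {
    securelogin_secure_redirect();
  }
}

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['mymodule/sensitive'] = array(
    'title' => 'Sensitive page',
    'page callback' => 'mymodule_sensitive_page',
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Page callback: builds a link that always points at the HTTPS base URL.
 */
function mymodule_sensitive_page() {
  // url() honours $options['https']; l() passes its options through url().
  $login_url = url('user/login', array('https' => TRUE, 'absolute' => TRUE));
  return array(
    '#markup' => t('Please <a href="@url">log in over HTTPS</a>.',
      array('@url' => $login_url)),
  );
}

/**
 * Submit handler for the hypothetical mymodule_change_email_form.
 *
 * Shows the same option on drupal_goto(), which builds its Location header
 * through url() and therefore also honours $options['https'].
 */
function mymodule_change_email_form_submit($form, &$form_state) {
  drupal_goto('user', array('https' => TRUE));
}
```

Option 2 (the #https flag) is the less intrusive choice for forms defined 
by other modules, because it leaves the rewriting of #action to Secure 
Login and so stays correct if the secure base URL is changed later in the 
module settings.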

[1] http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-secure
[2] http://en.wikipedia.org/wiki/Session_hijacking
