Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This project is not covered by Drupal’s security advisory policy.
The 443 Session module makes using HTTPS on your site simple. It is most useful for doing mixed HTTPS where some pages are sent via HTTP, and others via HTTPS. It can be used to protect credit card transactions or to protect against session hijacking (via tools such as Firesheep).
It also provides an API for designating if a page should be transmitted via HTTP or HTTPS.
How is this different from...
Setting up rewrite rules in .htaccess
While in theory it is possible to do this, it turns out to be very complicated once you consider things like login forms, canonical URLs, and AJAX. Nor is this method very robust - if $base_path changes, or if a login-block is added to a new page suddenly your site is no longer secure without any indication or warning.
Secure Pages module
In Drupal 6 Secure Pages module can only redirect users based on the URL path. This means that it cannot protect against session hijacking. You can use Secure Pages to protect URLs such as user* and admin* however this only gives the impression of security - it does little to keep data on these pages actually secure since any man-in-the-middle will have your PHP session cookie. Secure Pages is also not compatible with internationalization (i18n).
Secure Login module
Secure Login module cannot redirect authenticated users back to HTTPS if they accidentally visit a page via HTTP. Nor can it enforce a canonical URL for anonymous users. Nor can it be used to protect additional paths (such as a shopping cart). Secure Login only has partial support for internationalization (i18n).
443 Session module combines the best parts from both of the above modules.
Status for Drupal 7
Drupal 7 core uses different session cookies for HTTP/HTTPS (which share the same session in Drupal). This eliminates the most serious risks of session hijacking. Secure Pages D7 module also offers the ability to enforce authenticated users to use only HTTPS. However it is currently somewhat buggy. But fixing those bugs will be less effort than porting 443 Session to D7 (and reduce module duplication). Therefore 443 Session will not be ported to D7.
Limitations
Since 443 Session module uses separate session cookies for HTTP/HTTPS this means that when a user navigates from an HTTP page to an HTTPS page any session data will appear to be lost. This makes this module unsuitable for running an e-commerce site where most pages are HTTP except for the checkout which is HTTPS. In this case the user's cart contents would appear to be lost when they go to checkout. For this scenario please see the Mixed Session module.
More information about HTTPS
See
Enabling HTTP Secure (HTTPS)
Developed by
Dave Hansen-Lange
Advomatic LLC
http://advomatic.com
Kevin Mathis
http://www.laudr.com
Supporting organizations:
Development
Project information
Seeking new maintainer
The current maintainers are looking for new people to take ownership.
No further development
No longer developed by its maintainers.- Module categories: Security
21 sites report using this module- Created by sikjoy on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
