Hi, you could try the Secure Login module. Disable the Secure Login setting that redirects https logins back to http. In Apache, configure the https vhost to enable the PHP session.cookie_secure setting. Now all logins will be via https and the authenticated session cookie will only be sent from/to the https site (anonymous sessions on http will still be possible as long as you only enable session.cookie_secure on the https site).
--mark B.

On Jan 9, 2011 12:37 AM, "Austin Einter" <austin.ein...@gmail.com> wrote:
> Hi All
> I just made a site using Drupal6.2 and on the front page I have kept the "user login" block. I hosted this site using some third party web server.
>
> I tried to log in to the new site from my PC using my user name and password, and prior to that I was capturing the packets that were being sent/received by my PC.
> By checking a few packets' content I could figure out the user name and password in plain text.
>
> So it looks like others can see these packets and get the administrative user name and corresponding password and hence can modify site content, and it is really dangerous.
> I assume people must have thought of it and there should be some way to make sure username and password should be encrypted by default, hence avoiding third party role in site content modification.
>
> Please guide in this regard and provide some pointers on how I can make username/password secure while logging in to sites based on Drupal.
>
> Regards
> Austin
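
The vhost split described in the reply, as an added example that is not part of the original thread: `session.cookie_secure` is turned on only in the https vhost, so the http vhost keeps serving anonymous sessions. The host name, document root and certificate paths are placeholders, and the config assumes PHP runs as an Apache module (mod_php), which is what makes `php_flag` usable inside a vhost.

```apache
# Added example; example.org, the paths and the certificate files are placeholders.
# Assumes mod_php and mod_ssl are loaded.

# Plain-HTTP vhost: session.cookie_secure stays at its default (off),
# so anonymous visitors can still get a session cookie over http.
<VirtualHost *:80>
    ServerName example.org
    DocumentRoot /var/www/drupal
</VirtualHost>

# HTTPS vhost: every session cookie issued here carries the Secure
# attribute, so the browser will not send the authenticated session
# cookie over an unencrypted http connection.
<VirtualHost *:443>
    ServerName example.org
    DocumentRoot /var/www/drupal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    # Applies only to requests served by this vhost.
    php_flag session.cookie_secure on
</VirtualHost>
```

After reloading Apache, the `Set-Cookie` response header for the session cookie on the https site should include the `secure` attribute, while the one issued by the http site should not.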