SECURE LOGIN MODULE
-------------------

Secure Login module enables secure logins by submitting the login form
to a secure host address.  The module can also do the same for the user
edit, user registration, and other forms, so that passwords and other
data are never sent in cleartext.

A secure login to Drupal 7 by default generates an HTTPS-only secure
session[1], which also prevents session cookies from being sent in
cleartext.  Note, however, that if you have enabled Drupal's hidden
$conf['https'] setting, sessions are shared across HTTP and HTTPS, which
makes user sessions vulnerable to session hijacking attacks[2].  Secure
Login module is therefore designed for sites that have left
$conf['https'] at its default value, FALSE.

INSTALLATION
------------

See INSTALL.txt for instructions on how to install and uninstall the module.

Before enabling the module, you need to set up your server to support
SSL.  The result should be that if your Drupal site lives at
http://host.domain/dir/, it should also be accessible at
https://otherhost.domain/otherdir/ (the secure base URL, which defaults
to https://host.domain/dir/).  If you use a different URL for the secure
site, you must make sure that cookies coming from host.domain can be
sent to otherhost.domain.  You can change the cookie domain in
settings.php.

CONFIGURATION
-------------

At admin/config/people/securelogin you can set which forms (login, login
block, user edit, user registration, node, comment, contact, webform,
etc.) are secured by this module.  By securing all forms in the
"required" group on the settings page, you can ensure that logins are in
fact "secure": all authenticated sessions will use SSL-only secure
session cookies which are immune to session hijacking by eavesdroppers.

UPGRADING FROM DRUPAL 6
-----------------------

Your Secure Login settings should be correctly migrated from Drupal 6 to
Drupal 7.  Note, however, that the Drupal 7 version of Secure Login does
not currently support redirecting a secure authenticated session back to
the HTTP site.  Doing so would require creating an insecure session,
which would be vulnerable to session hijacking and is thus not a secure
configuration.

KNOWN ISSUES
------------

For multilingual sites, Secure Login is not compatible with domain
language detection, but should work with path prefix language codes.

DEVELOPER API
-------------

This module provides two API functions for developers:
- securelogin_secure_form($form) may be added to a hook_form_alter
  implementation to cause a form to submit to the secure URL.
- securelogin_secure_redirect() may be called to redirect the current
  request to the equivalent path on the secure base URL.

In addition, developers may use $form['#https'] = TRUE to indicate that
a form should be secured by Secure Login module, and $options['https'] =
TRUE to indicate that an HTTPS URL should be generated by the url()
function, as well as other functions that use url() internally such as
drupal_goto().
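
The following is an added example, not part of Secure Login's own code,
showing how a custom module might use the API described above.  The
module name mymodule, the form IDs, and the page callback are
hypothetical.

```php
<?php
/**
 * @file
 * mymodule.module: hypothetical custom module (constructed example).
 */

/**
 * Implements hook_form_alter().
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  global $is_https;
  // Hypothetical form IDs that collect sensitive data.
  $sensitive = array('mymodule_payment_form', 'mymodule_api_key_form');
  if (!in_array($form_id, $sensitive, TRUE)) {
    return;
  }
  if (module_exists('securelogin')) {
    // Make the form submit to the secure base URL.
    securelogin_secure_form($form);
  }
  elseif (!$is_https) {
    // Secure Login is disabled and the request is cleartext: hide the form
    // rather than accept sensitive data over HTTP.
    $form['#access'] = FALSE;
  }
}

/**
 * Page callback for a hypothetical path registered in hook_menu().
 */
function mymodule_billing_page() {
  global $is_https;
  if (!$is_https && module_exists('securelogin')) {
    // Redirect this request to the same path on the secure base URL.
    securelogin_secure_redirect();
  }
  return drupal_get_form('mymodule_payment_form');
}

/**
 * Builds a login link that points at the HTTPS site.
 */
function mymodule_login_link() {
  // l() calls url() internally, so the 'https' option applies here too.
  return l(t('Log in'), 'user/login', array('https' => TRUE));
}
```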

[1] http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-secure
[2] http://en.wikipedia.org/wiki/Session_hijacking
