Drupal is a registered trademark of Dries Buytaert
drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)! drupal 11.3.6 Update released for Drupal core (11.3.6)! drupal 10.6.6 Update released for Drupal core (10.6.6)! cms 2.1.0 Update released for Drupal core (2.1.0)! bootstrap 8.x-3.40 Minor update available for theme bootstrap (8.x-3.40). menu_link_attributes 8.x-1.7 Minor update available for module menu_link_attributes (8.x-1.7). eca 3.1.1 Minor update available for module eca (3.1.1). layout_paragraphs 2.1.3 Minor update available for module layout_paragraphs (2.1.3). ai 1.3.3 Minor update available for module ai (1.3.3). ai 1.2.14 Minor update available for module ai (1.2.14). node_revision_delete 2.0.3 Minor update available for module node_revision_delete (2.0.3). moderated_content_bulk_publish 2.0.52 Minor update available for module moderated_content_bulk_publish (2.0.52). klaro 3.0.10 Minor update available for module klaro (3.0.10). klaro 3.0.9 Minor update available for module klaro (3.0.9). layout_paragraphs 2.1.2 Minor update available for module layout_paragraphs (2.1.2). geofield_map 11.1.8 Minor update available for module geofield_map (11.1.8).
← All modules

securelogin

5,015 sites Security covered
View on drupal.org

For sites that are available via both HTTP and HTTPS, Secure Login ensures that the user login and other forms are submitted securely via HTTPS, thus preventing passwords, authenticated session cookies, and other private user data from being transmitted in the clear.

Secure Login locks down not just the user/login page but also any page containing the user login block, and any other forms that you configure to be secured.

Secure Login enforces secure authenticated session cookies, thus preventing session hijacking by eavesdroppers.

Note that in current versions of Drupal, unlike Drupal 7, anonymous insecure session data is not migrated to an authenticated secure session upon login; instead, an empty secure session is created.

Drupal 7

Secure Login is intended for sites that want to offer anonymous sessions via HTTP or HTTPS and authenticated sessions only via HTTPS. Anonymous insecure sessions are migrated to authenticated secure sessions upon login, with all session data intact. Secure Login is designed to work with Drupal 7's $conf['https'] setting at its default value, FALSE.

If you were to change $conf['https'] to TRUE, you would enable mixed-mode (HTTPS and HTTP) authenticated sessions: both secure and insecure session cookies are set when a user logs in to the HTTPS site. Other contributed modules, such as Secure Pages, may assist you with implementing mixed-mode authenticated sessions.

Drupal 6

Prior to Drupal 7, PHP's session.cookie_secure flag must be enabled on the HTTPS site to enforce secure authenticated session cookies.

Pro tip: HSTS

To help protect against SSL stripping attacks, add the Strict-Transport-Security header in your webserver or Security Kit module configuration, and add your domain to the browser HSTS preload list.

Credits

Secure Login is developed and maintained by mfb, along with other contributors from the community. You can support development by sponsoring or contributing. 🔐👷

Activity

Total releases
10
First release
Aug 2025
Latest release
7 months ago
Release cadence
2 days
Stability
90% stable

Release Timeline

Releases

Version Type Release date
2.0.3 Stable Sep 9, 2025
8.x-1.21 Stable Sep 9, 2025
2.0.2 Stable Sep 9, 2025
8.x-1.20 Stable Sep 9, 2025
2.0.1 Stable Sep 8, 2025
8.x-1.19 Stable Sep 8, 2025
2.0.0 Stable Sep 8, 2025
2.x-dev Dev Sep 8, 2025
8.x-1.18 Stable Aug 23, 2025
7.x-1.11 Stable Aug 23, 2025