Best Drupal Recipe? SSL and Non-SSL for Anonymous Users


Photo By loop_oh

Two of our largest sites have run on Drupal since 2007. That was Drupal 4.7 for those who knew Drupal in those days. :) From day one, these sites allowed for online donations from anonymous users. Since we started on Drupal 4.7, LOTS of custom code was written. On Drupal 5 we began using the Secure Pages module to help with switching between HTTPS and HTTP for various URL paths and such. This wasn’t without its share of bugs, much of which has been fixed. Today we are on Drupal 6 but we’ve also grown up. Our hosting is now across multiple servers, dedicated DB server, memcache, etc… These performance and scalability changes have seemed to highlight some additional challenges with Secure Pages.

This is not a bash on the Secure Pages module; however, it has caused me to think about architecture and strategy. See, these sites are not the typical “Here’s our non-profit and here is a form you can give a donation through.” Instead we have 50+ different giving forms for different programs, partnerships and experiences, with more being created weekly, it seems. Forcing a user to create an online account in order to donate is not an option. We have recently implemented integration between SalesForce.com and these Drupal sites. This integration with the CRM solution means that in short order, users on these Drupal sites will be able to see information about their partnership, contributions, pledges, update their contact information, make more decisions about how they interact and partner with this organization and more. Anticipated traffic spikes are going to require us to add Pressflow and Varnish to our configuration in the near future.

All this to say that there is a definite need to secure a number of pieces of these sites, but the majority of content is still really anonymous user content. So here is my question to the community of medium to large sites on Drupal that have the need for mixed HTTPS/HTTP traffic:

What’s the best recipe in Drupal 6 & 7 for ensuring certain, but not all pages, including login, user and other content types or paths, are delivered via HTTPS while the rest of the site is HTTP?

Actually wondering if a better approach is to have anything needing SSL to be delivered from a subdomain (secure.mydomain.com) that points to the same Drupal instance.

Curious how others deal with this for client projects. What’s your experience been?

 


About Tom

Christ follower, husband, father, technology and photography enthusiast. Attempting to live life out as a light in this world and stumbling at times in this fallen world. Got a topic you want to have me look into? Did I miss something in a post? Let me know. Just add a comment below.