Drupal Planet

Mixed sessions refers to providing, with respect to a user visiting a site, some content over an insecure (HTTP) connection and other content over a secure (HTTPS) connection. A quick online search reveals the widespread problem of supporting mixed sessions. For example, simply redirecting to a secure connection does not eliminate the possibility of session hijacking. To avoid the issues, some sites have gone to all HTTPS sessions (e.g. github). Others have implemented a mixed environment with varying degrees of success. In the Drupal world, Drupal 7 does a better job of addressing these concerns than earlier versions. If you have a Drupal 6 site that wants to implement mixed sessions, what are your options?

Client situation

I have a Drupal 6 client situation involving an online shop that allows you to buy products without having to register for an account. The usage preferences are for:

• visitors to shop (i.e. browse products and add products to the cart) in insecure mode
• visitors to switch to secure mode for checkout
• site administrators to access the backend in secure mode

To complicate matters, the client:

• sponsors three commerce sites with shared product content (using the domain module)
• provides shopping cart features on two of the three sites

From a technical standpoint, we want to:

• retain session data when switching between security modes (i.e. between HTTP and HTTPS connections)
• avoid session hijacking

Possible solutions

Several modules are available for Drupal 6 that make it easy to switch between security modes. These include:

• securepages (and prevent_hijack)
• session443
• uc_ssl

These modules provide various configuration settings to indicate which pages to serve up over HTTP or HTTPS. When a request comes in using HTTPS, Drupal core creates a second session record for the user in the "sessions" table of the database. This second session knows nothing about the first session. For example, if there is "data" associated with the first session, this is unknown to the secure session.

The first two modules attempt to address the problem of session hijacking (by creating another cookie), while the third does not. However, during the switch from insecure to secure mode, none of these modules (in conjunction with Drupal core) preserves the session data. Thus, the visitors to your site can add products to their cart over HTTP sessions, but their cart information is lost when they go to checkout using the new HTTPS session. They are greeted with a message like "There are no products in your shopping cart." For this use case, none of these modules (in conjunction with Drupal core) provides a solution.

Drupal 7 and 8 approach

In Drupal 7, the dual session situation is handled with two session IDs on a single record in the sessions table, one ID each for the insecure and secure sessions. Inherent to this design, the session data is automatically shared between the sessions. The cookie for the secure ID is only transmitted over a secure connection. To further address the problem of session hijacking, the session IDs are regenerated when the visitor switches to secure mode (referred to as a "step up").

However, even the Drupal 7 and 8 implementation has some flaws such as:

• after a user switches several times between HTTP and HTTPS, they end with "multiple" entries in the sessions table
• does not address security concerns with a step down from HTTPS to HTTP

These concerns are discussed in these issues:

• 1131986
• 1050746

A Drupal 6 solution

Out of all this, I created the Mixed Session module for Drupal 6 that:

• (AFAIK) securely implements mixed sessions
• regenerates session IDs on step up and step down
• preserves session data between session modes
• provides configurable rules for redirecting page requests to secure or insecure mode

This module:

• includes a core patch to back-port the Drupal 7 dual session ID approach
• incorporates concepts mentioned in the issues referenced above
• transmits the secure ID only when in secure mode
• regenerates the insecure session ID when switching to of from secure mode
• implements four types of redirect rules to enter and exit secure mode

Redirect rules are available for:

• overall: never redirect, always redirect, or redirect based on rules below
• content: if the page includes a particular form (e.g. a login block)
• path: the request URL
• user state: anonymous or authenticated

The module also declares two API hooks through which a developer can incorporate more complex redirect rules.

With this module you can easily handle the client situation mentioned at the outset. You can also handle other configurations, such as:

• redirecting site administrators to view all site content in secure mode using HTTPS connections
• redirecting authenticated shoppers to secure mode when viewing their account pages.

Scope: Planet DrupalTags: httpssessionsecurityssl

We spent a few hours trying to figure out how to use Color to make our custom Drupal 6 theme configurable. Color rewrites your CSS to include the user-configured colours, and adds the resulting stylesheet link to your header.

The first trick was to get the colour picker to show up on the theme settings page. The documentation wasn’t clear, but the easiest way to get started seems to be to copy the color/ directory from the Garland theme into a subdirectory of your theme, and then customize it from there. You will also need to follow the Drupal 6 or Drupal 7-specific instructions for calling the Colour module when preprocessing pages.

Color searches your style.css (and imported stylesheets or other stylesheets defined by the ‘css’ part of your $info array) for colour definitions. Any colour that exactly matches one of the colours defined in the default scheme is replaced by the colour in the selected scheme, with the caveat that the base colour should not appear in the stylesheet. If the base colour is found in the stylesheet, it will be replaced by an empty string. In your stylesheet, make sure your base colour uses the shortened version (ex: replace #cccccc with #ccc) or use a very similar colour instead (ex: #cbcbcb).

So, the easy way to colourize your theme:

1. Enable Color, if you haven’t yet.
2. Copy the color directory from the Garland theme into your theme

Color will attempt to figure out unspecified colours based on those colours’ relationship with the base colour. This can lead to interesting combinations. If there are colours you do not want Color to change, put them in a section after a comment like this:

/******************************************************************* * Color Module: Don't touch * *******************************************************************/

All colours specified after that comment will not be rewritten.

Some gotchas to watch out for:

• It’s probably a good idea to add a comment to your style.css reminding developers to resubmit the colour settings after making changes to the stylesheet. Color rewrites the stylesheet, so changes aren’t picked up until the stylesheet is regenerated.
• The Color preview appears to use hardcoded HTML. The gradient is created by color.js, and there doesn’t seem to be a way around it. Our workaround is to use CSS to hide both the preview and the header above it. Unfortunately, there is no div that encloses both the header and the preview.

Read the original or check out the comments on: Drupal 6: Adding color support to your theme (Sacha Chua's blog)

ELMS Alpha 6 was released yesterday and in keeping with our releases I wanted to do a recap of developments with the project and why it's important for the Drupal community at large. Download ELMS btopro drupal.org profile

read more

Following this great article from Howard Tyson @Zivtech, I felt I must demonstrate how easy it would be to build the exact same responsive grid with Sasson.

What we're doing is configuring a responsive layout based on 960 grid system using Sass, that means that instead of applying the grid classes to our markup, we're applying them to our element IDs thus keeping a clean and semantic markup and separating content from style.

Now, enough with the geek talk and let's see how simple that is. Basically all you need to do is to set the desired values in this form:

And if you want to set different break points you may configure them on this tab:

So with this minimal effort we have set a grid based layout which is responsive and will adapt to the device it is viewed on.
As a matter of fact, even this little effort is optional. in case the default values that ship with Sasson suites your needs, all you have to do is download and enable it, done.
So why use a base theme ? because it does all this for you, because you don't want to do this again and again every time you start a project, because it keeps you up-to-date with latest technologies and sometimes it can even teach you a thing or two.
Happy sub-theming :)

Hello Business Leaders!

we plan the Drupal Business Days in Vienna to become a very powerful event that allows you to get your Drupal business further!

On May 3th - 5th we will have three days of business discussions, keynotes, products, startups, pitches, fun and more fun!

Register at: www.drupalbusiness.org - We have several actions for you that give you the perfect possibility to get involved...

• Sessions - Tell us your idea, whom you want to see, or propose your presentation!
• Sponsors - Do you want to position your company as a business leader? Or you know someone who should do so?
• Media Partners - you want to be a media partner, write about or advertise the Drupal Business Days and get some attention in return?
• Drupal Business Associate - You want to be part of the organizational team and help make this event big?

If one of these points concerns you - get in touch with us via the contact form or at office { a } drupalbusiness.org !

More Info here: www.drupalbusiness.org

Drupalcamps Europe [international & english]

I know it's late, but here's what happened in January.

The Modules Unraveled Podcast is going strong!

Most of my January was consumed with starting a new podcast. Check it out on my website or subscribe in iTunes, and let me know what you think.
So far, I've talked with:

• Lin Clark about the Microdata module
• Jeff Linwood about building native iPhone and Android apps with Drupal. *See below about a FREE webinar with Jeff about PhoneGap.
• Jess about core office hours
• Mike Carper about front-end performance modules.
• Mike Carper about back-end performance modules.
• Khalid Baheyeldin about his consulting on Drupal performance.
• Khalid Baheyeldin about the User Points module.

Upcoming episodes will include:

• Tim Plunkett talking about the FullCalendar module.
• Larry Garfield about WSCCI
• Sascha Grossenbacher about the future of the User Points module
• And more...

FREE Live Webinar with Jeff Linwood about PhoneGap

If you are interested in attending a FREE live webinar with Jeff Linwood to learn more (and ask live questions) about building native iPhone and Android apps, sign up for the "Building Mobile Apps With Dupal" webinar notification list. This does not commit you to the event, it just enables you get updates as they come out. If you're not familiar with PhoneGap and how it integrates with Drupal, check out the podcast episode I did with Jeff.

ThinkShout is proud to announce that we are facilitating the first ever Drupal Day for Nonprofit IT Professionals event at this year's Nonprofit Technology Conference (NTC) April 3rd, 2012, at the Hilton Union Square in San Francisco.

The content of this full-day event will be geared toward IT decision-makers who either currently manage, or are considering, the Drupal content management system. With this focus, this event will be applicable to Drupal professional service providers specializing in the nonprofit sector, in-house nonprofit software developers, Drupal power-users, and executive nonprofit staff responsible for managing website and web application procurement and maintenance.

This event will not a training on “How to build a website with Drupal,” nor will it be a Drupal vendor or product spotlight. Rather, this is a hands-on opportunity for Drupal users in the NTEN community to:

• Increase dialog within the national community of Drupal professionals and IT decision-makers serving the nonprofit sector;
• Make connections between nonprofit IT professionals interested in different technical and process conversations that are active in the wider Drupal community;
• Expose the nonprofit IT community to the latest techniques, tools, and trends in Drupal development and site management; and,
• As one of the opening events at the NTC, start the conference off right!!!

If you happened to have attended the incredible Drupal Nonprofit Summit at the 2011 BADCamp, the format and structure of the event will be familiar:

• 9:30-10:00 am: An optional "Introduction to Drupal Terminology and concepts for IT professionals new to Drupal."
• 10-10:15 am: Full-group welcome, intros and agenda review.
• 10:15-10:45 am: Full-group "Making Connections" exercise.
• 10:45-11am: Break.
• 11-12 pm: Two 30-minute case studies with break-outs.
• 12-1 pm: Drupal BOF sessions during a working lunch.
• 1-1:05 pm: Quick introduction to the Drupal Association.
• 1:05-2:35 pm: Three 30-minute case studies with break-outs.
• 2:35-3:00 pm: Full-group wrap-up.

Get Involved

Of course, this event would not be possible without our hosts - the Nonprofit Technology Network. If you are not familiar with NTEN or the NTC, definitely check them out. Having attended the last 2 conferences, I can say with confidence that the NTC will be one of the best national tech gatherings of the year. We're also every excited to have the sponsorship and planning support of individuals such as Johanna Bates and organizational partners including Drupal Association, CivicActions, OpenSourcery, and Jackson River.

If you're interested in helping out with case studies or other planning/facilitation opportunities as part of the Drupal Day for Nonprofits, give us a shout! We're hoping that the event will pull together the leading minds in Drupal development for the nonprofit sector from around the country.

Tags: Drupal Planetnon-profit tech

Submitted on Wed, 02/08/2012 - 17:00

Outline:

• Originally developed for an art site in 2005, to give visitors an incentive to contribute (add their art, vote on other people’s art, comment, ...etc.
• Open sourced with some features disabled initially, then talked the client allowing all features to be contributed, and they agreed
• Evolved into a user incentive, ranking and virtual currency system
• Got more than one requests to port it to Joomla
• Used on one site to encourage recycling, with online points and offline points, e.g. you take an item to a depot and they credit your account.
• Jacob Redding, Executive Director of the Drupal Association was the D6 maintainer, for work he did for a New York non profit.
• Contributed modules:

We've now wrapped up the first Drupal Coworking Friday and it was a resounding success. We had an estimated 100 attendees worldwide across three countries and 10 cities. The good news is even more cities want to participate this month!

I'm writing this post as a quick update so the curious know how it went overall but ultimately I wanted to thank all of the attendees, hosts and sponsors. Without these three groups this event (well, the first of many events) would have never happened. A special thank you to the hosts and sponsors that took time out of their lives/busy days (as well as money) to make this a reality for the general Drupal public.

Start:  2012-02-21 16:00 - 17:00 America/New_York Online meeting (eg. IRC meeting) Organizers:  Jacine

Please join us for our 20th bi-weekly meeting to discuss issues and progress related to the Drupal 8 HTML5 initiative. The meeting will be held in #drupal-html5 in IRC at 4 PM EST.

Agenda

During the meeting, we will discuss the progress of the current sprint and schedule issues for the next sprint. Please post your proposed discussion topics in the comments if you have any.

Subscribe

You can subscribe to the Google Calendar for this and future meetings via the iCal or XML feeds.

IRC Meeting Log

Posted after meeting.

Drupal 8 Initiatives

The first-ever election for two at-large Board Members of the Drupal Association was just completed with the selection of Donna Benjamin (KatteKrab) of Australia and Steve Purkiss (stevepurkiss) of the United Kingdom. The two new board members were elected by members of the Drupal Community and then ratified today by the Drupal Association board. They join the current eight Board of Directors of the non-profit Drupal Association in helping to establish policy, hire and manage an executive director, review and approve the budget and financial reports, and participate in fundraising.

read more

If this is your first DrupalCon - welcome to the party! A great way to get yourself up to speed before the conference is to attend the Absolute Beginners Guide to Drupal training session on Monday March 19th.

The course is presented by Open Source Training and is a full-day course available at a discounted price of $350 if you have already registered for the conference.

This is the must-go-to training if you're brand new to Drupal. Whether you're a designer, a decision maker, a project manager or a website developer- this hands-on introduction to Drupal is an essential first step to DrupalCon.

Read more and register now while seats are still available!

Only a few weeks remain until the next DrupalCon, which will be held March 19-23 in beautiful downtown Denver, Colorado. DrupalCon is the international event that brings together the people who use, develop, design, and support the Drupal platform as well as other luminaries from the open source and Web development communities. The final program schedule was recently released, and includes several sessions from members of the Palantir team:

Drupal Media
Dave Reid and Advomatic’s Aaron Winborn will discuss the past, present, and future of the Media module, which provides a unified framework and interface for managing all kinds of media assets in Drupal 7 and beyond.

Practical Responsive Development in Drupal
John Albin Wilkins goes beyond the basics in this session, which explores different implementation techniques for responsive designs using CSS (or Sass/Compass) and various Drupal themes and modules.

Flexible, Fast, Friendly: Balancing Your Architecture
Larry Garfield will talk about how to understand and think about competing priorities and trade-offs when designing software architecture.

Lessons Learned: Open Source Contributions - A Case Study of Workbench
Since its public debut at last year’s DrupalCon Chicago, the Workbench suite of modules has rapidly become the go-to solution for user access and workflow management in Drupal 7. In this session, Colleen Carroll and Robin Barre will discuss the process of developing Workbench with a focus on business strategy, sustainability, and community involvement.

Making Drupal Core Mobile-Friendly
John Albin Wilkins will join Jeff Burnz of Adaptive Themes and Capgemini’s Lewis Nyman for a panel discussion on the work of the Drupal Mobile Initiative to make Drupal 8 truly “mobile-friendly”.

In addition to these sessions, a number of Palantir team members have submitted presentations for Core Conversations, the place where people actively working on Drupal or Drupal.org can meet and plan the future of Drupal.

We will also be presenting a brief session on Mobile Design Strategy as part of a series of lightning talks on the DrupalCon exhibit hall Day Stage. While you’re in the exhibit hall, don’t forget to stop by our booth (the easy-to-remember #111) and say hello!

And finally, on Friday, March 23, after all of the regular session programming is complete, a number of us will be leading sprints to help improve various parts of Drupal. Larry Garfield will be leading the Drupal 8 Web Services Initiative sprint, Dave Reid will be leading a sprint on the Media module, documentation, and improvements to Drupal core, and Steve Persch will be leading a sprint to improve collaboration between different Drupal modules for workflow.

If you haven’t registered yet for DrupalCon Denver, don’t delay! Tickets are only $350 until February 21 and only available while supplies last. Get yours today at http://denver2012.drupal.org/

A client that has a lot of physical locations asked me how to improve search engine optimization (SEO) for those locations. They have web pages for each of their locations and were concerned about making sure all those individual location pages are getting ranked well. This doesn't seem to be a very well documented subject, but I found a number of ways to make sure that Google and other search engines know more about the physical locations that are related to a web site.

Google, in particular, has been making locative information more important than ever. If Google has any information about where I am located (and it usually does), it will push results in my location to the top of the search results list for any term I search for. For instance, if I search for 'Coffee' into a normal Google search, I get results like this, even though I didn't add anything about my location in my search terms. This makes it clear that having accurate location information in my web site must be very important.

Background: By default the taxonomy_term view is available to generate views of the terms in given taxonomies. This view may be extended just like any other view to provide a lot more information, however with this customization you may find yourself wanting a different view for different taxonomies.  In our case we have a taxonomy of electronic journals and resources that needs to look vastly different from the historical collections where pictures and such are available.

TVI let's you pick your taxonomy term view from the taxonomy page

 

Our solution: Taxonomy Views Integrator allows you to choose which view to associate with which taxonomy through a very handy and intuitive drop down menu.  Since there are already too many redirects and such on our site in my opinion this is the way to go.  We cloned our default taxonomy term view and added some new filters… voila!  Then just go to /admin/content/taxonomy and in each vocabulary you may choose which view to use… taxonomy and views… integrated.. better than chocolate caramel lobster salad…

For the videophiles here’s your two minute walkthrough…

NB: There are several tools out there to accomplish this task:

Views Term Path Override: overrides the term path – more URL’s getting flung about, however it’s certainly viable

Taxonomy Redirect: Likewise, probably works, but just doesn’t seem quite as elegant or obvious – not certain which of our admins would remember to

probably a few other ways of doing this… thanks to deeporange1 and awebb for this handy mod

$50.00 Friday, February 24, 2012 Training Course(s):  Acquia's Drupal in a Day

This hands-on workshop will introduce you to the latest release of Drupal to get you started on how to build and administer a Drupal site: creating and managing content, granting user permissions, expanding your site's capabilities with key modules, and all the basics you’ll need to use this powerful content management system to build web sites without writing a line of code.

The workshop will be held at the UCF Executive Development Center at 36 West Pine Street, Orlando, FL and run from 9am until 5pm with a one-hour break for lunch.

$50.00

Start:  2012-02-18 09:00 - 18:00 Europe/Budapest Sprint Organizers:  Gábor Hojtsy

We are holding a one day sprint for people interested in working on solutions for the Drupal 8 Multilingual Initiative. The physical sprint is in Budapest, on Saturday, Feb 18th from 9am to 6pm local time (CET). Because most of you would not be able to make it in person, we'll also hang out in #drupal-i18n so if you want to join, feel free to do so then and there. Because this is a one day sprint only and people attending the sprint will be mostly new to Drupal 8 development (experienced in Drupal development in general though), we expect to work on lower hanging fruit tasks.

If you show up and want to help with more complex issues, just ask in the #drupal-i18n channel and we'll surely find something good for you!

Drupal 8 Initiatives

Start:  2012-02-15 17:00 - 18:00 UTC Online meeting (eg. IRC meeting) Organizers:  Gábor Hojtsy

It is that time again! We'll review current top priority tasks and discuss new ones to work on. No other specific special topics planned at the moment.

The meeting is in the #drupal-i18n channel on IRC. See http://drupal.org/irc for more information. The time above is marked with UTC - check in your own timezone.

Drupal 8 Initiatives

I am incredibly honored to have been selected to speak at the upcoming DrupalCon Denver on the topic of International NGOs Leveraging Drupal for Social Change. 

As part of the amazing support in the Drupal Community, all presenters have been requested to attend (or watch recordings of) webinars on how to give good presentations, led by Emma Jane Hogbin of Design to Theme.

Below is a summary of the two hour-long videos, which I initially intended as personal notes, but later realized others might find useful as well.

read more

Last year I officially went independent, turning Logrus into a boutique consulting shop specializing in the skills and knowledge I have to offer big players in the Drupal world. So far, things have gone fantastically well and it has allowed me to branch out a little more in the things I do, and has also helped fund several awesome projects that will benefit the community. Notably the Panelizer, Fieldable Panel Panes and ERS modules are completely funded by clients, as well as improvements to Panels such as the pane locking features.

BlogDrupal · DrupalCon