SECURE LOGIN MODULE
-------------------

Secure Login module enables secure logins by submitting the login form
to a secure HTTPS URL.  The module can also do the same for the user
edit, user registration, and other forms, so that passwords and other
user data are never sent in cleartext.

In both Drupal 7 and Drupal 8, logging in via HTTPS automatically
generates an HTTPS-only secure session[1], which prevents session
cookies from being sent in cleartext.

INSTALLATION
------------

See INSTALL.txt for instructions on how to install and uninstall the
module.

Before enabling the module, you need to set up your server to support
SSL.  The result should be that if you Drupal site lives at
http://host.domain/dir, it should also be accessible at
https://host.domain/dir (the secure base URL).  If you use a different
URL for the secure site, you must make sure that cookies coming from
host.domain can be sent to otherhost.domain.  You can change the cookie
domain in settings.php.

CONFIGURATION
-------------

At admin/config/people/securelogin you can set which forms (login,
registration, node, comment, contact, webform, etc.) are secured by this
module.  By securing all forms that indicate they "must be checked to
enforce secure authenticated sessions," you can ensure that logins are
in fact "secure": all authenticated sessions will use HTTPS-only secure
session cookies which are immune to session hijacking by eavesdroppers.

UPGRADING FROM DRUPAL 7
-----------------------

Your Secure Login settings should be correctly migrated from Drupal 7 to
Drupal 8... but this is not yet working.

DEVELOPER API
-------------

As with the Drupal 7 version of Secure Login module, developers may use
$form['#https'] = TRUE to indicate that a form should be secured by
Secure Login module, and $options['https'] = TRUE to indicate that an
HTTPS URL should be generated.

Additionally, this module provides two API functions for developers:

\Drupal::service('securelogin.manager')->secureForm($form) may be called
on a form to either redirect the current request to the secure base URL
or to submit the form to the secure base URL, depending on Secure Login
configuration.

\Drupal::service('securelogin.manager')->secureRedirect() may be called
to redirect the current request to the equivalent path on the secure
base URL.

[1] https://php.net/manual/en/session.configuration.php#ini.session.cookie-secure
[2] https://en.wikipedia.org/wiki/Session_hijacking
