Skip to content

Latest commit

 

History

History
51 lines (36 loc) · 2.13 KB

README.md

File metadata and controls

51 lines (36 loc) · 2.13 KB

Heartbleed

This module was developed in response to the Heartbleed bug in OpenSSL.

The problem Heartbleed module solves is this: I have patched my site against the Heartbleed vulnerability, and I want my Drupal site users to reset their passwords. There's no indication Heartbleed was used against my site, but out of an abundance of caution I want to reset all of my users' passwords to ensure their protection.

Here's the user experience for an authenticated user on example.com after Heartbleed module is installed:

  • (I remember my password.) Next time I log into example.com, I'm immediately logged out and redirected to example.com/user/heartbleed. Here I see a note informing me about Heartbleed and instructing me to enter my email address to request a password reset link be sent to my email.
  • (I forgot my password.) Nothing changes. When I go to example.com to log in, I request a login link to be sent to my email. When I use it to reset my password, Heartbleed checks me off the list of users who need to reset their passwords. I may never know about or worry about Heartbleed impacting me on example.com.

Here are some sites with information about the Heartbleed bug in OpenSSL:

Install & Configure

  1. Download Heartbleed module.

  2. Drop it in your Drupal site's sites/all/modules directory.

  3. Enable Heartbleed module here:

    admin/build/modules (Drupal 6)
    admin/modules       (Drupal 7)
    
  4. Customize Heartbleed settings here:

    admin/user/heartbleed          (Drupal 6)
    admin/config/people/heartbleed (Drupal 7)
    

    Password reset date: All users created before the reset date will be required to change their password once after the reset date. (If you change the date after the module is enabled, password resets that happened before the new date won't count. Users will have to reset their passwords again.)

    Heartbleed message: Customize the message displayed to your users about why they are being required to reset their passwords.