drupal
Mon, 2008-09-08 20:02
tags: Portals, Drupal, FireOrb Developers Network, Security, distributed authentication, openid, xmlrpc

You used to be able to use your Drupal login at any Drupal site that had turned on drupal.module. It was a convenient and useful feature, but it has been removed from Drupal 6. You can get it back, though. The module suffers from a few maladies, the least of which is its unlikely name. Once you get past the inappropriate name, the next thing that served to frustrate is the fact that the module was proprietary and centered around the drupal.org website. Lastly, the module and its code proved to be a security risk. With no interest in refactoring or revising the thinking behind the code, the module was finally removed from core with the release of Drupal 6. Although over the years many have complained about the failings of the module, no one has given it any real updating. In the next few paragraphs I am going to play detective and show why this module was removed. I will follow it up with some of the reasons that, if you are using this module, plan on using this module or are dependent on it in any way, you may be putting your websites at risk.

The problem
The drupal module does two things: it implements distributed authentication and it lets you run a "directory server". These sound great in the features list, but the implementation of both features is weak and poses the real risk of exposing Drupal users to identity theft.

The reason behind the problem
The core 'drupal' module is useful, but too hard-coded to drupal.org. It is designed to enable some basic linking and exchange between a central site and associated sites, and could be used, e.g., in a network or multi-office organization where there is a need to pool certain data. But on the surface it looks like it's just a way to get listed on drupal.org. We should rename the module to something like "network", and change the help messages etc. so that drupal.org is only an example. This would help genericize this module and move towards broader usability.

Holding on to the problem
Based on discussions on the development mailing list (about privacy issues and data collection concerns) as well as http://drupal.org/node/66241#comment-311021 and http://drupal.org/node/66241#comment-311037 we are moving drupal.module to the contributions repository. What needs to be done:
- a maintainer should step up
Once this is done, this issue can be marked fixed. And the new module should
- provide an upgrade path, so users authenticated previously by drupal.module still get their authentication from the new module properly

The deciding point
Let your users use their username and password from other Drupal sites. It is the old "Drupal" module which just left core.

Known Issues
Since it is still a simple port of Drupal 5's "Drupal" module, it still has some important issues (present in the old module too):
* No user data is retrieved from the server (email, for example). See http://drupal.org/node/61738

Security risks from xmlrpc
In the past many security flaws in the module were due to the use of old PHP code. Though the code was updated and the main holes plugged, there was never any thorough testing or refactoring done from version to version. Although at this point in time there is an opportunity for those using the old versions of the Drupal module to upgrade, this may not be something that is smart. So having this module classified as a contribution is probably the best thing that could have happened. Now someone can get going making improvements without having to go through the politics of having the module in the core system.

OpenID?
The decision to go wholly with OpenID and to retire the drupal module was probably a good one. But it leaves a gap that needs to be filled. One of the real selling points for using Drupal has been the ability to set up single sign-on across a group of communities located on different servers. Without this feature in Drupal 6 and follow-up versions there will be a group of users forced to stick with the older version of the CMS. Though this may not seem very important, it goes to the point of reputation. It is hard to get a reputation for having secure software if there are hundreds of users out there holding on to flawed versions out of pure need. Take note of this URL because the module is no longer listed even though there is a project page for it.