How to Protect RSS Feeds in Drupal

If you reserve part of your site for authenticated users, members, or even more selected groups, and even if you don't, you'll soon find out about a problem with RSS feeds: feeds that are available only when the user is logged in, will obviously not be available when she's not. Nevertheless, she will set her feed reader to access the feed...

Depending on the exact situation, this may work sometimes, but usually the reader will get the 403 (access denied) page, and Drupal will insert an access denied message into the Drupal log. I can tell you from experience that many people leave their computer on for 24 hours a day, and if your site is successful, you'll soon have lots of client computers generating access denied errors day in and day out, and your Drupal log will become inundated with useless error messages.

Secure Site Saves the Day

The primary purpose of Secure Site (securesite) is to secure an entire Drupal site behind HTTP authorization, but securesite can be more selective:

Enable securesite with web browser HTTP-AUTH security (so far I haven't had a need for the additional browser logout workaround) and set it to bypass every page except the listed pages:


Those readers that would only get an "access denied" message, will now fail at the HTTP login authorization, and they'll never again get a chance to pollute your log file. Note that even if you don't restrict access to your site, personal feeds under user still require the reader to be logged in.

Unfortunately, — you knew it wouldn't be that easy, didn't you? — securesite changes the logout behavior for all users in an unacceptable way: when the unsuspecting user (who has logged in through the Drupal login box and has never seen the HTTP authorization dialog on your site), when this unsuspecting user clicks on the Log Out link, securesite will pop up the HTTP authorization dialog!

The maintainer of securesite has told me that if a user has logged in through HTTPAUTH, then he needs to get this dialog to ensure that the browser drops the login credentials. However, since I don't want my users to ever log in interactively through securesite, I don't need them to get logged out reliably either. The following fix does this:

  1. Copy modules/securesite/dialog.tpl.php to themes/your_theme/securesite-dialog.tpl.php
  2. Insert the following code at the top of the file:
    if ( drupal_get_destination() == 'destination=logout' ) {
      header( 'Location: http://' . $_SERVER['HTTP_HOST'] . '/' ) ;
  3. Be sure that the character that used to be the first character in the file immediately follows the closing angle bracket of "?>" on the same line with no intervening space!

This will keep the dialog from being displayed — please be sure to understand the consequence explained above.

Don't forget!

... to give the access site permission to your authorized users, otherwise no one will be able to access the site!

Oh, and you'll probably want to clear the entry field under Message for Request Password Reset form to keep securesite from showing up unexpectedly in other places.