Is there a way to require SSL for all connections, not just "sensitive" ones?
As in, the moment someone visits any page on the store I want them to be redirected to https.
Thanks,
Richard
I came up with a hack to do it, but it required modifying the core OpenCart code to make it work.
1. Added the following to config.php:
2. Changed the following line in the root-level index.php:
to:
(This allows the site URL provided in the control panel to be an https:// url.)
3. Set the site URL in the control panel to the https:// url.
Is there a better way to do this?
1. Added the following to config.php:
Code: Select all
// Require HTTPS for ALL connections
if($_SERVER["HTTPS"] != "on") {
header("HTTP/1.1 301 Moved Permanently");
header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
exit();
}Code: Select all
define('HTTPS_SERVER', 'https://' . substr($config->get('config_url'), 7));Code: Select all
$config_url = $config->get('config_url');
define('HTTPS_SERVER', ($config_url{4} == 's' ? $config_url : 'https://' . substr($config_url, 7)));3. Set the site URL in the control panel to the https:// url.
Is there a better way to do this?
Not to feed the trolls, but...
That's a pretty snarky response to my question (especially one that I spent the time coding a workable workaround for).
If you don't want https, fine. Doesn't make those who do any less "normal." Since the "normal" method is to buy some software or use an online service rather than coding up open source and sharing it with the world, I wouldn't put too much stock in normality.
By the way, meta keywords and birthday greetings sound like cool features too. They should be doable with modules without changing the core store code though, right? But it doesn't sound abnormal to ask for them.
Rich
That's a pretty snarky response to my question (especially one that I spent the time coding a workable workaround for).
If you don't want https, fine. Doesn't make those who do any less "normal." Since the "normal" method is to buy some software or use an online service rather than coding up open source and sharing it with the world, I wouldn't put too much stock in normality.
By the way, meta keywords and birthday greetings sound like cool features too. They should be doable with modules without changing the core store code though, right? But it doesn't sound abnormal to ask for them.
Rich
Last edited by richcon on Sat Apr 17, 2010 5:13 am, edited 1 time in total.
I'm working on dynamic customer fields and required states so that you can get as many customer fields as you like. Not sure if it will make 1.4.8 as there are dependencies that need to be handled on the order side as well. But I'll have more on that when I get it working. Then you can add fields ad nauseum to the account create form
"maiden name"
"height"
"endowment"
etc
"maiden name"
"height"
"endowment"
etc
Keeps the entire shopping cart encrypted. Mine doesn't deal with sensitive products, but there are still reasons to encrypt an entire session. The current method hides your password and credit card numbers, but still allows eavesdroppers to see your login names and what you're buying. If you do deal with sensitive, personal, or health-related products, 100% encryption is even more critical.rph wrote:Why do people keep requesting this? What's the logic to running publicly accessible areas in secure mode?
SSL encryption is very fast and scalable. If you're not worried about HTTP caching (which is disabled for https connections), there is really no reason *not* to have an encrypted connection.
Simplifies cookie management. Some web hosts have trouble sharing cookies between the http and https connections. That can cause things like your shopping cart to disappear when you go to pay for it.
Last edited by richcon on Sat Apr 17, 2010 5:14 am, edited 1 time in total.
This is the only reason I would deem acceptable IMHOrichcon wrote: Simplifies cookie management. Some web hosts have trouble sharing cookies between the http and https connections. That can cause things like your shopping cart to disappear when you go to pay for it.
I have a question on this
Some web hosts have trouble sharing cookies between the http and https connections. That can cause things like your shopping cart to disappear when you go to pay for it.
How can I tell which web hosts have this problem? "sharing cookies"?
Is there some key indicators I can look at?
Some web hosts have trouble sharing cookies between the http and https connections. That can cause things like your shopping cart to disappear when you go to pay for it.
How can I tell which web hosts have this problem? "sharing cookies"?
Is there some key indicators I can look at?
richcon, is there a way to apply the same solution for forcing SSL on all connections so that it will force the same for the administration login and backend area of the store? I keep having problems with my PCI certification because it shows this as an unencrypted form.
Thanks,
Chris
Thanks,
Chris
cakers911:
Don't know, but I think I saw the release notes for the most recent version of OpenCart showing a fix for that. In my opinion, there's really no reason for the admin panel to ever be unencrypted. Everything there should be considered sensitive.
(I'm currently running it on a private dev server, I'll tackle that part when my site gets closer to launching on the production one. The site that originally needed all encrypted connections was a different one that I'm not managing anymore.)
Don't know, but I think I saw the release notes for the most recent version of OpenCart showing a fix for that. In my opinion, there's really no reason for the admin panel to ever be unencrypted. Everything there should be considered sensitive.
(I'm currently running it on a private dev server, I'll tackle that part when my site gets closer to launching on the production one. The site that originally needed all encrypted connections was a different one that I'm not managing anymore.)
Who is online
Users browsing this forum: No registered users and 66 guests
