Require SSL for all connections

Posted: Thu Apr 15, 2010 10:10 am
by richcon
Is there a way to require SSL for all connections, not just "sensitive" ones?

As in, the moment someone visits any page on the store I want them to be redirected to https.

Thanks,
Richard

Re: Require SSL for all connections

Posted: Thu Apr 15, 2010 10:21 am
by richcon
I came up with a hack to do it, but it required modifying the core OpenCart code to make it work.

1. Added the following to config.php:

// Require HTTPS for ALL connections
// $_SERVER["HTTPS"] is not set at all on plain-HTTP requests under most SAPIs
// (and IIS sets it to "off"), so test with empty() instead of comparing to "on"
// to avoid an undefined-index notice.
if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] == "off") {
   header("HTTP/1.1 301 Moved Permanently");
   header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
   exit();
}
2. Changed the following line in the root-level index.php:

	define('HTTPS_SERVER', 'https://' . substr($config->get('config_url'), 7));
to:

	$config_url = $config->get('config_url');
	// Character 4 is the 's' of "https://"; use [] for the string offset, the
	// older {} form is removed in PHP 8.
	define('HTTPS_SERVER', ($config_url[4] == 's' ? $config_url : 'https://' . substr($config_url, 7)));
(This allows the site URL provided in the control panel to be an https:// url.)

3. Set the site URL in the control panel to the https:// url.

Is there a better way to do this?
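A hardened version of the step-1 redirect, added here as an example; it is not OpenCart code and not the snippet from the post above. It assumes hypothetical hostnames, that any TLS-terminating proxy in front of the store sets X-Forwarded-Proto, and the function names are mine. Compared with the original it avoids the undefined-index notice, refuses to build the Location header from an unvalidated Host header or a header-injecting URI, and sends an HSTS header once the request is already on HTTPS.

```php
<?php
// Added example (not OpenCart code): a drop-in replacement for the config.php
// redirect hack. Hostnames and function names below are hypothetical.

/**
 * Decide whether the current request must be redirected to HTTPS.
 * Returns the absolute https:// URL to redirect to, or null if the request
 * is already secure. Pure function over $server so it is easy to test.
 */
function https_redirect_target(array $server, array $allowedHosts, bool $trustProxy = false): ?string
{
    // $_SERVER['HTTPS'] is absent on plain HTTP under most SAPIs, and IIS
    // sets it to "off"; a bare `!= "on"` comparison raises a notice when unset.
    $secure = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // Only honour X-Forwarded-Proto when a trusted proxy terminates TLS;
    // otherwise any client can send that header itself and skip the redirect.
    if (!$secure && $trustProxy) {
        $secure = isset($server['HTTP_X_FORWARDED_PROTO'])
            && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    if ($secure) {
        return null;
    }

    // The Host header is client-controlled: take it only if it is on the
    // allow-list, otherwise fall back to the canonical (first) hostname.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an explicit port
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }

    // REQUEST_URI is path + query. Strip CR/LF (header injection) and refuse
    // anything that does not start with a single "/" (e.g. "//evil.example").
    $uri = $server['REQUEST_URI'] ?? '/';
    $uri = str_replace(["\r", "\n"], '', $uri);
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

/** Redirect to HTTPS if needed; call once, early, from config.php. */
function enforce_https(array $allowedHosts, bool $trustProxy = false): void
{
    $target = https_redirect_target($_SERVER, $allowedHosts, $trustProxy);
    if ($target === null) {
        // Already on HTTPS: tell browsers to stay there. Start with a short
        // max-age while testing; add includeSubDomains only once every
        // subdomain is confirmed to serve TLS correctly.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // Use 302 while testing (browsers cache a 301); switch to 301 when sure.
    header('Location: ' . $target, true, 301);
    exit();
}

// Usage from config.php (hypothetical hostnames):
// enforce_https(['shop.example.com', 'www.shop.example.com']);
```

The same `enforce_https()` call can be added to the admin side's own config file so the control panel is never reachable over plain HTTP. The redirect can equally be done in the web server (for example an Apache rewrite rule), which keeps it out of the application entirely and is the usual answer to "is there a better way"; the HSTS header is what stops a returning browser from ever making the first plaintext request.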

Re: Require SSL for all connections

Posted: Thu Apr 15, 2010 10:37 am
by rph
Why do people keep requesting this? What's the logic to running publicly accessible areas in secure mode?

Re: Require SSL for all connections

Posted: Thu Apr 15, 2010 10:51 am
by Qphoria
There are 2 types of people in the world

Those that want:
- Meta Keywords
- https for all pages
- SEO for their admin pages
- Customer Salutations
- Customer Birthdays

And then there are the normals :)

Re: Require SSL for all connections

Posted: Thu Apr 15, 2010 10:32 pm
by rph
If a store doesn't acknowledge my birthday they obviously don't deserve my business. ;D

Re: Require SSL for all connections

Posted: Sat Apr 17, 2010 4:52 am
by richcon
Not to feed the trolls, but...

That's a pretty snarky response to my question (especially one that I spent the time coding a workable workaround for).

If you don't want https, fine. Doesn't make those who do any less "normal." Since the "normal" method is to buy some software or use an online service rather than coding up open source and sharing it with the world, I wouldn't put too much stock in normality.

By the way, meta keywords and birthday greetings sound like cool features too. They should be doable with modules without changing the core store code though, right? But it doesn't sound abnormal to ask for them.

Rich

Re: Require SSL for all connections

Posted: Sat Apr 17, 2010 4:57 am
by Qphoria
I'm working on dynamic customer fields and required states so that you can get as many customer fields as you like. Not sure if it will make 1.4.8 as there are dependencies that need to be handled on the order side as well. But I'll have more on that when I get it working. Then you can add fields ad nauseam to the account create form:
"maiden name"
"height"
"endowment"
etc.

Re: Require SSL for all connections

Posted: Sat Apr 17, 2010 4:59 am
by richcon
rph wrote:Why do people keep requesting this? What's the logic to running publicly accessible areas in secure mode?
Keeps the entire shopping cart encrypted. Mine doesn't deal with sensitive products, but there are still reasons to encrypt an entire session. The current method hides your password and credit card numbers, but still allows eavesdroppers to see your login names and what you're buying. If you do deal with sensitive, personal, or health-related products, 100% encryption is even more critical.

SSL encryption is very fast and scalable. If you're not worried about HTTP caching (which is disabled for https connections), there is really no reason *not* to have an encrypted connection.

Simplifies cookie management. Some web hosts have trouble sharing cookies between the http and https connections. That can cause things like your shopping cart to disappear when you go to pay for it.

Re: Require SSL for all connections

Posted: Sat Apr 17, 2010 5:14 am
by Qphoria
richcon wrote: Simplifies cookie management. Some web hosts have trouble sharing cookies between the http and https connections. That can cause things like your shopping cart to disappear when you go to pay for it.
This is the only reason I would deem acceptable IMHO

Re: Require SSL for all connections

Posted: Sat Apr 17, 2010 6:02 am
by rph
richcon wrote:The current method hides your password and credit card numbers, but still allows eavesdroppers to see your login names
Not anywhere that I'm aware of.

Re: Require SSL for all connections

Posted: Sat Apr 17, 2010 11:52 am
by GhostHunt
I think there should be an easy way to turn on SSL for the entire site via
the admin user interface. :)

Re: Require SSL for all connections

Posted: Sat Apr 17, 2010 12:06 pm
by GhostHunt
I have a question on this:
richcon wrote: Some web hosts have trouble sharing cookies between the http and https connections. That can cause things like your shopping cart to disappear when you go to pay for it.

How can I tell which web hosts have this problem? "sharing cookies"?
Are there some key indicators I can look at?
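A small diagnostic for the question above, added here as an example and not part of any post. Browsers scope cookies by host and path, not by scheme, so the cart cookie set while browsing one URL is not sent to the other if the hostnames differ; one common cause in shared hosting is a "shared SSL" address on the host's own domain (the sample hostnames below are constructed). The function compares the store's http and https URLs and reports why a cookie set on one would not be presented on the other.

```php
<?php
// Added example (not OpenCart code): compare the store's two URLs the way a
// browser's cookie jar would. Hostnames used in the usage lines are made up.

/**
 * Return a list of human-readable problems that would stop a session cookie
 * set on $httpUrl from being sent to $httpsUrl (and vice versa).
 * An empty array means the cookie will be shared between the two.
 */
function cookie_sharing_problems(string $httpUrl, string $httpsUrl): array
{
    $a = parse_url($httpUrl);
    $b = parse_url($httpsUrl);
    if ($a === false || $b === false || empty($a['host']) || empty($b['host'])) {
        return ['one of the URLs could not be parsed'];
    }
    $problems = [];

    // Cookie hosts must match exactly unless the cookie carries a Domain
    // attribute; "www.shop.example" and "shop.example" are different hosts.
    $hostA = strtolower($a['host']);
    $hostB = strtolower($b['host']);
    if ($hostA !== $hostB) {
        $problems[] = "hostnames differ: $hostA vs $hostB";
    }

    // A cookie scoped to one store path is only sent to that path and below,
    // so the two store paths must nest (e.g. "/" and "/shop/").
    $pathA = rtrim($a['path'] ?? '/', '/') . '/';
    $pathB = rtrim($b['path'] ?? '/', '/') . '/';
    if (strpos($pathB, $pathA) !== 0 && strpos($pathA, $pathB) !== 0) {
        $problems[] = "paths do not nest: $pathA vs $pathB";
    }
    return $problems;
}

// Usage with constructed sample URLs (not real stores):
print_r(cookie_sharing_problems('http://www.shop.example/', 'https://www.shop.example/'));
print_r(cookie_sharing_problems('http://shop.example/', 'https://secure.hostingco.example/shop/'));
```

In practice the indicator to look at is simply whether the http and https store URLs share the same hostname and a common path; if they do not, the cart will be lost at checkout. The other direction also matters: once a cookie is set with the Secure flag (PHP's session.cookie_secure) it is never sent on plain-http pages, which is why forcing the whole site onto HTTPS removes the problem rather than working around it.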

Re: Require SSL for all connections

Posted: Tue Jun 22, 2010 6:28 am
by cakers911
richcon, is there a way to apply the same solution for forcing SSL on all connections so that it will force the same for the administration login and backend area of the store? I keep having problems with my PCI certification because it shows this as an unencrypted form.

Thanks,
Chris

Re: Require SSL for all connections

Posted: Sat Jul 10, 2010 4:12 pm
by richcon
cakers911:

Don't know, but I think I saw the release notes for the most recent version of OpenCart showing a fix for that. In my opinion, there's really no reason for the admin panel to ever be unencrypted. Everything there should be considered sensitive.

(I'm currently running it on a private dev server, I'll tackle that part when my site gets closer to launching on the production one. The site that originally needed all encrypted connections was a different one that I'm not managing anymore.)