Force SSL on login.php, create_account.php & any page via .htaccess


#1   dr_lucas

  • Members
  • 331 posts

Posted 14 March 2014 - 06:45

I was browsing a few threads here today; all said it's not possible to force SSL on a specific page via .htaccess.
I was trying to respond, but unfortunately the topics are archived and no longer accept responses (why archived? even a topic from 2011!?)
Anyway, it is possible to do that via .htaccess. Just add these lines to the very bottom of your catalog/.htaccess, and always be sure to leave at least 1 blank line at the end of the .htaccess file:

# Force SSL on specific pages
<IfModule mod_rewrite.c>
RewriteEngine On
# Only act on plain-HTTP requests (port 80) for the listed pages
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/(login\.php|create_account\.php|checkout_shipping\.php|checkout_payment\.php|checkout_confirmation\.php)
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [L]
</IfModule>

Edited by dr_lucas, 14 March 2014 - 06:46.

#2   14steve14

  • Members
  • 4,385 posts

Posted 14 March 2014 - 09:28

I thought that a correctly set up oscommerce cart used https on those pages if you had an SSL certificate and set up both of the configure files correctly. Maybe I was wrong and this is needed, but I don't think I am.



Find information about the bootstrap community version here


Make it idiot proof and someone will make a better idiot.

#3   dr_lucas

  • Members
  • 331 posts

Posted 14 March 2014 - 10:19

While this may be the case, many stores are configured differently, have templates with hard coded http (instead of https) links, etc.
Also some people, for any reason, may try to or be able to manually remove the https from the URL and connect to certain pages via http instead.
Using this method, you ensure that this will no longer be possible. Besides, the code is easily modifiable to include or exclude from forcing-SSL any page the store admin wants by changing:

RewriteCond %{REQUEST_URI} ^/(login\.php|create_account\.php|checkout_shipping\.php|checkout_payment\.php|checkout_confirmation\.php)

For example, to

# Will force SSL on advanced_search_results.php
RewriteCond %{REQUEST_URI} ^/(advanced_search_results\.php)

Edited by dr_lucas, 14 March 2014 - 10:19.
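
An added example, not part of the original posts: a simplified Python model of the two RewriteCond lines and the RewriteRule above, for checking which requests the rule covers before relying on it. The host shop.example, the sample requests and the function names are constructed for illustration. Because REQUEST_URI is the full request path, the `^/`-anchored pattern does not match a store installed under /catalog/.

```python
import re

# Patterns copied from the .htaccess rule in the post above.
PORT_COND = re.compile(r"80")
URI_COND = re.compile(
    r"^/(login\.php|create_account\.php|checkout_shipping\.php"
    r"|checkout_payment\.php|checkout_confirmation\.php)"
)


def redirect_target(port, server_name, uri, htaccess_dir="/"):
    """Return the https:// URL the rule would redirect to, or None.

    Simplified model (assumption): both RewriteCond lines must match as
    unanchored regex searches, and in .htaccess context the RewriteRule
    sees the path with the directory prefix stripped.
    """
    path, _, query = uri.partition("?")
    if not PORT_COND.search(str(port)):
        return None                       # already on HTTPS (e.g. port 443)
    if not URI_COND.search(path):
        return None                       # page not listed, or path prefixed
    if not path.startswith(htaccess_dir):
        return None
    relative = path[len(htaccess_dir):]   # what ^(.*)$ captures as $1
    target = f"https://{server_name}/{relative}"
    return target + ("?" + query if query else "")  # query string is kept


# Constructed sample requests: (port, URI, directory holding the .htaccess)
SAMPLES = [
    (80, "/login.php", "/"),
    (80, "/login.php?action=process", "/"),
    (443, "/login.php", "/"),
    (80, "/index.php", "/"),
    (80, "/account.php", "/"),                 # sensitive, but not in the list
    (80, "/catalog/login.php", "/catalog/"),   # store in a subdirectory
]


def audit(samples, server_name="shop.example"):
    """Return (port, uri, target) triples; target None = left as requested."""
    return [(p, u, redirect_target(p, server_name, u, d)) for p, u, d in samples]


if __name__ == "__main__":
    for port, uri, target in audit(SAMPLES):
        print(f"{port:<4} {uri:28} -> {target or 'not redirected'}")
```
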

#4   T. Thomas

  • Members
  • 23 posts

Posted 15 March 2014 - 02:45

It is possible to force SSL on all pages (which would be best); just configure it in your configure.php files

define('HTTP_SERVER', 'https://yoursite.com');
define('HTTPS_SERVER', 'https://yoursite.com');
define('ENABLE_SSL', true);

define('HTTP_SERVER', 'https://yoursite.com');
define('HTTP_CATALOG_SERVER', 'https://yoursite.com');
define('HTTPS_CATALOG_SERVER', 'https://yoursite.com');
define('ENABLE_SSL_CATALOG', true);

The important part of this code is the 'https://yoursite.com' for HTTP_SERVER, not just the HTTPS_SERVER. This forces HTTPS even when the user types in a plain http address or the link is hard coded.

#5   Jack_mcs

  • Members
  • 28,389 posts

Posted 15 March 2014 - 03:02

@14steve14 This fix has been around for a while. It is considered a security error because the url will work in non-ssl mode, which means the data entered would not be encrypted. I don't think anyone would deliberately change the url but purchased templates are notorious for adding links to those pages that do not use ssl.

@T. Thomas That will work but is a bad idea. The reasons have been stated a number of times in various threads here on the forums if you want to look those up.