nate_02631 Posted July 18, 2004

Ez Secure Order & Customer Viewing for osCommerce

This contribution addresses an issue with the store admin to allow secure viewing and editing of order and customer details while allowing the rest of the admin to remain in standard mode -- alleviating unnecessary strain on the SSL server and allowing generally quicker operation of non-SSL admin functions.

It involves adding two simple lines to the admin config file and slightly altering the tep_href_link function of the admin's includes/html_output.php file. It has been tested with MS 2.2 but will likely work on older versions as well.

In the admin/includes/config.php file add the following two lines:

    define('HTTPS_SERVER', 'https://your-secure-server.com'); // secure webserver for admin
    define('ENABLE_SSL', 'true'); // enable SSL for customers/orders viewing

Alter the server value to the name of your secure server. In general, it is the same as the HTTPS_CATALOG_SERVER value.

Then find the tep_href_link function in the admin/includes/functions/html_output.php

Change

    if ($connection == 'NONSSL') {

to:

    if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS && $page != FILENAME_ORDERS && $page != FILENAME_ORDERS_PACKINGSLIP && $page != FILENAME_ORDERS_INVOICE) ) {

and change the following

    } elseif ($connection == 'SSL') {

to:

    } elseif ($connection == 'SSL' || ($page == FILENAME_CUSTOMERS || $page == FILENAME_ORDERS || $page == FILENAME_ORDERS_PACKINGSLIP || $page == FILENAME_ORDERS_INVOICE) ) {

That's it! Now when you are in the orders or customer sections of your admin, your server will switch to secure mode.

Post any questions or comments below.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.

rerbe Posted July 19, 2004

Nice One!!!! I have been looking for a solution to this one myself and have asked the question in these forums several times before, and not being a PHP guru this was a problem. Thanks for the info...

Richard E

The solution is never too far away ...

talon177 Posted July 21, 2004

Works great!

iantates Posted July 21, 2004

I have just carried out the changes but it isn't swapping over to the secure server! Guess it is something I have done! I have checked and double checked code and it is as stated. Any ideas?

iantates Posted July 21, 2004

Fixed! For some reason FTP would not overwrite config file so it wasn't updating. Had to rename then upload new version. Great contribution.

tygrr Posted July 26, 2004

Hi! This might be just what I'm looking for! Was wondering if it also secures the payment module account information, as well as shipping account username/password info if I used USPS?

nate_02631 Posted July 27, 2004 (Author)

No, but you can auto-secure any specific admin files by adding them to the $page equals (and not equals) FILENAME_BLAH comparos...

Hellmaker Posted August 12, 2004

Hi, I was just testing this SSL contribution, and it doesn't work for me. It doesn't switch to SSL...

nate_02631 Posted August 12, 2004 (Author)

Make sure you have your USE_SSL config options set to true, and the appropriate SSL servers specified...

akkinmore Posted August 21, 2004

Hi,

Will it work on shared SSL? I have installed according to your instructions but the browser says "The Page cannot be displayed". When I click the customer, the browser was redirected to https://63.220.81.11/~ovxssl/ocx/admin/cust...d_box=customers and the page cannot be displayed. Any idea why?

Thanks

nate_02631 Posted August 21, 2004 (Author)

This contrib has nothing to do with your SSL *setup* per se... You must set your store's configuration to the correct values for your network. If you are pointing your admin's SSL to the correct place in configuration.php and make the other small change outlined, then the mod will enter SSL for just the parts of your admin specified.

akkinmore Posted August 22, 2004

Hi Nate,

I have installed the system in the following:

1. The main code is under the category directory.
2. My admin uses a sub-domain called admin.mydomain.com under the admin directory.

Here are the config under config.php:

    // define our webserver variables
    // FS = Filesystem (physical)
    // WS = Webserver (virtual)
    define('HTTP_SERVER', 'http://admin.mydomain.com');
    define('HTTPS_SERVER', 'https://secure-net/~username/admin'); // secure webserver for admin
    define('ENABLE_SSL', 'true'); // enable SSL for customers/orders viewing
    define('HTTP_CATALOG_SERVER', 'http://mydomain.com');
    define('HTTPS_CATALOG_SERVER', 'https://secure-net/~username');
    define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
    define('DIR_FS_DOCUMENT_ROOT', '/home/username/public_html/category/'); // where the pages are located on the server
    define('DIR_WS_ADMIN', '/'); // absolute path required
    define('DIR_FS_ADMIN', '/home/username/public_html/admin/'); // absolute path required
    define('DIR_WS_CATALOG', '/category/'); // absolute path required
    define('DIR_FS_CATALOG', '/home/username/public_html/category/'); // absolute path required

I am not sure what went wrong. When the redirect occurs, the pop-up secure warning appears twice and I have to click OK twice to proceed. Then the no such page message appears???

Please point me in the right direction. Thanks.

deroguy Posted September 3, 2004

Thanks Nate. Priceless

nate_02631 Posted September 3, 2004 (Author)

Glad (most) everyone has it working... thanks for the kudos, all!

akkinmore, sorry didn't get an email notification on your forum reply... It seems as though this is an issue with your SSL setup.... You should enter your admin in non-secure mode via the browser... And if you have a redirect to another secure URL, that will also make the SSL notice pop-up... Not an issue with this mod, per se.

BlackOps Posted September 30, 2004

I just installed this contribution, and it works fine. It's a very straightforward solution to a real problem.

I have made the following modification to html_output.php, so you can arbitrarily add other files that use SSL, without having to modify the list in multiple places.

catalog/admin/includes/functions/html_output.php:

Instead of adding the following to each if statement:

    ($page != FILENAME_CUSTOMERS && $page != FILENAME_ORDERS && $page != FILENAME_ORDERS_PACKINGSLIP && $page != FILENAME_ORDERS_INVOICE)

or

    ($page == FILENAME_CUSTOMERS || $page == FILENAME_ORDERS || $page == FILENAME_ORDERS_PACKINGSLIP || $page == FILENAME_ORDERS_INVOICE)

I created an array at the top of the file:

    // Define array of pages that require SSL
    // Modification of EZ Secure Contrib
    // 20040929 - BlackOps
    $force_ssl_list = array(
      FILENAME_CUSTOMERS,
      FILENAME_ORDERS,
      FILENAME_ORDERS_PACKINGSLIP,
      FILENAME_ORDERS_INVOICE,
      FILENAME_CREATE_ACCOUNT,
      FILENAME_CREATE_ACCOUNT_PROCESS,
      FILENAME_CREATE_ACCOUNT_SUCCESS,
      FILENAME_CREATE_ORDER_PROCESS,
      FILENAME_CREATE_ORDER,
      FILENAME_EDIT_ORDERS
    );

Then added the following line to the top of the function tep_href_link:

    global $force_ssl_list;

Then, in the if statements, I added the following:

    !in_array($page, $force_ssl_list)

or

    in_array($page, $force_ssl_list)

So, the final if statements should look like:

    if ($connection == 'NONSSL' && !in_array($page, $force_ssl_list)) {

and

    elseif ($connection == 'SSL' || in_array($page, $force_ssl_list)) {

Now, you may add any number of pages to the $force_ssl_list array, and each page in the array will use SSL.

The reason I created the array outside of the scope of the function is that I can foresee wanting access to that list of pages in another function.
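
An added example, not part of any post in this thread and not osCommerce's own code: a simplified stand-in for the modified link function using the array approach, plus a request-time check, since rewriting links does not stop a listed page from being requested directly over http://. The names example_href_link and ssl_redirect_target, and all host and file names, are assumptions made for illustration.

```php
<?php
// Added example: simplified stand-in for the admin link builder, not the
// real tep_href_link(). Hosts and file names are constructed sample values.
define('HTTP_SERVER', 'http://admin.example.test');
define('HTTPS_SERVER', 'https://secure.example.test');
define('DIR_WS_ADMIN', '/admin/');
define('ENABLE_SSL', 'true');
define('FILENAME_CUSTOMERS', 'customers.php');
define('FILENAME_ORDERS', 'orders.php');
define('FILENAME_ORDERS_INVOICE', 'invoice.php');
define('FILENAME_CATEGORIES', 'categories.php');

// Pages that must only be linked (and served) over SSL.
$force_ssl_list = array(FILENAME_CUSTOMERS, FILENAME_ORDERS, FILENAME_ORDERS_INVOICE);

// Link builder with the same two branch conditions as the modified function.
function example_href_link($page, $parameters = '', $connection = 'NONSSL') {
  global $force_ssl_list;
  $forced = in_array($page, $force_ssl_list, true);
  if ($connection == 'NONSSL' && !$forced) {
    $link = HTTP_SERVER . DIR_WS_ADMIN;
  } elseif ($connection == 'SSL' || $forced) {
    // Fall back to plain HTTP only when SSL is switched off in the config.
    $link = (ENABLE_SSL == 'true' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_ADMIN;
  } else {
    throw new InvalidArgumentException('Unknown connection type: ' . $connection);
  }
  return $link . $page . ($parameters == '' ? '' : '?' . $parameters);
}

// Request-time check: returns the https:// URL to redirect to when a listed
// page was requested over plain HTTP, or null when no redirect is needed.
function ssl_redirect_target($script, $query, $is_https) {
  global $force_ssl_list;
  $page = basename($script);
  if ($is_https || ENABLE_SSL != 'true') return null;
  if (!in_array($page, $force_ssl_list, true)) return null;
  return HTTPS_SERVER . DIR_WS_ADMIN . $page . ($query == '' ? '' : '?' . $query);
}

// Generated links: an unlisted page stays on HTTP, a listed page is forced to SSL.
foreach (array(FILENAME_CATEGORIES, FILENAME_CUSTOMERS) as $p) {
  echo $p, ' => ', example_href_link($p, 'page=1'), "\n";
}

// Direct requests over plain HTTP (constructed sample requests).
var_dump(ssl_redirect_target('/admin/orders.php', 'oID=5', false));
var_dump(ssl_redirect_target('/admin/categories.php', '', false));
var_dump(ssl_redirect_target('/admin/orders.php', 'oID=5', true));
```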

Guest Posted October 25, 2004

Is there any reason for not making the entire admin section SSL?

I have my sites set up to force the admin site to use SSL, regardless of the page. However, I do not recommend Forced SSL for those using dialup to access their server. Specifically if you are managing products.

I think your approach is good, nonetheless. Great Job.

nate_02631 Posted October 25, 2004 (Author)

> Is there any reason for not making the entire admin section SSL?

Yep, mostly for the reasons stated in the original post "alleviating unnecessary strain on the SSL server and allowing generally quicker operation of nonSSL admin functions."

The speed difference wouldn't be much different on a dialup (save for downloading pages) as all the SSL processing would be done at the server... So it's really about saving server cycles....

Alan Posted November 3, 2004

I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:- Administration Access Levels Accounts 2

I have added the following to admin/includes.config.php

    define('HTTPS_SERVER', 'https://my_secure_server');
    define('ENABLE_SSL', 'true');

and the following to admin/includes/functions/html

    if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS) ){

and

    elseif ($connection =='SSL' || ($page ==FILENAME_CUSTOMERS) ) {

as per the instructions in the contribution.

The result I am getting is that when I go to www.mywebsite.co.uk/admin it takes me to the login screen as expected via the ssl server ie https:// which is not what I expected. Once I login I can browse the admin pages non SSL ie http:// as I would expect. When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.

What I am trying to achieve is https:// access to the login screen (so that username and password are protected), http:// access to most of the admin pages since these are not necessarily confidential but https:// access to protect customer details on the 'customer', 'order' etc pages.

Has anyone achieved this?

Alan

secretuser Posted March 14, 2005

> I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:- Administration Access Levels Accounts 2
>
> I have added the following to admin/includes.config.php
>
>     define('HTTPS_SERVER', 'https://my_secure_server');
>     define('ENABLE_SSL', 'true');
>
> and the following to admin/includes/functions/html
>
>     if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS) ){
>
> and
>
>     elseif ($connection =='SSL' || ($page ==FILENAME_CUSTOMERS) ) {
>
> as per the instructions in the contribution.
>
> The result I am getting is that when I go to www.mywebsite.co.uk/admin it takes me to the login screen as expected via the ssl server ie https:// which is not what I expected. Once I login I can browse the admin pages non SSL ie http:// as I would expect. When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.
>
> What I am trying to achieve is https:// access to the login screen (so that username and password are protected), http:// access to most of the admin pages since these are not necessarily confidential but https:// access to protect customer details on the 'customer', 'order' etc pages.
>
> Has anyone achieved this?
>
> Alan

I have been having the same darn problem :( . This contribution worked great, even with the Admin Access contribution, but starting in December, it stopped working and I kept getting sent back to the login page. No matter how many times I relog in, I kept getting sent right back to login when trying to view the customer section.

jadah Posted June 8, 2005

Hi,

I added your contribution, and it works great, but I am having a little trouble, because my site was configured to use SSL in every module, and when I added your contribution, I stopped being able to enter my admin site, and the index file in the catalog/admin/index.php is giving me errors and is not letting me in, so I can't use the admin module to fix my site, or add products.

Thanks,

nate_02631 Posted June 9, 2005 (Author)

Sorry, I don't follow. Providing specific error messages would be helpful...

patrick77550 Posted July 26, 2005

Tony,

Excellent structural approach! Now when I complete my work order for our shop floor it's a piece of cake to add it to the list.

Patrick

opalmirror Posted February 20, 2006

> I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:- Administration Access Levels Accounts 2
>
> When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.

I observed the same problem with the Administration Access Levels Accounts 2.

I borrowed BlackOps' technique (below) for using an array, and since there was no preexisting admin/includes/config.php on my system (and since it didn't seem to have any effect), I placed all modifications in admin/includes/functions/html_output.php itself. First near the top:

    $force_ssl_list = array(
      FILENAME_CUSTOMERS,
      FILENAME_ORDERS,
      FILENAME_ORDERS_PACKINGSLIP,
      FILENAME_ORDERS_INVOICE,
      FILENAME_CREATE_ACCOUNT,
      FILENAME_CREATE_ACCOUNT_PROCESS,
      FILENAME_CREATE_ACCOUNT_SUCCESS,
      FILENAME_CREATE_ORDER_PROCESS,
      FILENAME_CREATE_ORDER,
      FILENAME_EDIT_ORDERS,
      FILENAME_LOGIN,
      FILENAME_STATS_CUSTOMERS
    );
    define('ENABLE_SSL', true);
    define('HTTPS_SERVER', 'https://metolius.loowit.net');

Note this makes the login and customers stats pages also SSL-only.

Then later in the file at the top of tep_href_link:

    global $force_ssl_list;

and I replace:

    if ($connection == 'NONSSL') {

with:

    if ($connection == 'NONSSL' && !in_array($page, $force_ssl_list)) {

and I replace:

    } elseif ($connection == 'SSL') {

with:

    } elseif ($connection == 'SSL' || in_array($page, $force_ssl_list)) {

Now all works well...

James

basnyd Posted April 26, 2006

I've used this contribution before and have had no issues, however this time has proved more challenging. I've made the updates to the configure.php file. I then updated the output_html.php file. When I change the output_html.php my whole admin area stops working and I see the following error:

    Fatal error: Call to undefined function: tep_image() in /home/shopjuda/public_html/catalog/admin/includes/header.php on line 19

If I remove the two changed lines in output_html.php I can then access the admin area again. The customer/order is never protected by SSL.

Any ideas of what might be wrong? Thanks for the assistance.

Barb

nate_02631 Posted April 26, 2006 (Author)

Yep, probably just a syntax error when pasting in the stuff... look carefully that you aren't dropping a semi-colon, parenthesis, etc...