[contribution] EZ Secure Order & Customer Viewing



Ez Secure Order & Customer Viewing for osCommerce

 

This contribution addresses an issue with the store admin to allow secure viewing and editing of order and customer details while allowing the rest of the admin to remain in standard mode -- alleviating unnecessary strain on the SSL server and allowing generally quicker operation of nonSSL admin functions.

 

It involves adding two simple lines to the admin config file and slightly altering the tep_href_link function of the admin's includes/html_output.php file. It has been tested with MS 2.2 but will likely work on older versions as well.

 

In the admin/includes/config.php file add the following two lines:

define('HTTPS_SERVER', 'https://your-secure-server.com'); // secure webserver for admin
define('ENABLE_SSL', 'true');	// enable SSL for customers/orders viewing

Alter the server value to the name of your secure server. In general, it is the same as the HTTPS_CATALOG_SERVER value.

 

Then find the tep_href_link function in the admin/includes/functions/html_output.php

 

Change

if ($connection == 'NONSSL') {

to:

if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS && $page != FILENAME_ORDERS  && $page != FILENAME_ORDERS_PACKINGSLIP  && $page != FILENAME_ORDERS_INVOICE) ) {

and change the following

} elseif ($connection == 'SSL') {

to:

} elseif ($connection == 'SSL' || ($page == FILENAME_CUSTOMERS || $page == FILENAME_ORDERS || $page == FILENAME_ORDERS_PACKINGSLIP || $page == FILENAME_ORDERS_INVOICE) ) {

That's it! Now when you are in the orders or customer sections of your admin, your server will switch to secure mode. Post any questions or comments below.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.


Nice One!!!!

 

I have been looking for a solution to this one myself and have asked the question in these forums several times before, and not being a PHP guru this was a problem.

 

Thanks for the info...

 

 

Richard E

The solution is never too far away ...


No, but you can auto-secure any specific admin files by adding them to the $page equals (and not equals) FILENAME_BLAH comparos...

** Please do not PM with personal support requests (even if offering "payment"). Thank you.


  • 3 weeks later...
  • 2 weeks later...

Hi

 

Will it work on shared SSL? I have installed it according to your instructions but the browser says "The Page cannot be displayed".

 

When I click the customer, the browser was redirected to

 

https://63.220.81.11/~ovxssl/ocx/admin/cust...d_box=customers

 

and the page cannot be displayed. Any idea why?

 

Thanks


This contrib has nothing to do with your SSL *setup* per se... You must set your store's configuration to the correct values for your network.

 

If you are pointing your admin's SSL to the correct place in configuration.php and make the other small change outlined, then the mod will enter SSL for just the parts of your admin specified.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.


Hi Nate,

 

I have installed the system in the following:

 

1. The main code is under the category directory.

2. My admin uses a sub-domain called admin.mydomain.com under the admin directory.

 

Here are the config under config.php:

 

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)

define('HTTP_SERVER', 'http://admin.mydomain.com');
define('HTTPS_SERVER', 'https://secure-net/~username/admin'); // secure webserver for admin
define('ENABLE_SSL', 'true'); // enable SSL for customers/orders viewing

define('HTTP_CATALOG_SERVER', 'http://mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://secure-net/~username');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/home/username/public_html/category/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/'); // absolute path required
define('DIR_FS_ADMIN', '/home/username/public_html/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/category/'); // absolute path required
define('DIR_FS_CATALOG', '/home/username/public_html/category/'); // absolute path required

 

I am not sure what went wrong. When the redirect occurs, the pop-up secure warning appears twice and I have to click OK twice to proceed. The no such page message appears???

 

Please point me to the right direction. Thanks. :rolleyes:


  • 2 weeks later...

Glad (most) everyone has it working... thanks for the kudos, all!

 

akkinmore, sorry didn't get an email notification on your forum reply... It seems as though this is an issue with your SSL setup.... You should enter your admin in non-secure mode via the browser... And if you have a redirect to another secure URL, that will also make the SSL notice pop-up... Not an issue with this mod, per se.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.


  • 4 weeks later...

I just installed this contribution, and it works fine. It's a very straight-forward solution to a real problem.

 

I have made the following modification to html_output.php, so you can arbitrarily add other files that use SSL, without having to modify the list in multiple places.

 

catalog/admin/includes/functions/html_output.php:

Instead of adding the following to each if statement:

($page != FILENAME_CUSTOMERS && $page != FILENAME_ORDERS  && $page != FILENAME_ORDERS_PACKINGSLIP  && $page != FILENAME_ORDERS_INVOICE)
or
($page == FILENAME_CUSTOMERS || $page == FILENAME_ORDERS || $page == FILENAME_ORDERS_PACKINGSLIP || $page == FILENAME_ORDERS_INVOICE)

I created an array at the top of the file:

// Define array of pages that require SSL
// Modification of EZ Secure Contrib
// 20040929 - BlackOps
$force_ssl_list = array(
       FILENAME_CUSTOMERS,
       FILENAME_ORDERS,
       FILENAME_ORDERS_PACKINGSLIP,
       FILENAME_ORDERS_INVOICE,
       FILENAME_CREATE_ACCOUNT,
       FILENAME_CREATE_ACCOUNT_PROCESS,
       FILENAME_CREATE_ACCOUNT_SUCCESS,
       FILENAME_CREATE_ORDER_PROCESS,
       FILENAME_CREATE_ORDER,
       FILENAME_EDIT_ORDERS
);

Then added the following line to the top of the function tep_href_link:

global $force_ssl_list;

Then, in the if statements, I added the following:

!in_array($page, $force_ssl_list)
or
in_array($page, $force_ssl_list)

 

So, the final if statements should look like:

if ($connection == 'NONSSL' && !in_array($page, $force_ssl_list)) {
and
elseif ($connection == 'SSL' || in_array($page, $force_ssl_list)) {

Now, you may add any number of pages to the $force_ssl_list array, and each page in the array will use SSL.

 

The reason I created the array outside of the scope of the function is that I can foresee wanting access to that list of pages in another function.


  • 4 weeks later...

Is there any reason for not making the entire admin section SSL?

 

I have my sites setup to force the admin site to use SSL, regardless of the page.

However, I do not recommend Forced SSL for those using dialup to access their server. Specifically if you are managing products.

 

I think your approach is good, nonetheless. Great Job.


Is there any reason for not making the entire admin section SSL?

Yep, mostly for the reasons stated in the original post

 

"alleviating unnecessary strain on the SSL server and allowing generally quicker operation of nonSSL admin functions."

 

The speed difference wouldn't be much different on a dialup (save for downloading pages) as all the SSL processing would be done at the server... So it's really about saving server cycles....

** Please do not PM with personal support requests (even if offering "payment"). Thank you.


  • 2 weeks later...

I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:-

 

Administration Access Levels Accounts 2

 

I have added the following to admin/includes.config.php

 

define('HTTPS_SERVER', 'https://my_secure_server');
define('ENABLE_SSL', 'true');

 

and the following to admin/includes/functions/html

 

if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS) ){

 

and

 

elseif ($connection =='SSL' || ($page ==FILENAME_CUSTOMERS) ) {

 

as per the instructions in the contribution.

 

The result I am getting is that when I go to www.mywebsite.co.uk/admin it takes me to the login screen as expected via the ssl server ie https:// which is not what I expected. Once I login I can browse the admin pages non SSL ie http:// as I would expect. When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.

 

What I am trying to achieve is https:// access to the login screen (so that username and password are protected), http:// access to most of the admin pages since these are not necessarily confidential but https:// access to protect customer details on the 'customer', 'order' etc pages.

 

Has anyone achieved this?

 

Alan

Alan


  • 4 months later...
I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:-

 

Administration Access Levels Accounts 2

 

I have added the following to admin/includes.config.php

 

define('HTTPS_SERVER', 'https://my_secure_server');
define('ENABLE_SSL', 'true');

 

and the following to admin/includes/functions/html

 

if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS) ){

 

and

 

elseif ($connection =='SSL' || ($page ==FILENAME_CUSTOMERS) ) {

 

as per the instructions in the contribution.

 

The result I am getting is that when I go to www.mywebsite.co.uk/admin it takes me to the login screen as expected via the ssl server ie https:// which is not what I expected. Once I login I can browse the admin pages non SSL ie http:// as I would expect. When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.

 

What I am trying to achieve is https:// access to the login screen (so that username and password are protected), http:// access to most of the admin pages since these are not necessarily confidential but https:// access to protect customer details on the 'customer', 'order' etc pages.

 

Has anyone achieved this?

 

Alan

 

I have been having the same darn problem :( . This contribution worked great, even with the Admin Access contribution, but starting in December, it stopped working and I kept getting sent back to the login page. No matter how many times I relog in, I kept getting sent right back to login when trying to view the customer section.

Edited by secretuser

  • 2 months later...

Hi, I added your contribution, and it works great, but I am having a little trouble, because my site was configured to use SSL in every module, and when I added your contribution, I stopped entering my admin site, and the index file in the catalog/admin/index.php is giving me errors and is not letting me in, so I can't use the admin module to fix my site, or add products.

 

Thanks,


  • 1 month later...
  • 6 months later...
I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:-

 

Administration Access Levels Accounts 2

 

When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.

 

I observed the same problem with the Administration Access Levels Accounts 2. I borrowed BlackOps' technique (below) for using an array, and since there was no preexisting admin/includes/config.php on my system (and since it didn't seem to have any effect), I placed all modifications in admin/includes/functions/html_output.php itself. First near the top:

$force_ssl_list = array(
   FILENAME_CUSTOMERS,
   FILENAME_ORDERS,
   FILENAME_ORDERS_PACKINGSLIP,
   FILENAME_ORDERS_INVOICE,
   FILENAME_CREATE_ACCOUNT,
   FILENAME_CREATE_ACCOUNT_PROCESS,
   FILENAME_CREATE_ACCOUNT_SUCCESS,
   FILENAME_CREATE_ORDER_PROCESS,
   FILENAME_CREATE_ORDER,
   FILENAME_EDIT_ORDERS,
   FILENAME_LOGIN,
   FILENAME_STATS_CUSTOMERS
);
define('ENABLE_SSL', true);
define('HTTPS_SERVER', 'https://metolius.loowit.net');

Note this makes the login and customers stats pages also SSL-only.

 

Then later in the file at the top of tep_href_link:

global $force_ssl_list;

 

and I replace:

if ($connection == 'NONSSL') {

with:

if ($connection == 'NONSSL' && !in_array($page, $force_ssl_list)) {

 

and I replace:

} elseif ($connection == 'SSL') {

with:

} elseif ($connection == 'SSL' || in_array($page, $force_ssl_list)) {

 

Now all works well...

 

James

Link to comment
Share on other sites
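
An added example, not part of the original posts or of the contribution's code: the array-based link check from BlackOps's and James's posts, together with a request-time check, because rewriting links alone does not stop a listed page from being requested over plain http://. The host names and the `ex_href_link` / `ex_required_redirect` functions are hypothetical, and the link builder is a simplified stand-in for tep_href_link.

```php
<?php
// Added example: simplified stand-in for the admin link builder, not osCommerce code.
// Host names and the ex_* function names are hypothetical.
define('HTTP_SERVER', 'http://admin.example.test');
define('HTTPS_SERVER', 'https://secure.example.test');
define('DIR_WS_ADMIN', '/admin/');
define('FILENAME_CUSTOMERS', 'customers.php');
define('FILENAME_ORDERS', 'orders.php');
define('FILENAME_LOGIN', 'login.php');
define('FILENAME_CATEGORIES', 'categories.php');

// Single list of pages that must only be linked and served over HTTPS.
$force_ssl_list = array(FILENAME_CUSTOMERS, FILENAME_ORDERS, FILENAME_LOGIN);

// Link builder using the two conditions from the thread.
function ex_href_link($page, $parameters = '', $connection = 'NONSSL') {
    global $force_ssl_list;
    $forced = in_array($page, $force_ssl_list, true);
    if ($connection == 'NONSSL' && !$forced) {
        $link = HTTP_SERVER . DIR_WS_ADMIN;
    } elseif ($connection == 'SSL' || $forced) {
        $link = HTTPS_SERVER . DIR_WS_ADMIN;
    } else {
        die('Unknown connection type: ' . $connection);
    }
    return $link . $page . ($parameters != '' ? '?' . $parameters : '');
}

// Request-time check: a forced page requested over http:// is not served;
// the caller gets the https:// URL to redirect to, or null to proceed.
function ex_required_redirect($page, $is_https, $query_string = '') {
    global $force_ssl_list;
    if ($is_https || !in_array($page, $force_ssl_list, true)) {
        return null;
    }
    return ex_href_link($page, $query_string, 'SSL');
}

// Constructed sample requests: page, arrived over HTTPS?, query string.
$samples = array(
    array(FILENAME_CUSTOMERS, false, 'cID=7&action=edit'),
    array(FILENAME_CUSTOMERS, true, 'cID=7&action=edit'),
    array(FILENAME_CATEGORIES, false, ''),
);
foreach ($samples as $s) {
    $to = ex_required_redirect($s[0], $s[1], $s[2]);
    // In a real page: header('Location: ' . $to); exit; before any output.
    echo $s[0], ($s[1] ? ' [https] ' : ' [http] '), ($to === null ? 'serve' : 'redirect ' . $to), "\n";
}
```

In a live admin the `$is_https` argument would come from the server environment (for example `$_SERVER['HTTPS']`), which can read differently when TLS is terminated at a proxy in front of the web server.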

  • 2 months later...

I've used this contribution before and have had no issues, however this time has proved more challenging.

 

I've made the updates to the configure.php file. I then updated output_html.php file. When I change the output_html.php my whole admin area stops working and I see the following error:

 

Fatal error: Call to undefined function: tep_image() in /home/shopjuda/public_html/catalog/admin/includes/header.php on line 19

 

If I remove the two changed lines in output_html.php I can then access the admin area again. The customer/order is never protected by SSL.

 

Any ideas of what might be wrong? Thanks for the assistance.

Barb


Yep, probably just a syntax error when pasting in the stuff... look carefully that you aren't dropping a semi-colon, parenthesis, etc...

** Please do not PM with personal support requests (even if offering "payment"). Thank you.
