nate_02631

[contribution] EZ Secure Order & Customer Viewing

Ez Secure Order & Customer Viewing for osCommerce

 

This contribution addresses an issue with the store admin to allow secure viewing and editing of order and customer details while allowing the rest of the admin to remain in standard mode -- alleviating unnecessary strain on the SSL server and allowing generally quicker operation of nonSSL admin functions.

 

It involves adding two simple lines to the admin config file and slightly altering the tep_href_link function of the admin's includes/html_output.php file. It has been tested with MS 2.2 but will likely work on older versions as well.

 

In the admin/includes/config.php file add the following two lines:

define('HTTPS_SERVER', 'https://your-secure-server.com'); // secure webserver for admin
define('ENABLE_SSL', 'true');	// enable SSL for customers/orders viewing

Altering the server value to the name of your secure server. In general, it is the same as the HTTPS_CATALOG_SERVER value.

 

Then find the tep_href_link function in the admin/includes/functions/html_output.php

 

Change

if ($connection == 'NONSSL') {

to:

if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS && $page != FILENAME_ORDERS  && $page != FILENAME_ORDERS_PACKINGSLIP  && $page != FILENAME_ORDERS_INVOICE) ) {

and change the following

} elseif ($connection == 'SSL') {

to:

} elseif ($connection == 'SSL' || ($page == FILENAME_CUSTOMERS || $page == FILENAME_ORDERS || $page == FILENAME_ORDERS_PACKINGSLIP || $page == FILENAME_ORDERS_INVOICE) ) {

That's it! Now when you are in the orders or customer sections of your admin, your server will switch to secure mode. Post any questions or comments below.


** Please do not PM with personal support requests (even if offering "payment"). Thank you.


Nice One!!!!

 

I have been looking for a solution to this one myself and have asked the question in these forums several times before, and not being a PHP guru this was a problem.

 

Thanks for the info...

 

 

Richard E


The solution is never too far away ...


I have just carried out the changes but it isn't swapping over to the secure server!

 

Guess it is something I have done!

 

I have checked and double checked code and it is as stated.

 

Any ideas?


Fixed!

 

For some reason FTP would not overwrite config file so it wasn't updating.

 

Had to rename then upload new version.

 

Great contribution.


HI!

This might be just what I'm looking for! Was wondering if it also secures the payment module account information, as well as shipping account username/password info if I used USPS?


No, but you can auto-secure any specific admin files by adding them to the $page equals (and not equals) FILENAME_BLAH comparos...



Make sure you have your USE_SSL config options set to true, and the appropriate SSL servers specified...



This contrib has nothing to do with your SSL *setup* per se... You must set your store's configuration to the correct values for your network.

 

If you are pointing your admin's SSL to the correct place in configuration.php and make the other small change outlined, then the mod will enter SSL for just the parts of your admin specified.



Hi Nate,

 

I have installed the system in the following:

 

1. The main code is under the category directory.

2. My admin uses a sub-domain called admin.mydomain.com under the admin directory.

 

Here are the config under config.php:

 

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)

define('HTTP_SERVER', 'http://admin.mydomain.com');
define('HTTPS_SERVER', 'https://secure-net/~username/admin'); // secure webserver for admin
define('ENABLE_SSL', 'true'); // enable SSL for customers/orders viewing

define('HTTP_CATALOG_SERVER', 'http://mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://secure-net/~username');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/home/username/public_html/category/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/'); // absolute path required
define('DIR_FS_ADMIN', '/home/username/public_html/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/category/'); // absolute path required
define('DIR_FS_CATALOG', '/home/username/public_html/category/'); // absolute path required

 

I am not sure what went wrong. When the redirect occurs, the pop-up secure warning appears twice and I have to click OK twice to proceed. The no such page message appears???

 

Please point me to the right direction. Thanks. :rolleyes:


Glad (most) everyone has it working... thanks for the kudos, all!

 

akkinmore, sorry didn't get an email notification on your forum reply... It seems as though this is an issue with your SSL setup.... You should enter your admin in non-secure mode via the browser... And if you have a redirect to another secure URL, that will also make the SSL notice pop-up... Not an issue with this mod, per se.



I just installed this contribution, and it works fine. It's a very straight-forward solution to a real problem.

 

I have made the following modification to html_output.php, so you can arbitrarily add other files that use SSL, without having to modify the list in multiple places.

 

catalog/admin/includes/functions/html_output.php:

Instead of adding the following to each if statement:

($page != FILENAME_CUSTOMERS && $page != FILENAME_ORDERS  && $page != FILENAME_ORDERS_PACKINGSLIP  && $page != FILENAME_ORDERS_INVOICE)
or
($page == FILENAME_CUSTOMERS || $page == FILENAME_ORDERS || $page == FILENAME_ORDERS_PACKINGSLIP || $page == FILENAME_ORDERS_INVOICE)

I created an array at the top of the file:

// Define array of pages that require SSL
// Modification of EZ Secure Contrib
// 20040929 - BlackOps
$force_ssl_list = array(
       FILENAME_CUSTOMERS,
       FILENAME_ORDERS,
       FILENAME_ORDERS_PACKINGSLIP,
       FILENAME_ORDERS_INVOICE,
       FILENAME_CREATE_ACCOUNT,
       FILENAME_CREATE_ACCOUNT_PROCESS,
       FILENAME_CREATE_ACCOUNT_SUCCESS,
       FILENAME_CREATE_ORDER_PROCESS,
       FILENAME_CREATE_ORDER,
       FILENAME_EDIT_ORDERS
);

Then added the following line to the top of the function tep_href_link:

global $force_ssl_list;

Then, in the if statements, I added the following:

!in_array($page, $force_ssl_list)
or
in_array($page, $force_ssl_list)

 

So, the final if statements should look like:

if ($connection == 'NONSSL' && !in_array($page, $force_ssl_list)) {
and
elseif ($connection == 'SSL' || in_array($page, $force_ssl_list)) {

Now, you may add any number of pages to the $force_ssl_list array, and each page in the array will use SSL.

 

The reason I created the array outside of the scope of the function is that I can foresee wanting access to that list of pages in another function.


Is there any reason for not making the entire admin section SSL?

 

I have my sites setup to force the admin site to use SSL, regardless of the page.

However, I do not recommend Forced SSL for those using dialup to access their server. Specifically if you are managing products.

 

I think your approach is good, nonetheless. Great Job.


If it weren't for tweakers, I would not have a job.

Is there any reason for not making the entire admin section SSL?

Yep, mostly for the reasons stated in the original post

"alleviating unnecessary strain on the SSL server and allowing generally quicker operation of nonSSL admin functions."

 

The speed difference wouldn't be much different on a dialup (save for downloading pages) as all the SSL processing would be done at the server... So it's really about saving server cycles....



I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:-

 

Administration Access Levels Accounts 2

 

I have added the following to admin/includes.config.php

 

define('HTTPS_SERVER', 'https://my_secure_server');
define('ENABLE_SSL', 'true');

 

and the following to admin/includes/functions/html

 

if ($connection == 'NONSSL' && ($page != FILENAME_CUSTOMERS) ){

 

and

 

elseif ($connection =='SSL' || ($page ==FILENAME_CUSTOMERS) ) {

 

as per the instructions in the contribution.

 

The result I am getting is that when I go to www.mywebsite.co.uk/admin it takes me to the login screen as expected via the ssl server ie https:// which is not what I expected. Once I login I can browse the admin pages non SSL ie http:// as I would expect. When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.

What I am trying to achieve is https:// access to the login screen (so that username and password are protected), http:// access to most of the admin pages since these are not necessarily confidential but https:// access to protect customer details on the 'customer', 'order' etc pages.

 

Has anyone achieved this?

 

Alan


Alan


I have been having the same darn problem :( . This contribution worked great, even with the Admin Access contribution, but starting in December, it stopped working and I kept getting sent back to the login page. No matter how many times I relog in, I kept getting sent right back to login when trying to view the customer section.

Edited by secretuser


Hi, I added your contribution, and it works great, but I am having a little trouble, because my site was configured to use SSL in every module, and when I added your contribution, I stopped entering my admin site, and the index file in the catalog/admin/index.php is giving me errors and is not letting me in, so I can't use the admin module to fix my site, or add products.

 

Thanks,


Sorry, I don't follow. Providing specific error messages would be helpful...



Tony,

Excellent structural approach! Now when I complete my work order for our shop floor it's a piece of cake to add it to the list.

Patrick

I got EZ Secure Order to work as it should with ms2 'Out of the box'. I have been trying to get this to work with this contribution:-

 

Administration Access Levels Accounts 2

When I try to access the 'Customer' areas I would hope to access via https:// however what does happen is that I arrive back at the login page.

 

I observed the same problem with the Administration Access Levels Accounts 2. I borrowed BlackOps' technique (below) for using an array, and since there was no preexisting admin/includes/config.php on my system (and since it didn't seem to have any effect), I placed all modifications in admin/includes/functions/html_output.php itself. First near the top:

$force_ssl_list = array(
   FILENAME_CUSTOMERS,
   FILENAME_ORDERS,
   FILENAME_ORDERS_PACKINGSLIP,
   FILENAME_ORDERS_INVOICE,
   FILENAME_CREATE_ACCOUNT,
   FILENAME_CREATE_ACCOUNT_PROCESS,
   FILENAME_CREATE_ACCOUNT_SUCCESS,
   FILENAME_CREATE_ORDER_PROCESS,
   FILENAME_CREATE_ORDER,
   FILENAME_EDIT_ORDERS,
   FILENAME_LOGIN,
   FILENAME_STATS_CUSTOMERS
);
define('ENABLE_SSL', true);
define('HTTPS_SERVER', 'https://metolius.loowit.net');

Note this makes the login and customers stats pages also SSL-only.

 

Then later in the file at the top of tep_href_link:

global $force_ssl_list;

 

and I replace:

if ($connection == 'NONSSL') {

with:

if ($connection == 'NONSSL' && !in_array($page, $force_ssl_list)) {

 

and I replace:

} elseif ($connection == 'SSL') {

with:

} elseif ($connection == 'SSL' || in_array($page, $force_ssl_list)) {

 

Now all works well...

 

James

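The forced-SSL page list that BlackOps and James describe above (and the two-condition change from the first post that it replaces), as an added example that is not part of any post in this thread and is not osCommerce's own code. `demo_href_link()` is a simplified stand-in for the admin `tep_href_link()`, and the host names and `FILENAME_*` values are constructed; the loop at the end prints the scheme each admin link resolves to, so pages still linked over plain HTTP are easy to spot.

```php
<?php
// Added example: simplified stand-in for the admin tep_href_link().
// Host names and FILENAME_* values are constructed for this demo.
define('HTTP_SERVER', 'http://admin.example.test');
define('HTTPS_SERVER', 'https://secure.example.test');
define('ENABLE_SSL', 'true');
define('DIR_WS_ADMIN', '/admin/');
define('FILENAME_CUSTOMERS', 'customers.php');
define('FILENAME_ORDERS', 'orders.php');
define('FILENAME_ORDERS_INVOICE', 'invoice.php');
define('FILENAME_ORDERS_PACKINGSLIP', 'packingslip.php');
define('FILENAME_CATEGORIES', 'categories.php');
define('FILENAME_LOGIN', 'login.php');

// Pages whose links must always be generated with the HTTPS server.
$force_ssl_list = array(
    FILENAME_CUSTOMERS,
    FILENAME_ORDERS,
    FILENAME_ORDERS_PACKINGSLIP,
    FILENAME_ORDERS_INVOICE,
);

function demo_href_link($page, $parameters = '', $connection = 'NONSSL') {
    global $force_ssl_list;
    // Strict comparison: only an exact filename match forces SSL.
    $forced = in_array($page, $force_ssl_list, true);
    if ($connection == 'NONSSL' && !$forced) {
        $link = HTTP_SERVER . DIR_WS_ADMIN;
    } elseif ($connection == 'SSL' || $forced) {
        // A forced page falls back to HTTP if ENABLE_SSL is not 'true'.
        $link = (ENABLE_SSL == 'true' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_ADMIN;
    } else {
        die('Unable to determine connection method');
    }
    $link .= $page;
    if ($parameters != '') {
        $link .= '?' . $parameters;
    }
    return $link;
}

// Print the scheme each page's link resolves to when the caller asks for NONSSL.
$pages = array(FILENAME_CATEGORIES, FILENAME_LOGIN, FILENAME_CUSTOMERS, FILENAME_ORDERS_INVOICE);
foreach ($pages as $page) {
    $url = demo_href_link($page, 'oID=1');
    printf("%-16s %-5s %s\n", $page, parse_url($url, PHP_URL_SCHEME), $url);
}
```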

I've used this contribution before and have had no issues, however this time has proved more challenging.

 

I've made the updates to the configure.php file. I then updated the output_html.php file. When I change the output_html.php my whole admin area stops working and I see the following error:

 

Fatal error: Call to undefined function: tep_image() in /home/shopjuda/public_html/catalog/admin/includes/header.php on line 19

 

If I remove the two changed lines in output_html.php I can then access the admin area again. The customer/order is never protected by SSL.

 

Any ideas of what might be wrong? Thanks for the assistance.

Barb


Yep, probably just a syntax error when pasting in the stuff... look carefully that you aren't dropping a semi-colon, parenthesis, etc...

