Archived

This topic is now archived and is closed to further replies.

dr_lucas

Force SSL on login.php, create_account.php & any page via .htaccess

I was browsing a few threads here today; all said it's not possible to force SSL on a specific page via .htaccess.

I was trying to respond, but unfortunately the topics are archived and no longer accept responses (why archived? even a topic from 2011!?)

Anyway, it is possible to do that via .htaccess, just add these lines to the very bottom of your catalog/.htaccess and always be sure to leave at least 1 blank line at the end of the .htaccess file:

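# Force SSL on specific pages
<IfModule mod_rewrite.c>
# Rewriting must be enabled for the rules below to run (harmless if already on)
RewriteEngine On
# Only act on requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Only act on the listed pages
RewriteCond %{REQUEST_URI} ^/(login\.php|create_account\.php|checkout_shipping\.php|checkout_payment\.php|checkout_confirmation\.php)
# Send the browser to the same page over HTTPS
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [L]
</IfModule>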

I thought that a correctly set up oscommerce cart used https on those pages if you had an SSL certificate and set up both of the configure files correctly. Maybe I was wrong and this is needed, but I don't think I am.

While this may be the case, many stores are configured differently, have templates with hard coded http (instead of https) links, etc.

Also some people, for any reason, may try to or be able to manually remove the https from the URL and connect to certain pages via http instead.

Using this method, you ensure that this will no longer be possible. Besides, the code is easily modifiable to include or exclude from forcing-SSL any page the store admin wants by changing:

RewriteCond %{REQUEST_URI} ^/(login\.php|create_account\.php|checkout_shipping\.php|checkout_payment\.php|checkout_confirmation\.php)

For example, to:

# Will force SSL on advanced_search_results.php
RewriteCond %{REQUEST_URI} ^/(advanced_search_results\.php)

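To check which requests the posted rule actually redirects, this added example (not part of the original posts) models its two conditions and its substitution in Python over constructed request paths. The host name shop.example, the function simulate and its htaccess_dir parameter are assumptions; the run shows that a store installed under a subdirectory such as /catalog/ is not matched by the ^/ anchored condition.

```python
import re

# Page list copied from the RewriteCond in the first post.
PROTECTED = (r"^/(login\.php|create_account\.php|checkout_shipping\.php|"
             r"checkout_payment\.php|checkout_confirmation\.php)")

def simulate(port, request_uri, htaccess_dir="/", query="", host="shop.example"):
    """Return the redirect target the posted rule would produce, or None.

    htaccess_dir is the URL path of the directory holding the .htaccess
    (assumed values; "/" means the store sits at the document root).
    """
    # RewriteCond %{SERVER_PORT} 80 is an unanchored regex, so 8080 matches too.
    if not re.search("80", str(port)):
        return None
    # RewriteCond %{REQUEST_URI} ^/(...) is tested against the full URL path.
    if not re.search(PROTECTED, request_uri):
        return None
    # In .htaccess the RewriteRule pattern sees the path relative to that directory.
    if not request_uri.startswith(htaccess_dir):
        return None
    relative = request_uri[len(htaccess_dir):]
    captured = re.match(r"^(.*)$", relative).group(1)
    target = f"https://{host}/{captured}"
    # mod_rewrite re-appends the original query string to the substitution.
    return target + ("?" + query if query else "")

# Constructed sample requests: (port, path, .htaccess directory, query string)
CASES = [
    (80, "/login.php", "/", ""),
    (80, "/login.php", "/", "action=process"),
    (443, "/login.php", "/", ""),                 # already HTTPS: untouched
    (80, "/index.php", "/", ""),                  # not in the list: untouched
    (80, "/catalog/login.php", "/catalog/", ""),  # subdirectory store: NOT forced
    (80, "/login.php.bak", "/", ""),              # no end anchor: also redirected
]

if __name__ == "__main__":
    for case in CASES:
        print(case, "->", simulate(*case))
```

For a store served from a subdirectory, the page list in the condition has to include that prefix before the rule has any effect.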

It is possible to force SSL on all pages (which would be best); just configure it in your configure.php files:

includes/configure.php

define('HTTP_SERVER', 'https://yoursite.com');
define('HTTPS_SERVER', 'https://yoursite.com');
define('ENABLE_SSL', true);

admin/includes/configure.php

define('HTTP_SERVER', 'https://yoursite.com');
define('HTTP_CATALOG_SERVER', 'https://yoursite.com');
define('HTTPS_CATALOG_SERVER', 'https://yoursite.com');
define('ENABLE_SSL_CATALOG', true);

The important part of this code is the 'https://yoursite.com' for HTTP_SERVER, not just the HTTPS_SERVER. This forces HTTPS even when the user types in a plain http address or the link is hard coded.


@14steve14 This fix has been around for a while. It is considered a security error because the URL will work in non-ssl mode, which means the data entered would not be encrypted. I don't think anyone would deliberately change the URL, but purchased templates are notorious for adding links to those pages that do not use ssl.

@T. Thomas That will work but is a bad idea. The reasons have been stated a number of times in various threads here on the forums if you want to look those up.
