
vampirehunter

Enabling .htaccess htpassword in Admin, Should there be 2 consecutive login pop ups?


I have a question which hopefully someone can answer!

 

I activated and enabled the htpassword option in admin area.

 

However, when I log in, I get the Log In Pop form twice, is this correct behaviour?

 

So as soon as I go to my admin URL, I get the login popup, and after entering my username and password and pressing login, I get the same popup again, and after typing it again, then I'm logged in.

 

Is this the correct behaviour?

Or should it be just once?

 

Am I supposed to have my normal admin login, and a different login for the htaccess part?

 

thanks

Share this post


Link to post
Share on other sites

That usually happens when the admin's configure file is not set up correctly. It is allowing you to log in using a URL with http and then it switches to https, so you have to log in again. This is a security hazard since the first login is being transmitted unencrypted. Once the configure file is fixed, see this thread on how to force the SSL connection.

As for enabling the popup, using the method in the admin has a disadvantage since it uses the existing login. If a hacker were able to get the first login, he would already have the second, thus negating the extra security. Instead of using that option, use the control panel's option to protect the directory, assuming your control panel has that option, and use a different username and password when you create it.

Share this post


Link to post
Share on other sites

This might happen with any URL redirect (30x code, such as changing to https or adding www) -- you're getting one login for the initial contact, and then a second one for the changed URL coming back from the browser. I won't swear to that, but it seems plausible. Do you still get the double login even if you're careful to give the correct URL, so there shouldn't be any URL redirect?

 

Also keep in mind that using the osC-supplied password protection files might not work properly with some server configurations. You might also try removing that stuff, and using your hosting control panel's "password protect a directory". See if that makes any difference. You might then get a security complaint from osC that password protection isn't enabled, but you can ignore that message if it really is enabled.

Share this post


Link to post
Share on other sites

Hi thanks

I'll check the admin configuration file again.

 

I have got SSL installed and the SSL is for www domain.

 

I've forced the domain to always go to www in the .htaccess file in the root directory.

Share this post


Link to post
Share on other sites

Is there a thread or post with up-to-date info on setting the correct configuration file parameters?

I was pretty sure mine were correct, but will check again.

 

Thanks

Share this post


Link to post
Share on other sites


Ok, it seems you are right.

The first popup is saying to log into http:

Once that's submitted, the second popup is now saying to log into the https:

This is the admin configure file as it's set up currently. Is this OK, or is something missing? I've already added the force SSL into the admin .htaccess file, as said above in the other thread.

<?php
  define('HTTP_SERVER', 'https://www.mywebsite.co.uk');
  define('HTTPS_SERVER', 'https://www.mywebsite.co.uk');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.mywebsite.co.uk');
  define('HTTPS_COOKIE_DOMAIN', 'www.mywebsite.co.uk');
  define('HTTP_COOKIE_PATH', '/mywebsiteadmin');
  define('HTTPS_COOKIE_PATH', '/mywebsiteadmin');
  define('HTTP_CATALOG_SERVER', 'https://www.mywebsite.co.uk');
  define('HTTPS_CATALOG_SERVER', 'https://www.mywebsite.co.uk');
  define('ENABLE_SSL_CATALOG', 'false');
  define('DIR_FS_DOCUMENT_ROOT', '/home/mywebsite/public_html/');
  define('DIR_WS_ADMIN', '/mywebsiteadmin/');
  define('DIR_WS_HTTPS_ADMIN', '/mywebsiteadmin/');
  define('DIR_FS_ADMIN', '/home/mywebsite/public_html/mywebsiteadmin/');
  define('DIR_WS_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_FS_CATALOG', '/home/mywebsite/public_html/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

  define('DB_SERVER', 'localhost');
  define('DB_SERVER_USERNAME', 'username');
  define('DB_SERVER_PASSWORD', 'password');
  define('DB_DATABASE', 'database');
  define('USE_PCONNECT', 'false');
  define('STORE_SESSIONS', 'mysql');
  define('CFG_TIME_ZONE', 'Europe/London');
?>

Share this post


Link to post
Share on other sites


Hi, sorry, I forgot to mention before.

I'm just typing the URL to the admin without typing any http or https or www before the domain URL.

I'm using Firefox.

The aim is to have the admin URL always open to https:

What I have done now is turn off the htaccess in the administrators area, and I can see that if I go to Firefox and just type in the admin URL without any http or https or www before the domain, it goes straight to the correct admin URL, which is https://mywebsite.co.uk/mywebsiteadmin

I will most likely try to use the cPanel hosting directory to add the extra layer of protection rather than the osCommerce built-in one, as it's clearly causing some issue, even though I think I filled in the admin config URLs correctly in the previous post.

Not sure why it shouldn't go straight to https when the first popup comes up.

Share this post


Link to post
Share on other sites


I just used cPanel to password protect the admin directory, and that's giving the same issue, even if I type in https in the browser URL.

It's popping up asking me for username/password to log into the http, then a second popup comes again, this time asking so I can log into https.

Why is the initial request to the https not being met? It seems like it's going to http!

Share this post


Link to post
Share on other sites


Here are the config files. Are these correct?

I've looked up and down the forums and can't find a recent post giving clear instructions on how to set out both files in the current edition of BS osCommerce.

 

 

 

config

define('HTTP_SERVER', 'http://www.******.co.uk');
  define('HTTPS_SERVER', 'https://www.******.co.uk');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', '.www.******.co.uk');
  define('HTTPS_COOKIE_DOMAIN', '.www.******.co.uk');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/home/******/public_html/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

admin config

  define('HTTP_SERVER', 'https://www.********.co.uk');
  define('HTTPS_SERVER', 'https://www.********.co.uk');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', '');
  define('HTTPS_COOKIE_DOMAIN', '');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('HTTP_CATALOG_SERVER', 'https://www.********.co.uk');
  define('HTTPS_CATALOG_SERVER', 'https://www.********.co.uk');
  define('ENABLE_SSL_CATALOG', 'false');
  define('DIR_FS_DOCUMENT_ROOT', '/home/********/public_html/');
  define('DIR_WS_ADMIN', '/********/');
  define('DIR_WS_HTTPS_ADMIN', '/********/');
  define('DIR_FS_ADMIN', '/home/********/public_html/********/');
  define('DIR_WS_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_FS_CATALOG', '/home/********/public_html/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

htaccess in

 

public_html/includes/

# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1


# Redirect non-www urls to www
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.******\.co.uk
RewriteRule (.*) http://www.******.co.uk/$1 [R=301,L] 

These are the current files, with htaccess off in administrator, and also no password directory in cPanel, as I've disabled it for now.

Currently, if I type the admin URL without www, it takes you to the URL with the https: prefix.

However, once there, if I remove the https: and reload it with just www., it reloads the admin URL page with just www, so no https and no SSL.

It doesn't seem to be forcing SSL.

Shouldn't it be forcing SSL https whether I type in http, https, or www?

Or would I need to do this in htaccess somehow?

It's very confusing.

Share this post


Link to post
Share on other sites

From what I can gather, when htaccess password protect is turned on, via admin or via the cPanel method, it looks like the page is asking for authentication before the redirect is complete.

It cannot be the config settings, can it?

Looks like it's a PHP redirect issue.

Share this post


Link to post
Share on other sites

I'm just typing the URL to the admin without typing any http or https or www before the domain URL.

I believe that should by default try http:, which means your .htaccess has to redirect to https:, which in turn could be forcing the double login. What happens when you explicitly type in https:?

 

Firefox will remember your URL, including the https:, so explicitly typing in https: just once should be remembered for you.

 

Share this post


Link to post
Share on other sites

@vampirehunter It's difficult to know what to respond to with so many posts since I don't know the current status. But there are two things I can say.

First, 'ENABLE_SSL_CATALOG' in the admin configure file should be set to true.

Second, you said that you added the force SSL command but you also said you can get to the admin using http. If the force command is entered correctly, using http won't work. You should be shown a failure page, like access denied.

Share this post


Link to post
Share on other sites


Hi, thanks, yes.

I'm not sure if this is right.

This is the admin htaccess file. I can still access http.

SSLRequireSSL
# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1

Share this post


Link to post
Share on other sites


Typing https:// will take you straight to the admin with the https intact.

Once on the page, if I remove the https: and reload the page, it will reload the page without https, showing as unsecure.

Share this post


Link to post
Share on other sites


I added the force SSL, but can still access the admin URL without https:

Seems like it is not forcing it to always use https:

I've also turned on cPanel password directory protection again, and this is what happens when typing the following directly in the browser URL.

 

1.) mywebsite.co.uk/admin

I get the popup asking me to log into the http:// not https:

Only after entering my username/password once do I get a second popup, now saying it will log me into https:

2.) www.mywebsite.co.uk/admin

I get the popup asking me to log into the http:// not https:

Only after entering my username/password once do I get a second popup, now saying it will log me into https:

3.) https://mywebsite.co.uk/admin

I get the popup asking me to log into the http:// not https:

Only after entering my username/password once do I get a second popup, now saying it will log me into https:

4.) https://www.mywebsite.co.uk/admin

I get the popup asking me to log into the https, so no second popup.

 

 

So the same behaviour is being shown as when I had the built-in osCommerce password protection turned on.

It seems to be asking twice for login; the first is unsecure, the second is secure.

I would like to be able to access the admin URL and always have it with https so no mistakes of logging in over unsecure can be made.

Just not sure what is to be done, having done the steps mentioned above.

Share this post


Link to post
Share on other sites


Typing in https://www.mywebsite.co.uk/admin directly in the browser URL works and gives the popup asking if I want to log in to the https://

Typing in https://mywebsite.co.uk/admin directly in the browser URL doesn't work and gives the popup asking if I want to log in to the http

Is it a case of simply always having to enter https://www in the browser URL when accessing the admin URL?

I suppose it can be lived with, but having it always forced to https would be much preferable, especially if forgetting to add https when typing the URL.

My main site htaccess in public_html/includes is this:

 

 

# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1


# Redirect non-www urls to www
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.******\.co.uk
RewriteRule (.*) http://www.******.co.uk/$1 [R=301,L] 

Share this post


Link to post
Share on other sites

@vampirehunter There might be something on the server that is preventing the SSL command from working. Before the SSLRequireSSL command, place

 SSLOptions  -StrictRequire

If that doesn't work, you may want to ask your host to see if there is a reason it won't work on your server.

 

Also, as a quick test, rename the .htaccess file in the root directory and try connecting to admin using http. Please note that this will break your shop so do it quickly. It should only take you under a minute. If you are not able to use http, then something in the root .htaccess is overriding the command.

Share this post


Link to post
Share on other sites

 

typing in https://www.mywebsite.co.uk/admin directly in browser URL works and gives the pop up asking if i want to login to the https://

 

typing in https://mywebsite.co.uk/admin directly in browser URL doesn't work and gives pop up asking if i want to login to the http

 

 


# Redirect non-www urls to www
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.******\.co.uk
RewriteRule (.*) http://www.******.co.uk/$1 [R=301,L] 

 

If you enter without www., it will add www. to the domain AND change it to http:!  If your site is to be strictly https, simply change http: to https: there. If you want the customer side to be normally http:, you would have to add a RewriteCond for %{HTTPS} off (leave it http), and then repeat the rewrite with HTTPS on and the new URL with https:. Or, there are some tricks you can do to grab the https/http status and put that into the RewriteRule. I don't remember it offhand, but it's been discussed several times recently.

 

If you fail to enter https:, it will have to go through the rewrite to change the default http: to https:, and you will probably get the double login. You could consider putting the entire site (or at least the store) under https:, and forcing http->https in the root or catalog directory, as well as forcing www. Then the password protection is a level down (in admin) and I don't think you'll get the double login, as the redirect for https or www is up higher.

Share this post


Link to post
Share on other sites


OK, thanks.

I see. So I would need to sort this via rewrite.

The main site is http and only the logged-in sections should be https;

only the admin needs https.

Well, I'm testing this; I found this page here:

http://stackoverflow.com/questions/3307025/force-https-on-certain-urls-and-force-http-for-all-others

and used the below code in the public_html/htaccess file under the other rewrite. It seems to be working, I think.

# Force HTTPS for /myadmin
RewriteCond %{HTTPS} !=on
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/myadmin [NC]
RewriteRule ^(myadmin) https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]

I've taken out the force SSL in the admin htaccess, and just added the above code in the public_html/htaccess; it seems to be working.

I've turned on password protect directory in cPanel on the admin directory, and now if I type in any of these combinations

http://

without http:// or https://

https://

www

I only get 1 same popup now, asking me if I want to log into the https admin.

Share this post


Link to post
Share on other sites
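
The behaviour reported in this thread, as an added example (not code from any poster or from osCommerce): a small Python model of the two rewrite rules posted above that walks each typed URL and reports which origin shows the password prompt and whether any hop downgrades https to http. It assumes, as the posts describe, that the root .htaccess rewrites answer before the password challenge and that the admin application redirects plain-http requests to its https server URL only after authentication; `www.example.co.uk` and `/myadmin` are stand-ins for the masked values.

```python
import re
from urllib.parse import urlsplit

WWW = "www.example.co.uk"   # constructed stand-in for the thread's masked domain
ADMIN = "/myadmin"          # admin directory name used in the thread's rule


def www_rule(scheme, host, path):
    """Thread's 'Redirect non-www urls to www' rule: the target is hard-coded http://."""
    if not re.match(r"^www\.example\.co\.uk", host):
        return f"http://{WWW}{path}"
    return None


def force_https_admin(scheme, host, path):
    """Thread's 'Force HTTPS for /myadmin' rule, modelled on scheme and path only."""
    if scheme != "https" and re.match(r"^/myadmin", path, re.I):
        return f"https://{host}{path}"
    return None


def respond(url, rules, authed):
    """Modelled server answer for one request: (status, redirect target or None)."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    for rule in rules:                      # root .htaccess rewrites, in file order
        target = rule(u.scheme, u.netloc, u.path)
        if target:
            return 301, target
    if u.path.lower().startswith(ADMIN):
        if origin not in authed:            # password-protected directory
            return 401, None
        if u.scheme != "https":             # assumption: app redirects to its https URL
            return 302, f"https://{WWW}{u.path}"
    return 200, None


def walk(url, rules, max_hops=10):
    """Follow the chain as a browser would; the user answers every prompt."""
    authed, hops, prompts = set(), [url], []
    for _ in range(max_hops):
        status, location = respond(url, rules, authed)
        if status == 401:
            u = urlsplit(url)
            origin = f"{u.scheme}://{u.netloc}"
            prompts.append(origin)          # where the password is typed and sent
            authed.add(origin)              # Basic credentials are cached per origin
        elif status in (301, 302):
            url = location
            hops.append(url)
        else:
            break
    return hops, prompts


def audit(url, rules):
    """Summarise one typed URL: prompt origins, plaintext prompt, https->http hop."""
    hops, prompts = walk(url, rules)
    return {
        "prompts": prompts,
        "plaintext_prompt": any(p.startswith("http://") for p in prompts),
        "downgrade": any(a.startswith("https://") and b.startswith("http://")
                         for a, b in zip(hops, hops[1:])),
    }


ORIGINAL = [www_rule]                       # root .htaccess before the change
FIXED = [www_rule, force_https_admin]       # after adding the /myadmin rule below it

if __name__ == "__main__":
    for typed in ("http://example.co.uk/myadmin", "http://www.example.co.uk/myadmin",
                  "https://example.co.uk/myadmin", "https://www.example.co.uk/myadmin"):
        print(typed, audit(typed, ORIGINAL), audit(typed, FIXED))
```

With the second rule in place the model still reports a downgrade hop for the non-www https URL, because the www rule keeps its hard-coded `http://` target.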

Sounds like a plan! By the way, if you force www in your store (catalog) .htaccess, make sure you don't accidentally turn https (for certain pages) into http! You'll need to either find the redirect code to determine http or https and use that in the rewrite rule, or split the www force into http and https versions.

Share this post


Link to post
Share on other sites


Do you have an example of this?

I just checked the catalog pages, and if I go to an https loaded page, if I remove the https and reload the page with just www., it reloads the page without the https and secure SSL.

Share this post


Link to post
Share on other sites
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ - [env=protocol:https]

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ - [env=protocol:http]

RewriteCond %{HTTP_HOST} !^www.mysite.co.uk$ [NC]
RewriteRule ^(.*)$ %{ENV:protocol}://www.mysite.co.uk/$1 [L,R=301]

Been trying this, but still no luck on making sure that if an https page is reloaded without https, it redirects only to the https version.

At the moment, I can still access an https page without https if you just remove the https in the browser URL and reload.

Share this post


Link to post
Share on other sites
