osCommerce

The e-commerce.

Time to get secure (if you haven't already)


frankl


If you want SSL sitewide, you have to change http://... to https://... in all places in both config.php files. That's as a minimum. As John said, if the warning still pops up, you have a hard coded http://... or two somewhere you'll need to find.

5 hours ago, John W said:

@tightwad

Look in your admin template_top.php for where that css is called and change it to this.


<link rel="stylesheet" href="../ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">

 

That error was one of many related to the CSS/jquery.  I have this in my admin/template_top.php.  I'm not sure how to make the change you suggest:

<base href="<?php echo ($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_ADMIN : HTTP_SERVER . DIR_WS_ADMIN; ?>" />
<!--[if IE]><script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/excanvas.min.js', '', 'SSL'); ?>"></script><![endif]-->
<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css', '', 'SSL'); ?>">
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/jquery-2.2.3.min.js', '', 'SSL'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/jquery-ui-1.10.4.min.js', '', 'SSL'); ?>"></script>
6 hours ago, MrPhil said:

If you want SSL sitewide, you have to change http://... to https://... in all places in both config.php files. That's as a minimum. As John said, if the warning still pops up, you have a hard coded http://... or two somewhere you'll need to find.

 

11 hours ago, BrockleyJohn said:

@tightwad the osCommerce code was designed only to make the checkout process secure (the enable SSL toggle just affects that bit).

To make the whole site secure, set the HTTP_SERVER values to https: as well as the HTTPS_SERVER values.

If you still get mixed content warnings then http:// is hard-coded and you'll have to track down exactly where.

I tried changing the config.php files to:

  define('HTTP_SERVER', 'https://www.mysiteURL.com');
  define('HTTPS_SERVER', 'https://www.mysiteURL.com');

I still get errors on:

Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.mysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/jquery-2.2.3.min.js'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/ui/jquery-ui-1.10.4.min.js'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://wwwmysiteURL/ext/flot/jquery.flot.min.js'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL/ext/flot/jquery.flot.time.min.js'. This content should also be served over HTTPS.
6Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure image '<URL>'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.

I appreciate the help and responses...I feel it's so close to working right, I'm looking forward to moving forward with template/UI changes!


Simple fix: find

http://www.mysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'

and change to

https://www.mysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'

find

http://www.mysiteURL/images/stars_5.gif'

and change to

https://www.mysiteURL/images/stars_5.gif'

Any URL used in an SSL site must come from an SSL site.

 


1 hour ago, John W said:

Post your template_top.php from your admin and we'll help you fix this.

<?php
/*
  $Id$

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2014 osCommerce

  Released under the GNU General Public License
*/
?>
<!DOCTYPE html>
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<meta name="robots" content="noindex,nofollow">
<title><?php echo TITLE; ?></title>
<base href="<?php echo ($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_ADMIN : HTTP_SERVER . DIR_WS_ADMIN; ?>" />
<!--[if IE]><script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/excanvas.min.js', '', 'SSL'); ?>"></script><![endif]-->
<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css', '', 'SSL'); ?>">
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/jquery-2.2.3.min.js', '', 'SSL'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/jquery-ui-1.10.4.min.js', '', 'SSL'); ?>"></script>

<?php
  if (tep_not_null(JQUERY_DATEPICKER_I18N_CODE)) {
?>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/i18n/jquery.ui.datepicker-' . JQUERY_DATEPICKER_I18N_CODE . '.js', '', 'SSL'); ?>"></script>
<script type="text/javascript">
$.datepicker.setDefaults($.datepicker.regional['<?php echo JQUERY_DATEPICKER_I18N_CODE; ?>']);
</script>
<?php
  }
?>

<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/jquery.flot.min.js', '', 'SSL'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/jquery.flot.time.min.js', '', 'SSL'); ?>"></script>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<script type="text/javascript" src="includes/general.js"></script>
</head>
<body>

<?php require('includes/header.php'); ?>

<?php
  if (tep_session_is_registered('admin')) {
    include('includes/column_left.php');
  } else {
?>

<style>
#contentText {
  margin-left: 0;
}
</style>

<?php
  }
?>

<div id="contentText">

 

There is an .htaccess at the root (catalog) level as well as at the Admin level; both contain at the top:

 

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

 


Okay, change this line

<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css', '', 'SSL'); ?>">

to this

<link rel="stylesheet" href="../ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">

Let us know if you still have a problem.

I'm not really a dog.


Thanks!  That appears to have resolved the issue with that call.  I have these as well, but the format is different so I wasn't able to apply the exact same treatment:

orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/jquery-2.2.3.min.js'. This content should also be served over HTTPS.
orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/ui/jquery-ui-1.10.4.min.js'. This content should also be served over HTTPS.
orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/flot/jquery.flot.min.js'. This content should also be served over HTTPS.
orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/flot/jquery.flot.time.min.js'. This content should also be served over HTTPS.

 


For the first two change to

<script type="text/javascript" src="../ext/jquery/jquery-2.2.3..min.js"></script>
<script type="text/javascript" src="../ext/jquery/ui/jquery-ui-1.10.4.min.js"></script>

Your other two should work as long as your config is correct.

I'm not really a dog.


19 hours ago, John W said:

<script type="text/javascript" src="../ext/jquery/jquery-2.2.3..min.js"></script>

This should be

<script type="text/javascript" src="../ext/jquery/jquery-2.2.3.min.js"></script>

There is an extra (.) after (jquery-2.2.3.)

Get the latest Responsive osCommerce CE (community edition) here .


Thanks!  That fixed it, and I was able to take the same fix to the other 2 jquery rows as well.  WhyNoPadlock now tells me I have no mixed content (but they see an SSL cert problem I don't understand).  Most of the console warnings are gone.   Thanks so much for the help!


Archived

This topic is now archived and is closed to further replies.
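
The fix used in this thread replaces generated absolute URLs with relative ones, and relative URLs take their scheme from the template's `<base href>` rather than from the address bar. The Python script below is an added example, not code from any post or from osCommerce: it audits rendered admin HTML for subresources that still resolve to http://. The names `MixedContentAudit`, `audit`, `PAGE` and `HEAD` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, mixed-content class). Scripts and stylesheets are
# active content; images are passive content.
SUBRESOURCES = {"script": ("src", "active"), "link": ("href", "active"),
                "img": ("src", "passive")}


class MixedContentAudit(HTMLParser):
    """Collect subresources that resolve to http:// on an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url    # fallback when the page has no <base href>
        self.base_seen = False  # browsers honour only the first <base href>
        self.findings = []      # (class, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and not self.base_seen:
            # Relative URLs resolve against <base href>, not the address bar.
            self.base, self.base_seen = urljoin(self.base, attrs["href"]), True
        if tag not in SUBRESOURCES:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        attr, kind = SUBRESOURCES[tag]
        if attrs.get(attr):
            resolved = urljoin(self.base, attrs[attr])
            if urlsplit(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))


def audit(page_url, html):
    """Return the insecure subresources of one rendered page."""
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: admin <head> output using the thread's placeholder host.
PAGE = "https://www.mysiteURL.com/admin/index.php"
HEAD = """<base href="{base}" />
<link rel="stylesheet" href="../ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">
<script src="http://www.mysiteURL.com/ext/jquery/jquery-2.2.3.min.js"></script>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<img src="http://www.mysiteURL.com/images/stars_5.gif">"""

if __name__ == "__main__":
    for base in ("https://www.mysiteURL.com/admin/", "http://www.mysiteURL.com/admin/"):
        print(base, audit(PAGE, HEAD.format(base=base)))
```

With an https:// base only the two hard-coded http:// references are reported; with an http:// base the relative stylesheet links are reported as well, which is why the relative-path fix depends on HTTP_SERVER already being set to https://.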
