Force HTTPS administration
How can I force all admin sessions to be conducted via HTTPS? I want any admin attempting to access the admin area using HTTP to be redirected to the HTTPS login area.
|
I do this to my admin/orders.php and provider/orders.php as sensitive info is stored with the customer's cc, so I add the following include at the top of the orders.php:
Code:
@include "../customer/https.php";
And make adjustments in customer/https.php:
Code:
$https_scripts = array("orders.php","cart.php");
You'll need to add the include on every area in the admin you want secure so if it is hit with http it will switch over. You'll also need to add the filename of the admin php script you're wanting to secure; note I've got orders.php in my $https_scripts array. hth. ;) |
Boomer, that worked perfectly! Thanks a lot for the help.
|
I wanted the entire admin section to be https, so I added the following to admin/auth.php:
Code:
# Force the admin section to be secure
Now if you visit the admin section at http you are redirected to https. So far so good.
Brian |
Brian,
That is exactly what I was looking for - thanks a lot. Forced SSL Admin working 100% |
Thanks a lot, I tried this as well and it seems to work fine! I haven't tested it extensively, but I assume that in theory there should be no way now to access the admin functions without https? Obviously this is very important with regard to credit card details, as we all appreciate. :o
|
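A redirect guard of the kind discussed in the posts above, as an added example that is not code from this thread or from X-Cart. It assumes PHP 7 or later, that PHP sees the TLS connection directly (no TLS-terminating proxy in front), and a hypothetical `ADMIN_HTTPS_HOST` value and function names; besides redirecting, it marks the session cookie secure and refuses forms posted over HTTP, because a redirect only happens after the plain-HTTP request has already been sent.

```php
<?php
// Added example, not X-Cart code. Load with require_once at the top of
// admin/auth.php, before any output and before session_start().
if (!function_exists('admin_force_https')) { // safe against a double include
    // Assumption: canonical HTTPS host, set by hand. Building the redirect
    // from the client-supplied Host header would let a forged header send
    // the admin's browser to another site.
    define('ADMIN_HTTPS_HOST', 'store.example.com');

    function admin_request_is_https(array $server): bool
    {
        // Some servers set HTTPS to "off" on plain HTTP, so a bare
        // !empty() test is not enough.
        $flag = strtolower((string)($server['HTTPS'] ?? ''));
        if ($flag !== '' && $flag !== 'off') {
            return true;
        }
        return (int)($server['SERVER_PORT'] ?? 0) === 443;
    }

    function admin_force_https(array $server): void
    {
        if (admin_request_is_https($server)) {
            // Keep the browser on HTTPS for this host from now on.
            header('Strict-Transport-Security: max-age=31536000');
            // The session cookie must never be sent over plain HTTP.
            ini_set('session.cookie_secure', '1');
            ini_set('session.cookie_httponly', '1');
            return;
        }
        $method = $server['REQUEST_METHOD'] ?? 'GET';
        if ($method !== 'GET' && $method !== 'HEAD') {
            // A form posted over HTTP has already crossed the network in
            // clear text; refuse it rather than redirect silently.
            http_response_code(403);
            exit('HTTPS is required for the admin area.');
        }
        $path = (string)($server['REQUEST_URI'] ?? '/');
        if ($path === '' || $path[0] !== '/') {
            $path = '/'; // ignore absolute-form request targets
        }
        header('Location: https://' . ADMIN_HTTPS_HOST . $path, true, 301);
        exit;
    }
}

admin_force_https($_SERVER);
```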
works 100% but now I can't generate sql files
When I click on the "generate db"
the dialog box asks me if I want to save or open. I tried both, then a new dialog box opens with the following message Quote:
then after a minute I get this message, Quote:
Quote:
So how can I work out this conflict??? please help |
Forced administration ssl
Make sure your database has a connection via localhost.
I've seen this problem when x-cart is making a database connection via a URL or IP address. (Therefore, the data is being transferred through an insecure connection.) |
I just modified the following for complete https access:
customer/https.php:
Code:
# everything https
and for admin login - admin/auth.php: add this to the top:
Code:
@include "../customer/https.php";
I just added the support for admin login but I have been using the whole site as https b/c many customers complained about portions of the site not being secure. Personally I think they are paranoid, but if it will make them happy I'll accommodate them! |
3.5.1 does not work with HTTPS
Fatal error: Cannot redeclare is_https_link() (previously declared in /home/nquest/public_html/store/customer/https.php:54) in /home/nquest/public_html/store/customer/https.php on line 54
|
I haven't thought of using HTTPS yet, but I can see the importance now, so how can I get this done or configured on a VPS?
|
If you're talking about using a system where your users are sent to a different company who deals with the payment part of the sale, then they should take care of the secure side themselves
|
I think that's what I will have to do for the moment, but in the meanwhile do you know how to set it up (SSL) on a VPS?
|
the position of the include seems to make a difference
With 3.5.1 I tried the https include before the require's and it fails
But this seems to work.
# $Id: orders.php,v 1.17 2003/08/11 10:44:46 svowl Exp $
#
require "./auth.php";
require $xcart_dir."/include/security.php";
if ($config["General"]["secure_store"]=="Y"){
    @include "../customer/https.php";
}
Then add this to the database
INSERT INTO `xcart_config` VALUES ('secure_store', 'Enable Secure Store', 'Y', 'General', 5, 'checkbox', 'Y');
And modify https.php with:
if ($config["General"]["secure_store"]=="Y"){
    $https_scripts = array("register.php","cart.php?mode=checkout","orders.php","order.php");
}
else{
    $https_scripts = array();
}
I move the UNTOUCHED original files into my "patch" backup directory and add them to my "Patch-setup" script - before I patch I copy all changed files from the site with directory paths and replace them with these backups - If I need to, if the file name is not in the file.lst with the patch then the script by-passes the file. |
Entire Store in HTTPS (Customers & Admin) ???
Hi all,
In this thread I was reading how to change the entire store to HTTPS. Can somebody shed some light on this. I think it is great, and have just made the changes to 3.4.11 and it works perfect so far. Why is this not common practice ??? Is this a performance thing ??? Will my Web Host provider complain ??? Please tell me why it should not be HTTPS.... Garry |
HTTPS
You should only enable HTTPS on personal information and ADMIN functions that expose personal information. Encrypting everything sucks CPU so if you want your customers to have a snappy response only use HTTPS on personal information and ADMIN functions.
|