X-Cart forums

[lixy]

How can I force all admin sessions to be conducted via HTTPS? I want any admin attempting to access the admin area using HTTP to be redirected to the HTTPS login area.

[B00MER]

I do this to my admin/orders.php and provider/oders.php as sensitive info is stored with the customers cc so I add the following include at the top of the orders.php:

Code:

@include "../customer/https.php";

And make adjustments in customer/https.php:

Code:

$https_scripts = array("orders.php","cart.php");

You'll need to add the include on every area in the admin you want secure so if it is hit with http it will switch over, you'll also need to add the filename of the admin php script your wanting to secure, note ive got orders.php in my $https_scripts array.

hth.

[lixy]

Boomer, that worked perfect! Thanks alot for the help.

[brian]

I wanted the entire admin section to be https, so I added the following to admin/auth.php:

Code:

# Force the admin section to be secure
if($HTTPS != "on"){
	$xcart_host = ($HTTPS == "on" ? $xcart_https_host : $xcart_http_host);
	$pos = strpos($xcart_host, "/");                                                                                                                   
	$dir = $pos !== false ? substr($xcart_host, $pos) : "";
	$current_script = substr($REQUEST_URI, strlen($dir) + strlen($xcart_web_dir));
	$additional_query = ($QUERY_STRING?"&":"?").(strstr($QUERY_STRING,"XCARTSESSID")?"":"XCARTSESSID=$XCARTSESSID");
	header("Location: $https_location".$current_script.$additional_query);
}

Now if you visit the admin section at http you are redirected to https. So far so good.

Brian

[lixy]

Brian,

That is exactly what I was looking for - thanks alot. Forced SSL Admin working 100%

[jolandia]

Thanks a lot, I tried this as well and it seems to work fine! I haven't tested it extensively, but I assume that in theory there should be no way now to access the admin functions without https? Obviously this is very important with regard to credit card details, as we all appreciate.

[e1front]

When i click on the "generate db"

the dialog box asks me if i want to save or open,
i tryed both

then a new dialog box opens with the following message

Quote:

getting file information
db_backup.php

then after a minute I get this message,

Quote:

Internet Explorer cannot download db_backup.php from www.yoursite.com
Internet Expolrer wasn't able to open this internet site.
The requested site is either unavailable or cannot be found. Please try again later.

Quote:

if($HTTPS != "on"){
$xcart_host = ($HTTPS == "on" ? $xcart_https_host : $xcart_http_host);
$pos = strpos($xcart_host, "/");
$dir = $pos !== false ? substr($xcart_host, $pos) : "";
$current_script = substr($REQUEST_URI, strlen($dir) + strlen($xcart_web_dir));
$additional_query = ($QUERY_STRING?"&":"?").(strstr($QUERY_STRING,"XCA RTSESSID")?"":"XCARTSESSID=$XCARTSESSID");
header("Location: $https_location".$current_script.$additional_query );
}
# end of code

when i ereased this piece of code, The "generate SQL file worked fine ....

So how can i work out this conflict???
please help

[Chris B]

Make sure your database has a connection via localhost.

I've seen this problem when x-cart is making a database connection via a URL or IP address.

(Therefore, the data is being transferred through an insecure connection.)

[nfc5382]

i just modified the following for complete https access:

customer/https.php:

Code:

# everything https
function is_https_link($link, $https_scripts) {
        return true;
}

and for admin login - admin/auth.php:

add this to the top:

Code:

@include "../customer/https.php"; 

i just added the support for admin login but I have been using the whole site as https b/c many customers complained about portions of the site not secure. Personally I think they are parinoid, but if it will make them happy i'll accomodate for them!

[kangus]

Fatal error: Cannot redeclare is_https_link() (previously declared in /home/nquest/public_html/store/customer/https.php:54) in /home/nquest/public_html/store/customer/https.php on line 54