Enrico
Posted July 31, 2004

The store in question is secure, but admin area isn't. My client wants it to be. Is the admin area normally protected, should it be? How might that be done? THANKS!!
Guest
Posted July 31, 2004

It can be done; however, there are some drawbacks. I know the backup.php must be modified if it causes timeouts. I don't remember what or where; I would have to try to find that. If you want it to be secure, change the top line http://www.domain.com to https://www.domain.com
stevel
Posted July 31, 2004

I'm not sure what John is referring to... There are two things to do, both simple and they don't interfere with any functionality.

1) In admin/includes/configure.php, change HTTP_SERVER to be your https URL base.
2) Access the admin panel using your https URL.

You can also cause it to automatically redirect to https as follows: In admin/index.php, add the following lines after the require of application_top.php:

    // Redirect to the https admin URL when the request came in without SSL
    // and HTTP_SERVER is configured with an https base.
    if ((!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") && substr(HTTP_SERVER, 0, 5) == 'https') {
      header("Location: " . tep_href_link(FILENAME_DEFAULT));
      exit; // stop here so the page is not also rendered over plain HTTP
    }

You should also use .htaccess to password-protect your admin panel.

Steve

Contributions: Country-State Selector, Login Page a la Amazon, Protection of Configuration, Updated spiders.txt, Embed Links with SID in Description
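An admin/.htaccess sketch for the password protection recommended in the post above, added here as an example and not taken from the thread or from osCommerce. It assumes Apache with mod_ssl and AllowOverride AuthConfig; the realm name, user name and AuthUserFile path are placeholders.

```apache
# admin/.htaccess (constructed example; adjust the placeholders)

# Refuse any request that did not arrive over SSL/TLS. mod_ssl checks this
# before authentication, so the Basic auth prompt below is never shown, and
# the password never sent, over plain HTTP. Such requests get 403 Forbidden.
SSLRequireSSL

# HTTP Basic authentication for everything under admin/.
AuthType Basic
AuthName "Store Admin"
# Placeholder path: keep the password file outside the web root.
# Create it with: htpasswd -c /path/outside/webroot/.htpasswd-admin adminuser
AuthUserFile /path/outside/webroot/.htpasswd-admin
Require valid-user
```

With SSLRequireSSL in place, Apache rejects a plain-HTTP request before admin/index.php runs, so the PHP redirect from the post only takes effect if this directive is left out.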
Guest
Posted July 31, 2004

In the admin/includes/configure.php file you only have to change the top line from http to https, and as long as SSL is enabled then it switches to SSL. This way you don't take a chance on mucking up your code.
stevel
Posted July 31, 2004

The code change is really not needed - but without it, if you access your admin home page without SSL, you'll see a warning that you're not SSL protected. Some people don't like that.

Steve