securing the admin pages?


sanddragon2004


I would like to know the answer too. I saw the following warning in the Admin index page:

"You are not protected by a secure SSL connection."

So I think my question will be how to SSL secure the folders/files under the Admin?

Thanks.

:rolleyes:

Link to comment

can someone give me some advice on securing the admin pages?

/admin/index.php

???

Use Directory Password Protect feature from your host or search the internet for .htaccess password.

Link to comment

Also, osCommerce does not give you the option of using SSL for the admin section by default. You'll have to edit the following line in catalog/admin/includes/configure.php

  define('HTTP_SERVER', 'https://www.amazon.com');

(note the https)

Of course, do this only after you have an SSL certificate installed.

Link to comment

My shared hosting allows us to password protect directories, but doing so adds a .htaccess file to the directory. Right now my catalog and admin directories already have ones that apparently do something for SSL and Internet Explorer. Should I delete these to make room? Is that safe?

Meanwhile, what security measures need to be taken for the configure files? I heard they need to be write protected, but any more so than each part of my site? Nobody should be able to ftp to it without the passwords anyway, right?

Link to comment

I have an SSL certificate installed, so when the customer logs on, http:// will change to https:// and my page has the lock symbol. But if I go to http://.. /catalog/admin, it stays as http:// with the following warning in the Admin index page:

"You are not protected by a secure SSL connection."

Only if I use https://../catalog/admin, then I see the message saying:

"You are protected by a 128-bit secure SSL connection." with the lock symbol.

How can I configure the system to use an SSL connection to the Admin index page no matter which method (http:// or https://)? Just like how the catalog pages behave.

BTW, the suggestion of adding the S on this line in catalog/admin/includes/configure.php did not make this happen:

define('HTTP_SERVER', 'httpS://myip');

Thanks.

Link to comment

can someone give me some advice on securing the admin pages?

/admin/index.php

???

Here is a contribution that works well for securing the order and customers sections of the Admin panel. Won't load down the server by offering ssl for all the stuff you really don't need it for.

http://www.oscommerce.com/community/contributions,2274

GEOTEX from Houston, TX

(George)

Link to comment

If you have a full ssl cert installed then you can completely secure the 'admin' area in this way. In admin/includes/configure.php for http_server and http_catalog_server set them to https://www.yourdomain.com or https://yourdomain.com (whichever way the cert was issued). If your server is modern and a Unix or Linux server then you can also drop this piece of code into the .htaccess file in the admin folder:

SSLRequireSSL
ErrorDocument 403 https://www.yourdomain.com/admin/

Vger

I have an SSL certificate installed, so when the customer logs on, http:// will change to https:// and my page has the lock symbol. But if I go to http://.. /catalog/admin, it stays as http:// with the following warning in the Admin index page:

"You are not protected by a secure SSL connection."

Only if I use https://../catalog/admin, then I see the message saying:

"You are protected by a 128-bit secure SSL connection." with the lock symbol.

How can I configure the system to use an SSL connection to the Admin index page no matter which method (http:// or https://)? Just like how the catalog pages behave.

BTW, the suggestion of adding the S on this line in catalog/admin/includes/configure.php did not make this happen:

define('HTTP_SERVER', 'httpS://myip');

Thanks.

Link to comment
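
An added example, not part of the thread and not osCommerce code: a small Python check for the two layers the last reply describes, the https:// values of HTTP_SERVER and HTTP_CATALOG_SERVER in admin/includes/configure.php and the SSLRequireSSL / ErrorDocument 403 pair in the admin .htaccess. The function names, the sample file contents and the HTTP_CATALOG_SERVER value in the "before" sample are constructed for illustration.

```python
import re

# define('NAME', 'value') with either quote style, as in osCommerce configure.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def parse_defines(php_text):
    """Map constant name -> string value, ignoring commented-out lines."""
    defines = {}
    for line in php_text.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for name, value in DEFINE_RE.findall(line):
            defines[name] = value
    return defines

def audit_admin_ssl(configure_php, htaccess):
    """Return findings; an empty list means links and server both insist on HTTPS."""
    findings = []
    defines = parse_defines(configure_php)
    for name in ("HTTP_SERVER", "HTTP_CATALOG_SERVER"):
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif not value.lower().startswith("https://"):
            findings.append(f"{name} is {value!r}, not an https:// URL")
    # Active (non-comment) .htaccess directives, split into words
    rules = [l.split() for l in htaccess.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if not any(r[0].lower() == "sslrequiressl" for r in rules):
        findings.append("no SSLRequireSSL: plain http:// requests are not refused")
    if not any(len(r) >= 3 and r[0].lower() == "errordocument" and r[1] == "403"
               and r[2].lower().startswith("https://") for r in rules):
        findings.append("no ErrorDocument 403 redirecting to an https:// URL")
    return findings

# Constructed sample inputs (not taken from a real store)
CONFIGURE_BEFORE = """<?php
  define('HTTP_SERVER', 'httpS://myip');
  define('HTTP_CATALOG_SERVER', 'http://myip');
"""
HTACCESS_BEFORE = "# constructed: no SSL directives yet\n"
CONFIGURE_AFTER = """<?php
  define('HTTP_SERVER', 'https://www.yourdomain.com');
  define('HTTP_CATALOG_SERVER', 'https://www.yourdomain.com');
"""
HTACCESS_AFTER = "SSLRequireSSL\nErrorDocument 403 https://www.yourdomain.com/admin/\n"

if __name__ == "__main__":
    for label, cfg, hta in (("before", CONFIGURE_BEFORE, HTACCESS_BEFORE),
                            ("after", CONFIGURE_AFTER, HTACCESS_AFTER)):
        print(label, audit_admin_ssl(cfg, hta) or "OK")
```
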

Archived

This topic is now archived and is closed to further replies.
