
How to force SSL in the Admin control Panel?


dailce


Ok My site works great and my SSL works great.

 

But...

 

I can still go to, e.g., "http://www.mysite.com/admin". This brings me to the control panel and it's not secure, but if I click on a link it goes into SSL mode and works fine, and if I click the administration link a second time, say after I look at an order, I can go back to the main control panel and it shows the padlock and is in SSL.

 

How can I force the SSL to prevent people from going to "HTTP://www.mysite.com/admin"?

 

If someone goes to "HTTP://www.mysite.com/admin", then is there a way to force the site into "HTTPS://www.mysite.com/admin"?

 

I know I can use the following Apache code in my htaccess file:

 

<IfModule mod_ssl.c>
# if the server is able to use SSL, require its use
SSLRequireSSL
</IfModule>

 

but is there a better way?

 

Thanks.


Yeah, I know that, but sometimes when I access it I forget to put the HTTPS. I want to be safe and force the HTTPS if I go to it by accident by typing HTTP.

 

Will using the Apache code above be fine?


I think I know what Mike is actually getting at. Provided that your server software is sufficiently up to date and 'nix based you can use this in a .htaccess file in your 'admin' folder. I use it for all of my sites:

 

SSLRequireSSL

ErrorDocument 403 https://www.yourdomain.com/admin/

 

This also gets around the problem of sometimes having to login twice if all http and https pathways in admin/includes/configure.php are set to https - once when you reach the landing page, and again when you click on one of the links on the landing page.

 

Vger


I've decided to stick with the SSLRequireSSL in the htaccess file.

 

I know it's overkill, but at least attempts to get the Admin panel without the https will bring me or whoever to an error page.

 

Thanks guys


The code I posted won't take people trying to access 'admin' via http to an error page, but will simply force access to the https route e.g. no one will be able to access admin via an http connection. I don't think that's overkill at all - a wise precaution in my view.

 

Vger


  • 1 year later...

This method will keep the whole path and any arguments. It just changes http:// to https://

 

For example, http://www.mydomain.com/catalog/admin/conf...ation.php?gID=4

becomes https://www.mydomain.com/catalog/admin/conf...ation.php?gID=4

 

RewriteEngine On
# only act on plain-http requests (port 80)
RewriteCond %{SERVER_PORT} 80
# and only for the admin folder ("somefolder" is a placeholder for its name)
RewriteCond %{REQUEST_URI} somefolder
# R = external redirect (the query string is carried over), L = stop rewriting
RewriteRule ^(.*)$ https://www.mydomain.com/catalog/admin/$1 [R,L]


  • 1 year later...
The only people that should be using Admin are people with the right to do so (i.e not the general public), and they should be using an https:// link to access it.
Your problem is silly. Just don't forget to put the https.

 

Sorry for resurrecting a dead topic here but I just had to add this when I found the page at the top of google.

 

There are many very valid reasons for wanting the admin page to automatically redirect to https and actually work. Unfortunately with apache2 it seems none of these methods here work anymore, nor does using RewriteCond %{HTTPS} !=on .. The links all redirect to https, yes but the admin login page tells you invalid admin login when you try it this way. That may be a bug, I am not sure. Anyways, more to the point, the way that the internet works and the whole reason for SSL being invented was because of the possibility of someone getting between the server and a visitor, or the site admin, and sniffing packets to obtain passwords or other confidential information. Just because a customer shouldn't be using the admin page is not a reason to not secure it _in the code_ ..

 

I'll give an example here:

 

Joe Hacker wants to steal credit cards from majorshoppingsite.com and knows that the hard way would be to brute force passwords. He also knows how to get in the middle and sniff packets but knows that the shopping cart is SSL encrypted. So because of what I consider to be tunnel vision on the software author's part, he also knows that the admin login page is unencrypted on most installs of the software that majorshoppingsite.com uses. So he sets up a man in the middle attack and starts sniffing all unencrypted packets. Pretty soon after, the site admin goes and logs into his site as normal. Boom, Joe Hacker has just obtained login credentials for the site. Even if there is scrambling of the password instead of sending it in plaintext, it's most likely still not going to be all that difficult to crack. So then he logs in, sure he can't see credit card info because he's only in the shopping cart, but if he has one password he can get others. He also has the IP address of the site admin, meaning that if he sets up a man in the middle attack at the admin's end instead of the server end, he can then get passwords to other accounts, such as email, etc.

 

Site admin uses different passwords, but like most people, he has a theme. He varies on one particular thing, a kid's birthday, tossing random numbers into his wife's maiden name, etc. Eventually the site admin goes and logs into his authorize.net account, and while I haven't checked this first hand, let's just say for argument's sake that authorize.net doesn't encrypt their admin login pages. He's now gotten access to the guy's auth.net account and all of the finances of the business.

 

I'm sure you can take it from here and go a million different directions, but the point is that the admin login page needs to use https in the code just like every other login page, not some rewriterule in .htaccess that may get outdated with a future version of apache.


  • 9 months later...

Try this. I placed it in an include file, then include it with require_once(DIR_WS_INCLUDES . 'sslstate.php'); in the headers.

 

<?php
// CHECKS SSL STATUS
// SET SSL DOMAIN
$sslsite = "https://secure.yoursite.com";  // change to your https url

// $_SERVER["HTTPS"] is unset on a plain http request (and some servers set
// it to "off"), so test for both instead of comparing against "on" directly
if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] == "off") {
  // REDIRECT TO SECURE PAGE
  // REQUEST_URI keeps the path and the query string; PHP_SELF drops the
  // query (e.g. ?gID=4), so the redirect would land on the wrong page
  header("Location: " . $sslsite . $_SERVER["REQUEST_URI"]);
  // stop here, otherwise the rest of the page is still sent over plain http
  exit;
}
?>

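An offline check for the approaches in this thread (SSLRequireSSL alone, SSLRequireSSL plus ErrorDocument, the RewriteRule, and the PHP include above): given the response a plain-http request for an admin page gets back, it reports whether the user was left on http, blocked, or sent to https with the path and query intact. This is an added example, not code from the thread or from osCommerce; the responses and the admin page name are constructed from how each configuration behaves.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed sample: what an http:// request for an admin page comes back with
# under each approach from this thread. Status/headers are hand-written from the
# documented behaviour of each directive, not captured from a real server.
ADMIN_URL = "http://www.yourdomain.com/admin/some_page.php?gID=4"  # placeholder page
SAMPLES = {
    "no_enforcement": (200, {"Content-Type": "text/html"}),
    "sslrequiressl_only": (403, {"Content-Type": "text/html"}),
    "sslrequiressl_errordocument": (302, {"Location": "https://www.yourdomain.com/admin/"}),
    "rewriterule_or_php_include": (302, {"Location": "https://www.yourdomain.com/admin/some_page.php?gID=4"}),
}


def check_https_enforcement(request_url, status, headers):
    """Classify how a plain-http request for the admin area was handled.

    forced_https_preserving: redirected to https on the same host, path and
        query intact (the user lands on the page they asked for)
    forced_https_lossy: redirected to https but to a different path/query
    blocked: refused (e.g. 403) and the user is left on http
    insecure: served over http, nothing enforced
    bad_redirect: redirect to a non-https target or to another host
    """
    req = urlsplit(request_url)
    if status in REDIRECT_CODES:
        loc = urlsplit(headers.get("Location", ""))
        if loc.scheme != "https" or loc.hostname != req.hostname:
            return "bad_redirect"
        if loc.path == req.path and loc.query == req.query:
            return "forced_https_preserving"
        return "forced_https_lossy"
    if status in (401, 403):
        return "blocked"
    if 200 <= status < 300:
        return "insecure"
    return "other"


def audit_samples(samples=SAMPLES, url=ADMIN_URL):
    """Run the check over every sample and report the verdict for each."""
    return {name: check_https_enforcement(url, status, headers)
            for name, (status, headers) in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:30} {verdict}")
```

Only the path-preserving redirect passes as "forced_https_preserving"; the ErrorDocument variant is flagged lossy because it always lands on the admin landing page, which is the double-login annoyance Vger mentions.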
