Pepperfire Posted July 28, 2005

I seem to have gotten the SSL working on the client side, but it doesn't want to be SSL on the admin side.

I can force the admin pages to an SSL state, by manually typing in the https addy, but once I link to any other page in admin, it reverts to an unsecure state. I can't for the life of me figure out why it's doing that.

Here is the text from configure.php

```php
<?php
/*
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.pepperfire.ca'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.pepperfire.ca'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.pepperfire.ca');
  define('HTTPS_COOKIE_DOMAIN', '');
  define('HTTP_COOKIE_PATH', '/pepperstore/');
  define('HTTPS_COOKIE_PATH', '');
  define('DIR_WS_HTTP_CATALOG', '/pepperstore/');
  define('DIR_WS_HTTPS_CATALOG', '/pepperstore/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/usr/home/sites/pepperfire/www/pepperstore/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
  define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
  define('DB_SERVER_USERNAME', '******');
  define('DB_SERVER_PASSWORD', '*****');
  define('DB_DATABASE', 'pepperfire');
  define('USE_PCONNECT', 'false'); // use persistent connections?
  define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>
```

And here is the text for the admin configure.php

```php
<?php
/*
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.pepperfire.ca'); // eg, http://localhost - should not be empty for productive servers
  define('HTTP_CATALOG_SERVER', 'http://www.pepperfire.ca/pepperstore/');
  define('HTTPS_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
  define('DIR_FS_DOCUMENT_ROOT', '/usr/home/sites/pepperfire/www/pepperstore/'); // where the pages are located on the server
  define('DIR_WS_ADMIN', '/pepperstore/admin/'); // absolute path required
  define('DIR_FS_ADMIN', '/usr/home/sites/pepperfire/www/pepperstore/admin/'); // absolute path required
  define('DIR_WS_CATALOG', '/pepperstore/'); // absolute path required
  define('DIR_FS_CATALOG', '/usr/home/sites/pepperfire/www/pepperstore/'); // absolute path required
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
  define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
  define('DB_SERVER_USERNAME', '*****');
  define('DB_SERVER_PASSWORD', '*****');
  define('DB_DATABASE', 'pepperfire');
  define('USE_PCONNECT', 'false'); // use persistent connections?
  define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>
```

Am I missing something??? This is making me quite frustrated. :blink:

T.

♥Vger Posted July 28, 2005

Provided that you do actually have a full ssl cert installed:

```php
define('HTTP_SERVER', 'https://www.pepperfire.ca'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
define('HTTPS_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
```

And if you are on an Apache server with either Unix/Linux operating system you can try adding this line to the .htaccess file in your 'admin' folder (may or may not work depending on your server setup):

```
SSLRequireSSL
ErrorDocument 403 https://www.pepperfire.ca/pepperstore/admin/
```

This, if it works for you, will prevent anyone from being able to access 'admin' except via https, and also remove the double login that you'll get by defining the http settings to https (as above).

Vger

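An added example, not part of the original posts and not osCommerce code: a small Python check that reads the define() lines of an admin configure.php, reports the server URL constants that still point at http:// (the three settings changed in the reply above), and tests an .htaccess text for an uncommented SSLRequireSSL. The function names are hypothetical and the sample config is constructed from the values quoted in this thread.

```python
import re

# define('NAME', 'literal') with either quote style; expressions are skipped.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)""")

# The three admin constants the reply above switches to https://.
SERVER_KEYS = ("HTTP_SERVER", "HTTP_CATALOG_SERVER", "HTTPS_CATALOG_SERVER")


def parse_defines(php_text):
    """Return {name: value} for string-literal define() calls outside comments."""
    text = re.sub(r"/\*.*?\*/", "", php_text, flags=re.S)  # drop block comments
    defines = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#")):  # commented-out setting
            continue
        for match in DEFINE_RE.finditer(stripped):
            defines[match.group("name")] = match.group("value")
    return defines


def non_https_server_urls(defines):
    """List (name, value) pairs for server URL constants not on https://."""
    return [(key, defines[key]) for key in SERVER_KEYS
            if key in defines and not defines[key].lower().startswith("https://")]


def htaccess_requires_ssl(htaccess_text):
    """True if an uncommented SSLRequireSSL directive is present."""
    return any(line.strip().lower() == "sslrequiressl"
               for line in htaccess_text.splitlines())


# Constructed sample built from the admin values quoted in this thread.
BEFORE = """<?php
/* constructed sample, not the full file */
define('HTTP_SERVER', 'http://www.pepperfire.ca'); // eg, http://localhost
define('HTTP_CATALOG_SERVER', 'http://www.pepperfire.ca/pepperstore/');
define('HTTPS_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
?>"""
AFTER = BEFORE.replace("'http://", "'https://")  # the change from the reply

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, non_https_server_urls(parse_defines(text)))
    print("SSLRequireSSL set:", htaccess_requires_ssl("SSLRequireSSL\n"))
```
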
Pepperfire Posted July 29, 2005

> Provided that you do actually have a full ssl cert installed:
>
>     define('HTTP_SERVER', 'https://www.pepperfire.ca'); // eg, http://localhost - should not be empty for productive servers
>     define('HTTP_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
>     define('HTTPS_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
>
> And if you are on an Apache server with either Unix/Linux operating system you can try adding this line to the .htaccess file in your 'admin' folder (may or may not work depending on your server setup):
>
>     SSLRequireSSL
>     ErrorDocument 403 https://www.pepperfire.ca/pepperstore/admin/
>
> This, if it works for you, will prevent anyone from being able to access 'admin' except via https, and also remove the double login that you'll get by defining the http settings to https (as above).
>
> Vger

I'm not sure how or where to add the SSLRequireSSL line, or even if that is necessary, but if it makes me more secure, it wouldn't hurt.

But in the meantime, my admin side is now SSL and when I navigate to other pages, once logged in SSL, it stays that way. :D

Thank you.

justal Posted July 29, 2005

> But in the meantime, my admin side is now SSL and when I navigate to other pages, once logged in SSL, it stays that way. :D
>
> Thank you.

I've done this (i.e. made it so that all the admin side is SSL) but when I now go back to the non-SSL catalog none of the images I upload for products etc are displayed. I think the SSL admin side of things now uploads the image files to the images directory within the httpsdocs directory (SSL) on the server rather than the httpdocs directory (non-SSL) where they are needed for the non-SSL pages to find them.

How do I fix this??

Thanks.

Alan.

♥Vger Posted July 29, 2005

> How do I fix this??

You don't. If your web hosting company uses one of these stupid two-folder systems, one for httpdocs and the other for httpsdocs, then you have to duplicate all changes.

Vger

justal Posted July 29, 2005

> You don't. If your web hosting company uses one of these stupid two-folder systems, one for httpdocs and the other for httpsdocs, then you have to duplicate all changes.
>
> Vger

I have done that, but images that I upload via the admin panel of osCommerce are getting placed in the httpsdocs directory and then aren't available to the non-SSL parts of the site.

If there isn't a way around it, it looks as though I'll have to run the whole of osCommerce from behind the SSL.

Al.

Pepperfire Posted July 29, 2005

> I have done that, but images that I upload via the admin panel of osCommerce are getting placed in the httpsdocs directory and then aren't available to the non-SSL parts of the site.
>
> If there isn't a way around it, it looks as though I'll have to run the whole of osCommerce from behind the SSL.
>
> Al.

If you're paying for real estate, I don't see why you wouldn't. It's not like anyone notices SSL unless they're putting personal info into a form.

I just finished deleting what must amount to at least a gig of duplicate files that were unnecessary.

T.

♥Vger Posted July 29, 2005

I would never even consider buying, or even registering my details, on a website that doesn't use encryption to transmit sensitive information. Even if you use someone else's encrypted payment service, like Pay Pal, what about all of the Create Account details, Login details, My Account access?

If you expect someone else to pay you money then the least you can do is to spend a very small amount of money on a full ssl cert.

Vger

Pepperfire Posted July 29, 2005

> I would never even consider buying, or even registering my details, on a website that doesn't use encryption to transmit sensitive information. Even if you use someone else's encrypted payment service, like Pay Pal, what about all of the Create Account details, Login details, My Account access?
>
> If you expect someone else to pay you money then the least you can do is to spend a very small amount of money on a full ssl cert.
>
> Vger

I was surprised at how inexpensive the certificate is. No sense not having one.

In fact, I recommend that anyone collecting people's personal information, even if they don't take credit cards, have a boo at the Privacy Act of their particular country; not having the certificate could be a legal violation -- and if it isn't, imnho, it ought to be.

T

This topic is now archived and is closed to further replies.