osCommerce

The e-commerce.

Admin SSL


Pepperfire

I seem to have gotten the SSL working on the client side, but it doesn't want to be SSL on the admin side.

 

I can force the admin pages to an SSL state, by manually typing in the https addy, but once I link to any other page in admin, it reverts to an unsecure state.

 

I can't for the life of me figure out why it's doing that.

 

Here is the text from configure.php

 

<?php
/*
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com

Copyright © 2003 osCommerce

Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.pepperfire.ca'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.pepperfire.ca'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.pepperfire.ca');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/pepperstore/');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '/pepperstore/');
define('DIR_WS_HTTPS_CATALOG', '/pepperstore/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/usr/home/sites/pepperfire/www/pepperstore/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', '******');
define('DB_SERVER_PASSWORD', '*****');
define('DB_DATABASE', 'pepperfire');
define('USE_PCONNECT', 'false'); // use persistent connections?
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>

 

And here is the text for the admin configure.php

 

<?php
/*
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com

Copyright © 2003 osCommerce

Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.pepperfire.ca'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.pepperfire.ca/pepperstore/');
define('HTTPS_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/usr/home/sites/pepperfire/www/pepperstore/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/pepperstore/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/usr/home/sites/pepperfire/www/pepperstore/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/pepperstore/'); // absolute path required
define('DIR_FS_CATALOG', '/usr/home/sites/pepperfire/www/pepperstore/'); // absolute path required
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', '*****');
define('DB_SERVER_PASSWORD', '*****');
define('DB_DATABASE', 'pepperfire');
define('USE_PCONNECT', 'false'); // use persistent connections?
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>

 

 

Am I missing something??? This is making me quite frustrated. :blink:

 

T.

Link to comment
Share on other sites

Provided that you do actually have a full ssl cert installed:

 

define('HTTP_SERVER', 'https://www.pepperfire.ca'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');

define('HTTPS_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');

 

And if you are on an Apache server with either a Unix or Linux operating system you can try adding this line to the .htaccess file in your 'admin' folder (may or may not work depending on your server setup):

 

SSLRequireSSL

ErrorDocument 403 https://www.pepperfire.ca/pepperstore/admin/

 

This, if it works for you, will prevent anyone from being able to access 'admin' except via https, and also remove the double login that you'll get by defining the http settings to https (as above).

 

Vger

Link to comment
Share on other sites
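
An added example, not part of the original posts and not osCommerce code: a small Python audit that checks an admin configure.php for the three server defines named in the answer above and checks a .htaccess for an active SSLRequireSSL directive. The function names are this example's own, and the sample strings are constructed from the values shown in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed samples built from the values shown in the thread.
ADMIN_BEFORE = """\
define('HTTP_SERVER', 'http://www.pepperfire.ca'); // eg, http://localhost
define('HTTP_CATALOG_SERVER', 'http://www.pepperfire.ca/pepperstore/');
define('HTTPS_CATALOG_SERVER', 'https://www.pepperfire.ca/pepperstore/');
define('ENABLE_SSL_CATALOG', 'true');
"""
# The same file after the change suggested in the answer.
ADMIN_AFTER = ADMIN_BEFORE.replace("'http://", "'https://")
HTACCESS = """\
SSLRequireSSL
ErrorDocument 403 https://www.pepperfire.ca/pepperstore/admin/
"""

# Matches define('NAME', 'value'); at the start of a line, so a
# commented-out "// define(...)" line is ignored.
DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;", re.M)
SERVER_KEYS = ("HTTP_SERVER", "HTTP_CATALOG_SERVER", "HTTPS_CATALOG_SERVER")

def parse_defines(php_text):
    """Return {name: value} for single-quoted string define() calls."""
    return dict(DEFINE_RE.findall(php_text))

def audit_admin_config(php_text):
    """Return (name, value) for each server define that is not https."""
    defines = parse_defines(php_text)
    findings = []
    for key in SERVER_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append((key, "missing"))
        elif urlsplit(value).scheme != "https":
            findings.append((key, value))
    return findings

def htaccess_requires_ssl(htaccess_text):
    """True when an uncommented SSLRequireSSL directive is present."""
    for line in htaccess_text.splitlines():
        words = line.strip().split()
        # Apache directive names are case-insensitive; '#' starts a comment.
        if words and words[0].lower() == "sslrequiressl":
            return True
    return False

if __name__ == "__main__":
    print("before:", audit_admin_config(ADMIN_BEFORE))
    print("after: ", audit_admin_config(ADMIN_AFTER))
    print("htaccess enforces SSL:", htaccess_requires_ssl(HTACCESS))
```
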


I'm not sure how or where to add the SSLRequireSSL line, or even if that is necessary, but if it makes me more secure, it wouldn't hurt.

 

But in the meantime, my admin side is now SSL and when I navigate to other pages, once logged in SSL, it stays that way. :D

 

Thank you.

Link to comment
Share on other sites


I've done this (i.e. made it so that all the admin side is SSL) but when I now go back to the non-SSL catalog none of the images I upload for products etc are displayed. I think the SSL admin side of things now uploads the image files to the images directory within the httpsdocs directory (SSL) on the server rather than the httpdocs directory (non-SSL) where they are needed for the non-SSL pages to find them.

 

How do I fix this??

 

Thanks.

Alan.

Link to comment
Share on other sites


You don't. If your web hosting company uses one of these stupid two-folder systems, one for httpdocs and the other for httpsdocs, then you have to duplicate all changes.

 

Vger

Link to comment
Share on other sites


I have done that, but images that I upload via the admin panel of osCommerce are getting placed in the httpsdocs directory and then aren't available to the non-SSL parts of the site.

 

If there isn't a way around it, it looks as though I'll have to run the whole of osCommerce from behind the SSL.

 

Al.

Link to comment
Share on other sites


If you're paying for real estate, I don't see why you wouldn't. It's not like anyone notices SSL unless they're putting personal info into a form.

 

I just finished deleting what must amount to at least a gig of duplicate files that were unnecessary.

 

T.

Link to comment
Share on other sites

I would never even consider buying, or even registering my details, on a website that doesn't use encryption to transmit sensitive information.

 

Even if you use someone else's encrypted payment service, like PayPal, what about all of the Create Account details, Login details, My Account access?

 

If you expect someone else to pay you money then the least you can do is to spend a very small amount of money on a full ssl cert.

 

Vger

Link to comment
Share on other sites


I was surprised at how inexpensive the certificate is. No sense not having one.

 

In fact, I recommend that anyone collecting people's personal information, even if they don't take credit cards, have a boo at the Privacy Act of their particular country; not having the certificate could be a legal violation -- and if it isn't, imnho, it ought to be.

 

T

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
