No SSL in admin panel



Posted

I have set up my site completely, including the SSL for the shopping cart. I get the lock for the shopping cart during the checkout process. When I am in the admin panel, I get the message in the bottom left hand corner that says "You are not protected by a secure SSL connection." Does this mean that the store is not really secure, or there may be a setting I am missing? I am using 2.2 Milestone 2 on a shared SSL server. Any help would be appreciated.

 

Thanks,

Chad

Posted

You have to enable ssl for admin the same way you did for the shop, by changing the configure file for admin. However, it is not necessary and will slow admin down even more. The admin section is already secured by its secure connection to the database so, in my opinion, you should not enable it.

 

Jack


Posted
You have to enable ssl for admin the same way you did for the shop, by changing the configure file for admin. However, it is not necessary and will slow admin down even more. The admin section is already secured by its secure connection to the database so, in my opinion, you should not enable it.

 

Jack

I agree. I think most people obsess about running admin under ssl simply because of that silly little padlock image. All it does is slow your everyday product management.

 

If you wish there's a very nice little contribution which enables ssl for only orders and customer info.

 

"EZ" Secure Order & Customer Viewing for osCommerce Admin


Posted

Ok, I have checked the catalog/admin/includes/configure.php and the catalog/includes/configure.php and they both have the SSL connections set to True.

 

This is the admin/includes/configure.php:

 

define('HTTP_SERVER', 'http://mysite.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://mysite.com');
define('HTTPS_CATALOG_SERVER', 'https://mysite.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/home/content/j/p/i/me/html/catalog/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/home/content/j/p/i/me/html/catalog/admin/'); // absolute path required

 

As you can see the ENABLE_SSL_CATALOG is set to true, but I still have no SSL in my admin panel. I have taken your comments into consideration and have not decided whether I will keep the SSL in the admin panel (if I get it to work). I think I will have to see how much it really compromises the performance of the admin panel. Thanks for the help guys.

 

Chad

Posted
The admin section is already secured by its secure connection to the database

Jack

 

Hi, can you expand on this? I am trying to make my admin section secure, as at the moment there is nothing other than knowing where the admin.php file is and running it to access the admin sections itself.

Posted

The word "secure" can be misleading. For admin, there should be password protection so that not just anyone can enter. That will make the admin section secure. But you were asking about an ssl. The "secure" associated with an ssl means that when your data is transmitted over the Internet, it is encrypted so that no one along the way can read it. Since the information in admin is connected to the database directly, there is no chance of anyone reading the information so applying ssl to it is meaningless. The only exception to that is if you download your backups to your computer instead of to the server. Then that data becomes unsecured.

 

Jack


Posted

Welcome to the page of misinformation.

 

Using standard HTTP authentication, every request you make to admin includes your password in a digest form (usually md5). All this means is that someone cannot easily know what the password is in plain text, however this information is sufficient for someone listening on your connection to access admin and all the information it holds.

 

Using SSL, which resides between the HTTP and TCP/IP layer, the client and server perform a "hand-shake" using public-key cryptography in order to exchange symmetric keys generated for the session. The request along with the hashed password is then encrypted using the client's symmetric key, which only the server and client know. So anyone intercepting the encrypted password (lost in the encrypted request) could not use it because he or she could not tell the server in what language (with what key) it is written in.

 

Going back to admin's configuration. The ENABLE_SSL_CATALOG constant is a mystery. Going by the comment that immediately follows it, it seems to be intended for a module which I don't think is included.

 

The solution is to set HTTP_SERVER to use https.

 

All the best
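Added example, not part of any post in this thread: a small Python check that reads an admin `includes/configure.php` and reports whether `HTTP_SERVER` uses https, which is the setting the last post identifies as deciding whether admin runs over SSL. The function names and the sample text (built from the configure.php quoted earlier in the thread) are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Matches one PHP define('NAME', 'value') statement with single-quoted arguments.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z0-9_]+)'\s*,\s*'([^']*)'\s*\)")

def parse_defines(php_text):
    """Return {constant: value} for define() lines that are not commented out."""
    defines = {}
    for line in php_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip commented-out settings
        m = DEFINE_RE.search(stripped)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines

def audit_admin_config(php_text):
    """Return a list of findings; an empty list means HTTP_SERVER uses https."""
    d = parse_defines(php_text)
    findings = []
    server = d.get("HTTP_SERVER", "")
    scheme = urlparse(server).scheme.lower()
    if not server:
        findings.append("HTTP_SERVER is empty or missing")
    elif scheme != "https":
        findings.append(f"HTTP_SERVER is {server!r}: admin is served over plain HTTP")
        if d.get("ENABLE_SSL_CATALOG") == "true":
            # As seen in the thread: this flag alone left admin without SSL.
            findings.append("ENABLE_SSL_CATALOG is 'true' but does not move admin to HTTPS")
    return findings

# Constructed sample based on the configure.php quoted in the thread.
AS_POSTED = """
define('HTTP_SERVER', 'http://mysite.com'); // should not be empty
define('HTTP_CATALOG_SERVER', 'http://mysite.com');
define('HTTPS_CATALOG_SERVER', 'https://mysite.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
"""
# The same file after the change suggested in the last post.
FIXED = AS_POSTED.replace("'HTTP_SERVER', 'http://", "'HTTP_SERVER', 'https://")

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name, audit_admin_config(text) or "OK")
```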

Archived

This topic is now archived and is closed to further replies.
