
osCommerce

The e-commerce.

Help! Keep SSL for all pages?


lifeliberty


Greetings,

 

I have Open SSL set up on my site for the catalog homepage... How do I keep the entire users' sessions secure (i.e., how do I change all the links within the catalog from http to https)?

 

Many, many thanks in advance!


Note: if you do this ... the whole catalog will slow down a considerable amount.

 

Is there a reason you need it all to be SSL?

 

Change the /includes/configure.php to use your secure site for both settings rather than just one setting


Note: if you do this ... the whole catalog will slow down a considerable amount.

 

Not only your catalog, the complete server as it has to number crunch EVERYTHING, images, pages, the lot. That is an 'expensive' process...

So any other service / site running on that server will be significantly slower (assuming you have some traffic going on on the SSL site)

 

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"


Is the current method of changing SSL states secure?

 

When a client logs in, and is then taken from SSL to Non-SSL, are we only in SSL to encrypt the password?

 

If using the AutoLogin contribution, is this any more or less secure? Does it also send its password through SSL when you return to the site?

 

What about the osc_id? Once you've logged in, and are transferred back to the Non-SSL site, your osc_id would be getting transmitted unencrypted, even with the updated CVS and ForceCookies option, this session information would still be getting passed to the server... is this secure considering the efforts made to remove this information from the address box?

 

Does there need to be an option like:

HTTP - Guests

HTTPS - Secure

HTTPS or HTTP - Logged in Member (Admin option as to which one to use)

 

Cheers,

Tony

"The price of success is perseverance. The price of failure comes much cheaper."


Is the current method of changing SSL states secure?

You can always put the entire store in ssl-mode. Simply set HTTP_SERVER and HTTPS_SERVER both to the ssl-host (in catalog/includes/configure.php).

 

If using the AutoLogin contribution, is this any more or less secure? Does it also send its password through SSL when you return to the site?

If ssl is enabled, the autologon contribution will establish a ssl-link for password transfer upon return to the store. Furthermore, the password is md5-encrypted stored on the client and transmitted to the host.

 

HTH

 

M@rcel

Greetings from Marcel



Thanks for the AutoLogin info...

 

Is the current method of changing SSL states secure?

You can always put the entire store in ssl-mode. Simply set HTTP_SERVER and HTTPS_SERVER both to the ssl-host (in catalog/includes/configure.php).

 

This is what we're trying to avoid though... since it loads up the server and client resources.

I'm just trying to ascertain if the current way of switching between SSL and NON-SSL is secure.

 

Cheers,

Tony

"The price of success is perseverance. The price of failure comes much cheaper."
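The question raised in this thread, whether the session ID leaves the SSL channel once a logged-in customer is sent back to the non-SSL pages, can be checked from the store's response headers. The following is an added example, not part of the original thread and not osCommerce code: it audits `Set-Cookie` headers for a session cookie that is issued over plain HTTP or lacks the `Secure` attribute. The cookie name `osc_id` is taken from the post above; the URLs, cookie values and finding labels are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample data: (URL that returned the header, Set-Cookie value).
SAMPLE_RESPONSES = [
    ("https://shop.example/login.php", "osc_id=abc123; path=/"),
    ("https://shop.example/login.php", "osc_id=abc123; path=/; Secure"),
    ("http://shop.example/index.php", "osc_id=abc123; path=/"),
    ("http://shop.example/index.php", "currency=USD; path=/"),
]


def audit_set_cookie(url, header, session_names=("osc_id",)):
    """Return finding labels for session cookies in one Set-Cookie header.

    'issued-over-http' : the cookie was set in a cleartext response.
    'no-secure-flag'   : the browser will attach the cookie to http://
                         requests too, so it crosses the wire unencrypted
                         as soon as the customer leaves the SSL pages.
    """
    findings = []
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        if name not in session_names:
            continue  # only the session identifier matters here
        if not url.lower().startswith("https://"):
            findings.append("issued-over-http")
        if not morsel["secure"]:
            findings.append("no-secure-flag")
    return findings


def audit_all(responses):
    """Audit every (url, header) pair; keep only those with findings."""
    report = []
    for url, header in responses:
        findings = audit_set_cookie(url, header)
        if findings:
            report.append((url, header, findings))
    return report


if __name__ == "__main__":
    for url, header, findings in audit_all(SAMPLE_RESPONSES):
        print(f"{url}: {header!r} -> {', '.join(findings)}")
```

A session cookie can only carry the `Secure` attribute usefully when every page that needs the session is served over HTTPS, which corresponds to pointing both `HTTP_SERVER` and `HTTPS_SERVER` at the SSL host as suggested earlier in the thread.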


Archived

This topic is now archived and is closed to further replies.
