Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Force SSL on login.php, create_account.php & any page via .htaccess


dr_lucas

Recommended Posts

I was browsing a few threads here today, all said it's not possible to force SSL on specific page via .htaccess

Was trying to respond, but unfortunately the topic are archived and no longer accept responses (why archived? even a topic from 2011!?)

Anyway, it is possible to do that via .htaccess, just add these lines to the very bottom of your catalog/.htaccess and always be sure to leave at least 1 blank line at the end of the .htaccess file:

 

# Force SSL on specific pages
<IfModule mod_rewrite.c>
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/(login\.php|create_account\.php|checkout_shipping\.php|checkout_payment\.php|checkout_confirmation\.php)
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [L]
</IfModule>

Link to comment
Share on other sites

I thought that a correctly set up oscommerce cart used https on those pages if you had a ssl certificate and set up both of the configure files correctly. May be I was wrong and this is needed, but I don't think I am.

REMEMBER BACKUP, BACKUP AND BACKUP

Link to comment
Share on other sites

While this may be the case, many stores are configured differently, have templates with hard coded http (instead of https) links, etc.

Also some people, for any reason, may try to or be able to manually remove the https from the URL and connect to certain pages via http instead.

Using this method, you ensure that this will no longer be possible. Besides, the code is easily modifiable to include or exclude from forcing-SSL any page the store admin wants by changing:

 

RewriteCond %{REQUEST_URI} ^/(login\.php|create_account\.php|checkout_shipping\.php|checkout_payment\.php|checkout_confirmation\.php)

For example, to

RewriteCond %{REQUEST_URI} ^/(advanced_search_results\.php) # Will force SSL on advanced_search.results.php

Link to comment
Share on other sites

It is possible to force SSL on all pages (which would be best) just configure it in your configure.php files

 

includes/configure.php

define('HTTP_SERVER', 'https://yoursite.com');
define('HTTPS_SERVER', 'https://yoursite.com');
define('ENABLE_SSL', true);

 

admin/includes/configure.php

define('HTTP_SERVER', 'https://yoursite.com');
define('HTTP_CATALOG_SERVER', 'https://yoursite.com');
define('HTTPS_CATALOG_SERVER', 'https://yoursite.com');
define('ENABLE_SSL_CATALOG', true);

 

The important part of this code is the 'https://yoursite.com' for HTTP_SERVER not just the HTTPS_SERVER. This forces HTTPS even when the user types in a plan http address or the link is hard coded.

Link to comment
Share on other sites

@@14steve14 This fix has been around for a while. It is considered a security error because the url will work in non-ssl mode, which means the data entered would not be encrypted. I don't think anyone would deliberately change the url but purchased templates are notorious for adding links to those pages that do not use ssl.

 

@T. Thomas That will work but is a bad idea. The reasons have been stated a number of times in various threads here on the forums if you want to look those up.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...