
osCommerce

The e-commerce.

Data security


Guest


I am able to access the admin area via simple http://. While in the admin area, I can view orders and any credit card information stored within an order. This means that the CC information is transmitted across the internet unencrypted. This poses a security risk and also a legal risk in light of the new California law on data security.

I think that the admin area should be accessed via https. This should probably be made standard but should certainly be made an option. Implementation would require only some simple modifications to the links in the admin pages.


Accessing the admin via HTTPS is very simple to configure in includes/configure.php. In addition, you should add some kind of password protection via .htaccess or whatever other method you would like.


Maybe I can supply a hint here:

If you're using Apache with mod_rewrite then you can use it to enforce SSL mode (https) :)

Here are some examples...

Place inside httpd.conf, in the appropriate DEFAULT SERVER or VIRTUAL SERVER section:

RewriteEngine On
# RewriteLog is understood by Apache 2.2 and earlier only; on 2.4 use "LogLevel rewrite:trace3" instead
RewriteLog "/var/log/httpd_rewrite.log"

# Match plain-http requests only. Without this condition the rule also fires on the
# https side and redirects to itself, which the browser reports as a redirect loop.
# [R] forces an external redirect: with a substitution whose host equals the current host,
# mod_rewrite would otherwise strip the scheme and rewrite internally, never moving to https.
RewriteCond %{HTTPS} off
RewriteRule ^/adm/(.*)  https://%{SERVER_NAME}/adm/$1 [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule ^/shop/admin(.*)  https://%{SERVER_NAME}/shop/admin$1 [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule ^/([^/]*)/admin(.*)  https://%{SERVER_NAME}/$1/admin$2 [R=301,L]

 

If you want to password-protect that area, then just drop an appropriate .htaccess file inside each admin dir; even the authentication will be encrypted then.
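A way to check from the outside that a rule like the ones above really forces the admin area onto HTTPS, and that it does not bounce forever. This is an added example in Python, not code from the post or from osCommerce. The redirect-following logic is the real check; the three `*_server` functions are constructed stand-ins for the three configurations a reader might end up with (correct rule, rule without the `RewriteCond`, no rule at all) so the block runs offline, and `live_fetch` is what you would pass instead when probing a host you administer.

```python
"""Follow an admin URL's redirect chain and say whether it ends on HTTPS.

Added example, not from the forum thread. `fetch` is injected so the check can
run against constructed responses; `live_fetch` has the shape of a real probe.
"""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_redirects(start_url, fetch, max_hops=5):
    """Follow Location headers starting at start_url.

    fetch(url) -> (status_code, location_header_or_None).
    Returns (final_url, hops, looped). looped is True when a URL repeats
    or the hop budget is exhausted, which is how a missing RewriteCond shows up.
    """
    seen = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return url, len(seen) - 1, False
        if location in seen:
            return location, len(seen), True
        seen.append(location)
        url = location
    return url, max_hops, True


def admin_forced_to_https(start_url, fetch):
    """Verdict for one admin URL: 'ok', 'loop' or 'cleartext'."""
    final_url, _hops, looped = follow_redirects(start_url, fetch)
    if looped:
        return 'loop'
    if urlsplit(final_url).scheme != 'https':
        return 'cleartext'
    return 'ok'


def live_fetch(url):
    """HEAD request returning (status, Location); only for probing a host you run."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == 'https' else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request('HEAD', parts.path or '/')
        resp = conn.getresponse()
        return resp.status, resp.getheader('Location')
    finally:
        conn.close()


# --- constructed stand-ins for three server configurations (no network) ---

def _to_https(url):
    return 'https://' + url.split('://', 1)[1]


def correct_server(url):
    """RewriteCond %{HTTPS} off plus [R=301,L]: only plain-http admin requests redirect."""
    if url.startswith('http://') and '/admin' in url:
        return 301, _to_https(url)
    return 200, None


def looping_server(url):
    """Rule with [R] but no RewriteCond: the https request matches again and redirects to itself."""
    if '/admin' in url:
        return 301, _to_https(url)
    return 200, None


def no_rewrite_server(url):
    """No rule (or a rule without [R] that rewrites internally): the admin answers in the clear."""
    return 200, None


if __name__ == '__main__':
    probe = 'http://shop.example/shop/admin/'   # constructed hostname
    for name, server in (('correct', correct_server),
                         ('looping', looping_server),
                         ('no rewrite', no_rewrite_server)):
        print(f'{name:11s} -> {admin_forced_to_https(probe, server)}')
```

Against a real host, call `admin_forced_to_https('http://your-host/shop/admin/', live_fetch)`; a verdict of `loop` means the rule fires on both schemes, `cleartext` means it is not redirecting at all.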


Where and how can I SSL-enable the shop? When I type https://my secureserver.com I do receive a security alert notifying me of a secure connection.

But the secure connection is not activated automatically during checkout.

 

in admin/includes/configure.php and catalog/includes/configure.php I defined:

 

define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost or - https://localhost should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://my domain.com');
define('HTTPS_CATALOG_SERVER', 'https://my SSL url.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

Can anyone give any suggestions? Help pls.

Mark



read this line again:

define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost or - https://localhost should not be empty for productive servers

 

... simply make it https instead of http in admin/includes/configure.php
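A small audit of the defines quoted in this thread, so the "http instead of https" slip (and the placeholder URLs with spaces in them) is caught before the shop goes live. This is an added example in Python, not code from the thread or from osCommerce; it only knows the four constants that appear in the posts above (HTTP_SERVER, HTTP_CATALOG_SERVER, HTTPS_CATALOG_SERVER, ENABLE_SSL_CATALOG), and both sample files are constructed, the first from the defines as posted, the second with example.com placeholders after the advice has been applied.

```python
"""Audit the SSL-related defines in an osCommerce admin/includes/configure.php.

Added example, not from the thread or from osCommerce. Knows only the four
constants quoted in the thread; sample file contents below are constructed.
"""
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'value') with single-quoted arguments, as in configure.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def parse_defines(php_source):
    """Return {NAME: value} for every define('NAME', 'value') in the file."""
    return dict(DEFINE_RE.findall(php_source))


def _is_url(value, schemes):
    """True when value is a usable URL: allowed scheme, a host part, no spaces."""
    parts = urlsplit(value)
    return parts.scheme in schemes and bool(parts.netloc) and ' ' not in value


def audit_admin_configure(php_source):
    """Return a list of findings; an empty list means the admin side is set up for HTTPS."""
    cfg = parse_defines(php_source)
    findings = []
    if not _is_url(cfg.get('HTTP_SERVER', ''), ('https',)):
        findings.append('HTTP_SERVER %r: admin must be served over https:// or order and card data travel in the clear'
                        % cfg.get('HTTP_SERVER'))
    if not _is_url(cfg.get('HTTP_CATALOG_SERVER', ''), ('http', 'https')):
        findings.append('HTTP_CATALOG_SERVER %r: not a usable URL (placeholder left in, or a stray space?)'
                        % cfg.get('HTTP_CATALOG_SERVER'))
    if not _is_url(cfg.get('HTTPS_CATALOG_SERVER', ''), ('https',)):
        findings.append('HTTPS_CATALOG_SERVER %r: must be a real https:// URL or the catalog cannot switch to SSL'
                        % cfg.get('HTTPS_CATALOG_SERVER'))
    if cfg.get('ENABLE_SSL_CATALOG') != 'true':
        findings.append("ENABLE_SSL_CATALOG %r: must be the string 'true'" % cfg.get('ENABLE_SSL_CATALOG'))
    return findings


# Constructed sample: the defines as quoted in the post, spaces and all.
AS_POSTED = """
define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost or - https://localhost
 define('HTTP_CATALOG_SERVER', 'http://my domain.com');
 define('HTTPS_CATALOG_SERVER', 'https://my SSL url.com');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
"""

# Constructed sample: the same file after the thread's advice, with example.com placeholders.
FIXED = """
define('HTTP_SERVER', 'https://shop.example.com');
define('HTTP_CATALOG_SERVER', 'http://shop.example.com');
define('HTTPS_CATALOG_SERVER', 'https://shop.example.com');
define('ENABLE_SSL_CATALOG', 'true');
"""

if __name__ == '__main__':
    for label, src in (('as posted', AS_POSTED), ('fixed', FIXED)):
        print(label)
        for finding in audit_admin_configure(src) or ['no findings']:
            print('  -', finding)
```

Run it against your own file with `audit_admin_configure(open('admin/includes/configure.php').read())`; the posted sample yields three findings (the http:// admin URL and the two placeholder URLs), the corrected one none.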


Archived

This topic is now archived and is closed to further replies.
