Guest, posted May 7, 2003

I am able to access the admin area via simple http://. While in the admin area, I can view orders and any credit card information stored within an order. This means that the CC information is transmitted across the internet unencrypted. This poses a security risk and also a legal risk in light of the new California law on data security. I think that the admin area should be accessed via https://. This should probably be made standard, but should certainly be made an option. Implementation would require only some simple modifications to the links in the admin pages.
Guest, posted May 7, 2003

Accessing the admin via HTTPS is very simple to configure in includes/configure.php. In addition, you should add some kind of password protection via .htaccess or whatever other method you would like.
Emmtee, posted May 8, 2003

Maybe I can supply a hint here: if you're using Apache with mod_rewrite, then you can use it to enforce SSL mode (https) :)

Here are some examples. Place them inside httpd.conf, in the appropriate DEFAULT SERVER or VIRTUAL SERVER section:

    RewriteEngine On
    # RewriteLog is an Apache 2.2-era directive; it logs nothing unless
    # RewriteLogLevel is also raised above 0.
    RewriteLog "/var/log/httpd_rewrite.log"
    # Only rewrite requests that did not arrive over TLS. Without this
    # condition the rule also matches the redirected https:// request
    # and the browser loops forever.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/adm/(.*) https://%{SERVER_NAME}/adm/$1 [R,L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/shop/admin(.*) https://%{SERVER_NAME}/shop/admin$1 [R,L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/([^/]*)/admin(.*) https://%{SERVER_NAME}/$1/admin$2 [R,L]

If you want to password-protect that area, then just drop an appropriate .htaccess file inside each admin dir; even authentication will be encrypted then.

http://www.oscommerce.com/community/contributions,1762
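The complete picture that the post above sketches, as an added example (not code from the original thread or from osCommerce): a plain-HTTP virtual host that redirects only the admin path to TLS, and a TLS virtual host that refuses to serve the admin directory over anything but TLS and puts Basic authentication in front of it. The hostname shop.example.com, the paths under /var/www/html and /etc/httpd, and the certificate file names are assumptions for illustration.

```apache
# Added example configuration, not part of the original forum thread.
# Hostname, document root and certificate paths are placeholders.

<VirtualHost *:80>
    ServerName   shop.example.com
    DocumentRoot /var/www/html

    RewriteEngine On
    # Match only when the request did not arrive over TLS; otherwise the
    # rule would fire again on the redirected https request and loop.
    RewriteCond %{HTTPS} !=on
    # External redirect (R=301) to the same admin path on the TLS host.
    # L stops further rule processing for this request.
    RewriteRule ^/catalog/admin(.*)$ https://%{SERVER_NAME}/catalog/admin$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName   shop.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    <Directory /var/www/html/catalog/admin>
        # Belt and braces: even if the redirect above is misconfigured,
        # mod_ssl refuses to serve this directory over plain HTTP.
        SSLRequireSSL

        # Basic auth only base64-encodes the credentials, so the TLS
        # requirement above is what actually protects the password.
        AuthType     Basic
        AuthName     "osCommerce admin"
        AuthUserFile /etc/httpd/admin.htpasswd
        Require      valid-user
    </Directory>
</VirtualHost>
```

Create the password file once with `htpasswd -c /etc/httpd/admin.htpasswd adminuser` (drop `-c` when adding further users), keep it outside the document root, and check the redirect with `curl -I http://shop.example.com/catalog/admin/` followed by a second request to the https URL to confirm it answers 401 rather than 200 without credentials.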
Emmtee, posted May 8, 2003

I should mention that you should SSL-enable the shop in order to generate SSL links, as the current shop generates fully (un)qualified http:// links unless you set it to SSL or patch the SSL/non-SSL protocol prefix away.

http://www.oscommerce.com/community/contributions,1762
Marcusantonio, posted May 12, 2003

Where and how can I SSL-enable the shop? When I type https://my secureserver.com I do receive a security alert notifying me of a secure connection, but the secure connection is not activated automatically during checkout. In admin/includes/configure.php and catalog/includes/configure.php I defined:

    define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost or - https://localhost should not be empty for productive servers
    define('HTTP_CATALOG_SERVER', 'http://my domain.com');
    define('HTTPS_CATALOG_SERVER', 'https://my SSL url.com');
    define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

Can anyone give any suggestions? Help please.

Mark
Emmtee, posted May 12, 2003

> Where and how can I SSL-enable the shop? When I type https://my secureserver.com I do receive a security alert notifying me of a secure connection, but the secure connection is not activated automatically during checkout. In admin/includes/configure.php and catalog/includes/configure.php I defined:
>
>     define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost or - https://localhost should not be empty for productive servers
>     define('HTTP_CATALOG_SERVER', 'http://my domain.com');
>     define('HTTPS_CATALOG_SERVER', 'https://my SSL url.com');
>     define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
>
> Can anyone give any suggestions? Help please.
>
> Mark

Read this line again:

    define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost or - https://localhost should not be empty for productive servers

... simply make it https instead of http in admin/includes/configure.php.

http://www.oscommerce.com/community/contributions,1762