
Oscommerce setting to SSL Certificates from http to https



Conclusion to setting SSL Certificates in osCommerce v2.3.3.1

Most of this is copied from others, and I kept testing by trial and error. Feel free to correct.


1.    You need to set up a certificate; some hosting providers offer a free cert. (In cPanel, under the “SSL Certificates” icon, make sure that "Force SSL with https redirect" is checked.)


2.    Change in "includes/configuration.php" (and remember to set the permission back to 444 after modifying):

  define('HTTP_SERVER', 'https://www.domain.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.domain.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.domain.com');
  define('HTTPS_COOKIE_DOMAIN', 'www.domain.com');


3.    Change in "admin/includes/configuration.php" to:

  define('HTTP_SERVER', 'https://www.domain.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTP_CATALOG_SERVER', 'https://www.domain.com');
  define('HTTPS_CATALOG_SERVER', 'https://www.domain.com');
  define('ENABLE_SSL_CATALOG', 'true');


4.    Inside the store admin panel, go to Configuration ->> Sessions and change to these values:

  Force Cookie Use          True
  Check SSL Session ID      True
  Check User Agent          True
  Check IP Address          True
  Prevent Spider Sessions   True
  Recreate Session          True

5.    Change .htaccess:

# Redirect every plain-http request to the same URL over https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
# Tell browsers to use https only for the next year, subdomains included
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header unset X-Powered-By
Header unset Server
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
# Static files do not need the X-XSS-Protection header
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
    Header unset X-XSS-Protection
</FilesMatch>
</IfModule>







Remark:

A.      Here is the problem many people find

When you go to the https site, the browser still shows that your site is not secure.

The funny thing is that Microsoft Edge will show it as secure, but NOT Chrome or Opera.


Most sites do not mention changing, in "includes/configuration.php",

define('HTTP_SERVER', 'http://www.domain.com')  to  define('HTTP_SERVER', 'https://www.domain.com')

Sometimes it is because the site has an external insecure http link (e.g. an image link to http://xx).

But what I am working on is a simple shop. There is no such error, but it still shows the above ‘your site is not secure.’

This is because inside your page those links still point to insecure http (e.g. your product links). The funny thing is that when you click the product, it goes to a secure https site. But when you copy the link, it shows insecure http.

Thus, simply change everything to https.


B.      Or losing the CSS, images and layout (copied from user gassko)

Clear the browser cache.







This topic is now archived and is closed to further replies.
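
A way to check a rendered shop page for the leftover http references described in Remark A, added here as an example and not part of the original post. The names `scan` and `RefCollector`, the sample page, and the `<base href>` built from HTTP_SERVER are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page (not from the post); the <base href> built from
# HTTP_SERVER is an assumption about how the shop template emits links.
PAGE_URL = "https://www.domain.com/catalog/index.php"
SAMPLE = """<html><head>
<base href="http://www.domain.com/catalog/" />
<link rel="stylesheet" type="text/css" href="stylesheet.css" />
<script src="https://www.domain.com/catalog/ext/jquery.js"></script>
</head><body>
<a href="product_info.php?products_id=1"><img src="images/item.gif" /></a>
<form action="https://www.domain.com/catalog/login.php" method="post"></form>
</body></html>"""

# (tag, attribute) pairs the browser fetches while rendering: mixed content if http.
SUBRESOURCE = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href")}
# Pairs that only navigate or submit; the post moves these to https as well.
NAVIGATION = {("a", "href"), ("form", "action")}

class RefCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced when the page carries <base href>
        self.refs = []         # (kind, tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return             # e.g. rel="canonical" is not fetched as a subresource
        for kind, pairs in (("subresource", SUBRESOURCE), ("navigation", NAVIGATION)):
            for t, a in pairs:
                if t == tag and attrs.get(a):
                    self.refs.append((kind, tag, attrs[a].strip()))

def scan(html, page_url):
    """Return sorted (kind, tag, absolute_url) for references resolving to http://."""
    collector = RefCollector(page_url)
    collector.feed(html)
    collector.close()
    found = {(k, t, urljoin(collector.base, raw)) for k, t, raw in collector.refs}
    return sorted(r for r in found if r[2].lower().startswith("http://"))

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE, PAGE_URL):
        print(f"{kind:12} <{tag}> {url}")
```

Relative links are resolved against the page's base URL, so a single http base makes every relative stylesheet, image and product link show up as insecure; with the base switched to https the same page reports nothing.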
