osCommerce

How to secure admin with SSL?


peego


Hi,

 

I have my SSL set up and working properly. It's already protected by htaccess.

 

I would also like to secure the admin section with SSL since it does store CC#'s. I can change the URL from http://xxx.com/admin to:

 

https://xxx.com/admin

 

but all the links in the admin section are still just http.

 

Is there a way that all the links in the admin section can be https?

 

Thanks.


make sure your admin/includes/configure.php has the following set:

 

define('HTTP_CATALOG_SERVER', 'https://www.yourdomain.com');

define('HTTPS_CATALOG_SERVER', 'https://www.yourdomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module


No, that's not correct at all! Those three defines are for the catalog and you don't want HTTP_CATALOG_SERVER to be your https URL.

 

What you want instead is to define HTTP_SERVER in admin/includes/configure.php to be your https URL. You should also open the admin panel using an https URL.


This requires two simple changes. The first one in admin/includes/configure.php, set the HTTP_SERVER define to be your https URL. This will make all the links within admin secure.

 

Example:

  define('HTTP_SERVER', 'https://www.stickyweb.biz'); // eg, http://localhost - should not be empty for productive servers

 

 

Second, in admin/index.php, add the following just after the require of application_top.php:

 

// Redirect to the secure URL when the request came in over plain HTTP but
// HTTP_SERVER is an https URL. isset() avoids a PHP notice on plain requests,
// where $_SERVER['HTTPS'] is not defined at all.
if ((!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") && substr(HTTP_SERVER, 0, 5) == 'https') {
  header("Location: ".tep_href_link(FILENAME_DEFAULT));
  exit; // stop here, otherwise the page body is still sent over plain HTTP
}

 

This will make sure you start out with a secure link as well.

 

These instructions work, and work well. Cerberus had the right idea, just the wrong file.

 

Dan

Dan Stevens
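A stricter version of the admin/index.php check from Dan's post, added here as an example; it is not code from the thread or from osCommerce itself. It assumes the HTTP_SERVER and DIR_WS_ADMIN defines from admin/includes/configure.php are loaded (they are, after application_top.php) and that a shared-SSL proxy, such as the ssl.perfora.net setup discussed later in the thread, passes the original scheme in an X-Forwarded-Proto header, which is an assumption about the host.

```php
<?php
// Added example, not code from the thread or from osCommerce itself. Assumes
// it runs in admin/index.php after application_top.php, so HTTP_SERVER and
// DIR_WS_ADMIN are defined. The X-Forwarded-Proto header name is an assumption
// about how a shared-SSL proxy reports the original scheme; check what your
// host actually sends before relying on it.

function admin_request_is_https()
{
    // Direct TLS: PHP sets HTTPS to "on" (IIS sets "off" for plain requests).
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    // Some servers leave HTTPS unset but still serve TLS on port 443.
    if (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443) {
        return true;
    }
    // TLS terminated by a proxy: PHP only sees plain HTTP, so a bare HTTPS check
    // would redirect forever. Trust this header only if the proxy always sets
    // it; otherwise a client can send it itself and skip the redirect.
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

function admin_https_redirect_url()
{
    // Send the user to the https version of the page they asked for (query
    // string included) rather than always back to the admin start page.
    // DIR_WS_ADMIN already starts and ends with a slash in configure.php.
    $page  = basename($_SERVER['SCRIPT_NAME']);
    $query = empty($_SERVER['QUERY_STRING']) ? '' : '?' . $_SERVER['QUERY_STRING'];
    return HTTP_SERVER . DIR_WS_ADMIN . $page . $query;
}

if (substr(HTTP_SERVER, 0, 5) == 'https' && !admin_request_is_https()) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: ' . admin_https_redirect_url());
    // Without exit the admin page body is still generated and sent over plain
    // HTTP along with the redirect, which defeats the purpose of the check.
    exit;
}
```

If the page still loops, log what $_SERVER['HTTPS'], SERVER_PORT and the forwarded-proto header contain on the https URL; the loop means none of the three checks recognises the request as secure.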


  • 7 months later...

Works like a charm. Fantastic and simple to modify. I have seen a lot of postings about securing admin, but this is the simplest and correct method. Even if you key in http, after the password prompt it will bring you directly to https.

 

Thanks a lot for the tips.

Regards,

Kevin


Thank you!!

 

You gave me the quickest solution going. The support dudes at my host couldn't tell me how to do this without messing with the rest of the website!

Cheyun

 

 

Hi,

 

May I ask if your host offers SSL, or if not, where you got it and for how much?

 

Thanks

Monika

:-)

Monika

 

addicted to writing code ... can't get enough of databases either, LOL!

 

my toolbox: Textpad - Compare and Merge - phpMyAdmin - WS_FTP - Photoshop - How to search the forum

 

Interactive Media Award July 2007 ~ category E-Commerce

my advice on the forum is for free, PMs where you send me work are considered consultation which I charge for ...


  • 1 month later...
This requires two simple changes. The first one in admin/includes/configure.php, set the HTTP_SERVER define to be your https URL. This will make all the links within admin secure.

 

Example:

  define('HTTP_SERVER', 'https://www.stickyweb.biz'); // eg, http://localhost - should not be empty for productive servers

Second, in admin/index.php, add the following just after the require of application_top.php:

 

// Redirect to the secure URL when the request came in over plain HTTP but
// HTTP_SERVER is an https URL. isset() avoids a PHP notice on plain requests,
// where $_SERVER['HTTPS'] is not defined at all.
if ((!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") && substr(HTTP_SERVER, 0, 5) == 'https') {
  header("Location: ".tep_href_link(FILENAME_DEFAULT));
  exit; // stop here, otherwise the page body is still sent over plain HTTP
}

 

This will make sure you start out with a secure link as well.

 

These instructions work, and work well. Cerberus had the right idea, just the wrong file.

 

Dan

 

I tried this and it works partly in SSL mode. But I have the following problems (I am sure it is related to some screwed-up config settings from following all kinds of postings on this matter; very confusing for a newbie like me):

 

1. with the change in admin/index.php I get the following message:

"Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked". So I commented this change out.

 

2. I made this change in admin/includes/configure.php:

define('HTTP_SERVER', 'https://ssl.perfora.net/gobosource.com');

 

and it works in SSL mode, but somehow several links are not working, in particular links related to contributions, such as downloading QBI iif files or adding products to an order within order administration with the order edit contribution. See details in the config file below, where I played with the "DIR_WS_CATALOG" settings without knowing if this is the right place to tweak.

 

When I switch back to the old settings

"define('HTTP_SERVER', 'http://www.gobosource.com')"

it seems to be working fine.

 

maybe we should rename "configure.php" to "go_figure.php" for users like me. :blush:

 

More:

I applied a change somewhere in a php file in order to get the padlocks to show when SSL is active; I would have to search for the details.

 

Server root is:

_SERVER["DOCUMENT_ROOT"] /homepages/xx/xxxxxxxxx/htdocs/gobosource

 

 

Questions:

 

1. How to change my config in order to get the links to work?

 

2. Cookies:

Shall I define a cookie path or not for a shared certificate? I see confusing postings.

My server info tells me:

session.cookie_path /shop/catalog/admin/

 

3. Any other configuration related hints?

 

Here are my config files. I am posting both, so hopefully somebody who knows what they are doing (unlike me) can give me some hints.

 

Your help is greatly appreciated.

 

Uli

 

 

 

/admin/includes/configure.php

 

 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

<?php

/*

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

*/

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'https://ssl.perfora.net/gobosource.com'); // eg, http://localhost - should not be empty for productive servers

// Switches admin back to non SSL mode

// define('HTTP_SERVER', 'http://www.gobosource.com');

define('HTTP_CATALOG_SERVER', 'http://www.gobosource.com');

define('HTTPS_CATALOG_SERVER', 'https://ssl.perfora.net/gobosource.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('DIR_FS_DOCUMENT_ROOT', '/homepages/46/d90146093/htdocs/gobosource'); // where the pages are located on the server

define('DIR_WS_ADMIN', '/shop/catalog/admin/'); // absolute path required

define('DIR_FS_ADMIN', '/homepages/46/d90146093/htdocs/gobosource/shop/catalog/admin/'); // absolute path required

 

// with this setting, i.e the link for adding a product in order editor generates this link

// https://ssl.perfora.net/shop/catalog/admin/..._product&step=1

// instead it should say:

//https://ssl.perfora.net/gobosource.com/shop/catalog/admin/edit_orders.php?oID=11059&action=add_product&step=1

define('DIR_WS_CATALOG', '/shop/catalog/'); // absolute path required

 

// with this setting the above link for the order editor works but i.e. links in order confirmation emails have "gobosource.com" twice

// https://ssl.perfora.net/gobosource.com/gobo...?order_id=11059

// define('DIR_WS_CATALOG', '/gobosource.com/shop/catalog/'); // absolute path required

 

define('DIR_FS_CATALOG', '/homepages/xx/xxxxxxxx/htdocs/gobosource/shop/catalog/'); // absolute path required

 

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

// define our database connection

define('DB_SERVER', 'db146.perfora.net'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'xxxxxxxxxxxx');

define('DB_SERVER_PASSWORD', 'xxxxxxxxxxx');

define('DB_DATABASE', 'xxxxxxxxxxxxx');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

// iii 030813 added: Option Type Feature and File Uploading

define('PRODUCTS_OPTIONS_TYPE_SELECT', 0);

define('PRODUCTS_OPTIONS_TYPE_TEXT', 1);

define('PRODUCTS_OPTIONS_TYPE_RADIO', 2);

define('PRODUCTS_OPTIONS_TYPE_CHECKBOX', 3);

define('PRODUCTS_OPTIONS_TYPE_FILE', 4);

define('PRODUCTS_OPTIONS_VALUE_TEXT_ID', 0); //Must match id for user defined "Text" value in db table TABLE_PRODUCTS_OPTIONS_VALUES

 

// for upload links

// define('DIR_WS_CATALOG_IMAGES_UPLOADS', DIR_WS_CATALOG_IMAGES . 'uploads/');

define('DIR_WS_CATALOG_IMAGES_UPLOADS', HTTP_CATALOG_SERVER . '/shop/catalog/images/uploads/');

define('DIR_FS_CATALOG_IMAGES_UPLOADS', DIR_FS_CATALOG_IMAGES . 'uploads/');

?>

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

 

 

catalog/includes/configure.php

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

<?php

/*

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

*/

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.gobosource.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://ssl.perfora.net/gobosource.com'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.gobosource.com');

define('HTTPS_COOKIE_DOMAIN', '');

// define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net/gobosource.com');

define('HTTP_COOKIE_PATH', '/shop/catalog/');

define('HTTPS_COOKIE_PATH', '');

// define('HTTPS_COOKIE_PATH', '/shop/catalog/');

define('DIR_WS_HTTP_CATALOG', '/shop/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/shop/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/homepages/xx/xxxxxxx/htdocs/gobosource/shop/catalog/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

// file upload changes

define('DIR_WS_UPLOADS', DIR_WS_IMAGES . 'uploads/');

define('DIR_FS_UPLOADS', DIR_FS_CATALOG . DIR_WS_UPLOADS);

 

// define our database connection

define('DB_SERVER', 'xxxxxx.perfora.net'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'xxxxxxx');

define('DB_SERVER_PASSWORD', 'xxxxxxxxxxx');

define('DB_DATABASE', 'xxxxxxxxxx');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

 

// CLR 020605 defines needed for Product Option Type feature.

define('PRODUCTS_OPTIONS_TYPE_SELECT', 0);

define('PRODUCTS_OPTIONS_TYPE_TEXT', 1);

define('PRODUCTS_OPTIONS_TYPE_RADIO', 2);

define('PRODUCTS_OPTIONS_TYPE_CHECKBOX', 3);

 

// iii 030813 added: File Uploading: FILE type and UPLOAD_PREFIX

define('PRODUCTS_OPTIONS_TYPE_FILE', 4);

define('UPLOAD_PREFIX', 'upload_');

define('TEXT_PREFIX', 'txt_');

define('PRODUCTS_OPTIONS_VALUE_TEXT_ID', 0); //Must match id for user defined "Text" value in db table TABLE_PRODUCTS_OPTIONS_VALUES

 

define('DIR_WS_UPLOADS', DIR_WS_IMAGES . 'uploads/');

define('DIR_FS_UPLOADS', DIR_FS_CATALOG . DIR_WS_UPLOADS);

?>

 

>>>>>>>>>>>>>>>>>>>>>>>>>>

 

Thanks

Uli
