  1. #1
    Join Date
    Mar 2011
    Posts
    78
    Plugin Contributions
    0

    Admin - if SSL enabled, should every Admin page be in SSL?

    Hi there,

    I've recently enabled SSL on my site.

    It works as it should on the catalog side with only user data entry pages in HTTPS.

    On the admin side, the log in page and the first page after logging in is in HTTPS. If I click on any other subsequent links in the admin, it goes back to unsecured HTTP only.

    I thought all of Admin side would be in HTTPS after SSL is enabled?

    Thanks.

    Regards,
    Kamion

  2. #2
    Join Date
    Jan 2004
    Posts
    58,246
    Blog Entries
    3
    Plugin Contributions
    106

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    The FAQ article, which explains how to enable SSL on your site, contains a note about what to do if you want your entire Admin to be delivered over SSL:
    http://www.zen-cart.com/content.php?...alled-zen-cart
    ADMIN SECURITY NOTE: In Zen Cart v1.x, if you want to secure all your ADMIN pages with SSL, set the HTTP_SERVER in your "/admin/includes/configure.php" to the same working URL as your HTTPS_SERVER setting. (You will then have both an HTTP_SERVER and HTTPS_SERVER defined to the same value.)

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Mar 2011
    Posts
    78
    Plugin Contributions
    0

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    Thanks, DrByte. Though I was following the FAQ when I was enabling SSL, I missed that note somehow. Oops.

  4. #4
    Join Date
    Apr 2010
    Posts
    1
    Plugin Contributions
    0

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    Quote Originally Posted by kamion View Post
    Thanks, DrByte. Though I was following the FAQ when I was enabling SSL, I missed that note somehow. Oops.
    Can I set define('HTTP_SERVER', 'www.mysite.com'); instead of: define('HTTP_SERVER', 'http://www.mysite.com');
    Can someone confirm it?

  5. #5
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    3,946
    Plugin Contributions
    1

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    Quote Originally Posted by billygwo View Post
    Can I set define('HTTP_SERVER', 'www.mysite.com'); instead of: define('HTTP_SERVER', 'http://www.mysite.com');
    Can someone confirm it?
    It's best not to. The http/https is what tells the server the protocol to use.

    What problem are you trying to solve?

    Cheers
    Rod
    New support site for the ozpost shipping module now live!

  6. #6
    Join Date
    Jan 2004
    Posts
    58,246
    Blog Entries
    3
    Plugin Contributions
    106

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    Quote Originally Posted by billygwo View Post
    Can I set define('HTTP_SERVER', 'www.mysite.com'); instead of: define('HTTP_SERVER', 'http://www.mysite.com');
    Can someone confirm it?
    Definitely not. You MUST specify the protocol. Otherwise you will have broken links all over your sites.

  7. #7
    Join Date
    Sep 2010
    Posts
    34
    Plugin Contributions
    0

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    Hi,
    running 1.3.9H trying to get PCI-DSS compliant, have checked the detail in:
    ADMIN SECURITY NOTE: In Zen Cart v1.x, if you want to secure all your ADMIN pages with SSL, set the HTTP_SERVER in your "/admin/includes/configure.php" to the same working URL as your HTTPS_SERVER setting. (You will then have both an HTTP_SERVER and HTTPS_SERVER defined to the same value.) (Also, if your DIR_WS_ADMIN looks something like '/adminfoldername/' and doesn't have references to $p1 or any other $ variables in it, then do the same with DIR_WS_ADMIN to make it match DIR_WS_HTTPS_ADMIN.) THIS IS REQUIRED FOR PCI COMPLIANCE, and will happen automatically with new installations of v1.5.x and newer.
    but I am still getting most of the admin side pages falling out of the https

    admin login page ok, admin page ok, but everything else not, any ideas please?

    thanks in advance.

    regards,

    ed

  8. #8
    Join Date
    Aug 2005
    Posts
    26,017
    Plugin Contributions
    9

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    voluntaryist,

    Post your admin configure.php file contents here
    mask db details
    Zen-Venom Get Bitten
    Get Your Business Found

  9. #9
    Join Date
    Sep 2010
    Posts
    34
    Plugin Contributions
    0

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    Hi Kobra,
    thanks for offering to take a look ;-)

    here is the complete file content (I have masked the necessary detail as per your advice)
    <?php
    //
    /**
    *
    * @package Configuration Settings
    * @copyright Copyright 2003-2006 Zen Cart Development Team
    * @copyright Portions Copyright 2003 osCommerce
    * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
    * Created by JSweb Zen Auto install script
    */

    // Define the webserver and path parameters
    // Main webserver: eg, http://localhost - should not be empty for productive servers
    // HTTP_SERVER is your Main webserver: eg, http://www.yourdomain.com
    // HTTPS_SERVER is your Secure webserver: eg, https://www.yourdomain.com
    // HTTP_CATALOG_SERVER is your Main webserver: eg, http://www.yourdomain.com
    // HTTPS_CATALOG_SERVER is your Secure webserver: eg, https://www.yourdomain.com
    /*
    * URLs for your site will be built via:
    * HTTP_SERVER plus DIR_WS_ADMIN or
    * HTTPS_SERVER plus DIR_WS_HTTPS_ADMIN or
    * HTTP_SERVER plus DIR_WS_CATALOG or
    * HTTPS_SERVER plus DIR_WS_HTTPS_CATALOG
    * ...depending on your system configuration settings
    */
    define('HTTP_SERVER', 'http://www.mywebsite.co.uk');
    define('HTTPS_SERVER', 'https://www.mywebsite.co.uk');
    define('HTTP_CATALOG_SERVER', 'http://www.mywebsite.co.uk');
    define('HTTPS_CATALOG_SERVER', 'https://www.mywebsite.co.uk');

    // Use secure webserver for catalog module and/or admin areas?
    define('ENABLE_SSL_CATALOG', 'true');
    define('ENABLE_SSL_ADMIN', 'true');

    // NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!
    // * DIR_WS_* = Webserver directories (virtual/URL)
    // these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
    define('DIR_WS_ADMIN', '/123456/');
    define('DIR_WS_CATALOG', '/');
    define('DIR_WS_HTTPS_ADMIN', '/123456/');
    define('DIR_WS_HTTPS_CATALOG', '/');

    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_CATALOG_IMAGES', HTTP_CATALOG_SERVER . DIR_WS_CATALOG . 'images/');
    define('DIR_WS_CATALOG_TEMPLATE', HTTP_CATALOG_SERVER . DIR_WS_CATALOG . 'includes/templates/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_CATALOG_LANGUAGES', HTTP_CATALOG_SERVER . DIR_WS_CATALOG . 'includes/languages/');

    // * DIR_FS_* = Filesystem directories (local/physical)
    //the following path is a COMPLETE path to your Zen Cart files. eg: /var/www/vhost/accountname/public_html/store/
    define('DIR_FS_ADMIN', '/hsphere/local/home/mywebsite/mywebsite.co.uk/123456/');
    define('DIR_FS_CATALOG', '/hsphere/local/home/mywebsite/mywebsite.co.uk/');

    define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
    define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
    define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
    define('DIR_FS_CATALOG_TEMPLATES', DIR_FS_CATALOG . 'includes/templates/');
    define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
    define('DIR_FS_EMAIL_TEMPLATES', DIR_FS_CATALOG . 'email/');
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

    // define our database connection
    define('DB_TYPE', 'mysql');
    define('DB_PREFIX', 'zen_');
    define('DB_SERVER', 'mysql.maskedlocation.co.uk'); // eg, localhost - should not be empty
    define('DB_SERVER_USERNAME', 'masked_username');
    define('DB_SERVER_PASSWORD', '**********');
    define('DB_DATABASE', 'masked_database_name');
    define('USE_PCONNECT', 'false'); // use persistent connections?
    define('STORE_SESSIONS', 'db'); // leave empty '' for default handler or set to 'db'

    // The next 2 'defines' are for SQL cache support.
    // For SQL_CACHE_METHOD, you can select from: none, database, or file
    // If you choose 'file', then you need to set the DIR_FS_SQL_CACHE to a directory where your apache
    // or webserver user has write privileges (chmod 666 or 777). We recommend using the 'cache' folder inside the Zen Cart folder
    // ie: /path/to/your/webspace/public_html/zen/cache -- leave no trailing slash
    define('SQL_CACHE_METHOD', 'none');
    define('DIR_FS_SQL_CACHE', '/hsphere/local/home/mywebsite/mywebsite.co.uk/cache');
    //eof

    my thanks in advance ;-)

    regards,

    ed

  10. #10
    Join Date
    Jan 2004
    Posts
    58,246
    Blog Entries
    3
    Plugin Contributions
    106

    Re: Admin - if SSL enabled, should every Admin page be in SSL?

    Quote Originally Posted by voluntaryist.only View Post
    Hi,
    running 1.3.9H trying to get PCI-DSS compliant, have checked the detail in:
    ADMIN SECURITY NOTE: In Zen Cart v1.x, if you want to secure all your ADMIN pages with SSL, set the HTTP_SERVER in your "/admin/includes/configure.php" to the same working URL as your HTTPS_SERVER setting. (You will then have both an HTTP_SERVER and HTTPS_SERVER defined to the same value.) (Also, if your DIR_WS_ADMIN looks something like '/adminfoldername/' and doesn't have references to $p1 or any other $ variables in it, then do the same with DIR_WS_ADMIN to make it match DIR_WS_HTTPS_ADMIN.) THIS IS REQUIRED FOR PCI COMPLIANCE, and will happen automatically with new installations of v1.5.x and newer.
    but I am still getting most of the admin side pages falling out of the https

    admin login page ok, admin page ok, but everything else not, any ideas please?

    thanks in advance.

    regards,

    ed
    Quote Originally Posted by voluntaryist.only View Post
    define('HTTP_SERVER', 'http://www.mywebsite.co.uk');
    But, contrary to the instructions you quoted, you've not changed the HTTP_SERVER URL to be https://www.mywebsite.co.uk the way the HTTPS_SERVER URL is.

    How would you suggest the FAQ wording be changed to make it more clear?
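An added checker (not Zen Cart's own code, and not posted by anyone in this thread) for the two configure.php mistakes discussed above: an HTTP_SERVER without a protocol (posts #4 to #6) and an HTTP_SERVER that does not match HTTPS_SERVER while ENABLE_SSL_ADMIN is on (post #10). The sample file contents and hostname are constructed; `parse_defines`, `check_admin_ssl` and `apply_faq_fix` are hypothetical helper names.

```python
import re

# Constructed sample in the shape of a Zen Cart admin/includes/configure.php
# (hypothetical host; not the poster's file). HTTP_SERVER is still plain
# http://, the mismatch DrByte points out in post #10.
SAMPLE_CONFIGURE_PHP = """<?php
define('HTTP_SERVER', 'http://www.example.test');
define('HTTPS_SERVER', 'https://www.example.test');
define('ENABLE_SSL_ADMIN', 'true');
define('DIR_WS_ADMIN', '/123456/');
define('DIR_WS_HTTPS_ADMIN', '/123456/');
"""

# Matches only defines whose value is a single-quoted string literal;
# concatenations such as DIR_WS_IMAGES . 'icons/' are deliberately skipped.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")

def parse_defines(php_source):
    """Map NAME -> value for single-quoted string defines only."""
    return dict(DEFINE_RE.findall(php_source))

def check_admin_ssl(defines):
    """Return findings; an empty list means the admin matches the FAQ note."""
    findings = []
    http = defines.get('HTTP_SERVER', '')
    https = defines.get('HTTPS_SERVER', '')
    for name, url in (('HTTP_SERVER', http), ('HTTPS_SERVER', https)):
        if not re.match(r'^https?://', url):
            findings.append(f"{name} has no protocol ('{url}'): links will break")
    if not https.startswith('https://'):
        findings.append("HTTPS_SERVER must begin with https://")
    if defines.get('ENABLE_SSL_ADMIN') != 'true':
        findings.append("ENABLE_SSL_ADMIN is not 'true'")
    if http != https:
        findings.append("HTTP_SERVER differs from HTTPS_SERVER: admin pages "
                        "after login will be built as plain http:// links")
    ws = defines.get('DIR_WS_ADMIN', '')
    # The FAQ note exempts DIR_WS_ADMIN values built from $ variables.
    if '$' not in ws and ws != defines.get('DIR_WS_HTTPS_ADMIN', ''):
        findings.append("DIR_WS_ADMIN differs from DIR_WS_HTTPS_ADMIN")
    return findings

def apply_faq_fix(defines):
    """Copy with HTTP_SERVER (and a plain DIR_WS_ADMIN) set to the HTTPS values."""
    fixed = dict(defines)
    fixed['HTTP_SERVER'] = fixed.get('HTTPS_SERVER', '')
    if '$' not in fixed.get('DIR_WS_ADMIN', ''):
        fixed['DIR_WS_ADMIN'] = fixed.get('DIR_WS_HTTPS_ADMIN', '')
    return fixed
```

Run `check_admin_ssl(parse_defines(open('admin/includes/configure.php').read()))` against a masked copy of your own file; the DB defines are parsed too, so do not paste the output anywhere public.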
