  1. #1
    Join Date
    Nov 2013
    Posts
    7
    Plugin Contributions
    0

    Force checkout pages to redirect to HTTPS

    Hello there,

    On our client's site, the Zen Cart pages switch from HTTP to HTTPS at checkout and back again by default as they should. However, we've noticed that they will still load if the other protocol is typed in manually. It seems particularly alarming that pages that should always be secure will load fine as HTTP. How can we force the pages to redirect to the correct protocol?

    Thanks!

  2. #2
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Re: Force checkout pages to redirect to HTTPS

    Quote Originally Posted by jennibr View Post
    Hello there, On our client's site, the Zen Cart pages switch from HTTP to HTTPS at checkout and back again by default as they should. However, we've noticed that they will still load if the other protocol is typed in manually. It seems particularly alarming that pages that should always be secure will load fine as HTTP. How can we force the pages to redirect to the correct protocol? Thanks!
    Although I wouldn't worry about it (otherwise it wouldn't be allowed), I would say that the htaccess file would be the route to go to prevent the affected pages from being able to be loaded sans https. Need to have it identify that if not a secure connection, and is any of the pages of concern, then to redirect to the same page name but on the secure host path. That's my two cents worth. As to the lack of concern, what is really being transferred at that point of changing over, and what shopper is going to manually change to a non-secure mode? Next thing too is that on the next page load it should change back I thought, so what does anyone gain by changing over to a nonsecure version of the page while it is displayed?
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
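
The .htaccess approach outlined in post #2, written out as an added example that is not part of the original thread or of Zen Cart itself. It assumes Apache with mod_rewrite and Zen Cart's default `index.php?main_page=<page>` URLs; `shop.example.com` is a placeholder host and the page list is illustrative.

```apache
# Added example (not from the thread). Assumptions: Apache + mod_rewrite,
# default Zen Cart URLs, shop.example.com as a placeholder for the secure host.
<IfModule mod_rewrite.c>
  RewriteEngine On

  # 1. Only act on requests that arrived without TLS.
  #    Behind a TLS-terminating proxy or load balancer %{HTTPS} is always
  #    "off" at the origin; test the forwarded header there instead:
  #    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
  RewriteCond %{HTTPS} !=on

  # 2. Only act on the pages of concern (illustrative list, adjust per site).
  RewriteCond %{QUERY_STRING} (^|&)main_page=(login|create_account|account[a-z_]*|checkout_[a-z_]+)(&|$) [NC]

  # 3. Redirect to the same path on the secure host. The host is hard-coded
  #    rather than taken from %{HTTP_HOST}, so a forged Host header cannot
  #    steer the redirect. The original query string is appended automatically.
  RewriteRule ^ https://shop.example.com%{REQUEST_URI} [R=301,L]
</IfModule>
```

A redirect only corrects requests that reach the server; the initial plain-HTTP request has already crossed the network unencrypted by the time the rule fires.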

  3. #3
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Re: Force checkout pages to redirect to HTTPS

    Quote Originally Posted by jennibr View Post
    Hello there,

    On our client's site, the Zen Cart pages switch from HTTP to HTTPS at checkout and back again by default as they should. However, we've noticed that they will still load if the other protocol is typed in manually. It seems particularly alarming that pages that should always be secure will load fine as HTTP. How can we force the pages to redirect to the correct protocol?

    Thanks!
    As "mc12345678" has stated, I wouldn't worry about this. In fact I'd even go as far as to say that you should leave it this way because by forcing the use of SSL you will be denying access to those people that aren't using SSL capable browsers.

    The only time that this denial would be considered acceptable is if your site is handling credit card payments directly (IOW not via a Gateway), and this is due to PCI compliance requirements.

    Admittedly, very few people would be using a non-SSL capable browser these days, but their $$$ is just as good as anyone else's :)

    Cheers
    RodG

  4. #4
    Join Date
    Jul 2005
    Location
    Upstate NY
    Posts
    22,010
    Plugin Contributions
    25

    Re: Force checkout pages to redirect to HTTPS

    This has been discussed in some detail before, and I recall DrByte stressing that no matter what the page URL says when you are typing the order information, it will always be sent securely. That cannot be affected by someone trying to artificially defeat the HTTPS.

    This was in regard to some PCI scan company trying to fail somebody's test for bogus reasons.

  5. #5
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Re: Force checkout pages to redirect to HTTPS

    Quote Originally Posted by gjh42 View Post
    I recall DrByte stressing that no matter what the page URL says when you are typing the order information, it will always be sent securely.
    http://stackoverflow.com/questions/8...sl-certificate

  6. #6
    Join Date
    Nov 2013
    Posts
    7
    Plugin Contributions
    0

    Re: Force checkout pages to redirect to HTTPS

    OK, gotcha. What y'all have said makes sense. Thanks, everyone! :-)

 

 

Zen-Cart, Internet Selling Services, Klamath Falls, OR