Ensuring SSL only access to the cart

[feef]

I've installed an SSL cert, reconfigured the site to use SSL and https access works when clicking thru the payment process.

However, if you remove the "s" form https when in the cart (or enter the cart URL manually over http) and load the page that way, you are still able to see, and submit card and personal data over http.

Is there a way of ensuring ALL access to the pages index.php?main_page=checkout_[XXX] are redirected to their SSL conterparts?

Thanks

a

[Kim]

However, if you remove the "s" form https when in the cart (or enter the cart URL manually over http) and load the page that way, you are still able to see, and submit card and personal data over http

Not exactly - All of the form information is still sent via https as long as your cart and certificate are configured correctly.

[feef]

Not exactly - All of the form information is still sent via https as long as your cart and certificate are configured correctly.

I recognise that, but I'd rather have it so that any page where you're entering creditcard numbers has been served over SSL.

I've worked it out using mod_rewrite in a .htaccess file.

Code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^main_page=checkout_(.*)$
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) https://%{server_name}/$1 [R]

i.e.
Turn on the rewrite ening
Match cases where the query string has checkout_[foo] (where foo could be "confirmation", "shipping" or "payment")
Then check if you're not using port 443
and if not then rewrite to https://