  1. #1

    When Might SSL-Only Access Be Possible ???

    Am on 1.3.9.h

    Hi, I know this has to have been addressed but searching within the forum for "SSL" keeps showing zero entries. Did find one Google entry but the answer was ... less than satisfactory. Basically "Doctor it hurts when I do this." "So, don't do that."

    SSL is really messed up. If I run a completely SSL site, nothing can be updated in the admin, as some data wants to be transmitted insecurely and this prevents the update from occurring.

    Even setting HTTP_SERVER in both configure's to https and setting ENABLE_SSL to true doesn't work. It still goes to http: as default.

    And don't try to use any .htaccess code to force SSL, that's when the cart breaks on updating anything in the admin. Though miraculously the store itself seems to function OK.

    This is cross-browser.

    Any idea how to get a true SSL site to work in the admin? I do NOT want to see http: in the address bar at all. It must be possible as the main store works fine, even when using .htaccess to force SSL for the entire browsing session.

    It appears to be using both SSL & non-SSL at the same time, and since I only want SSL the non-secure part is bombing out the whole thing.

    Been a while since I've hacked into the core code ... if anyone has an idea where to look I'd be glad to take a gander at it.

    Thanks!

  2. #2

    Re: When Might SSL-Only Access Be Possible ???

    Originally posted by jman:
    > Even setting HTTP_SERVER in both configure's to https and setting ENABLE_SSL to true doesn't work. It still goes to http: as default.

    That doesn't make any sense. I use an https address in my admin HTTP_SERVER settings all the time, on multiple sites.

    Unless maybe you've got addons or custom code that has hard-coded http URLs into your custom pages somehow, then there's no reason to expect what you're describing.

    If you give Zen Cart only an https address in the HTTP_SERVER setting, then it will ONLY operate in https ... because it knows nothing different.

    Maybe you've got some weird redirections happening due to .htaccess which are overriding the very simple URL generation that Zen Cart does.
    Or addons which break normal functionality.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
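A way to check the two points raised in the reply above, that the configure files carry only https addresses and that no addon hard-codes http URLs (an added example, not part of the thread and not Zen Cart's own code). The sample file contents and host names are constructed, and treating every define whose name ends in `_SERVER` as a server address is an assumption.

```python
import re

# Matches an uncommented PHP define('NAME', 'value'); with either quote style.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""", re.M)
# Plain-http URL inside an href/src/action attribute.
HARDCODED_RE = re.compile(r"""(?:href|src|action)\s*=\s*['"](http://[^'"]+)""", re.I)

def parse_defines(php_text):
    """Return {NAME: value}; the first define of a name wins, as in PHP."""
    defs = {}
    for name, value in DEFINE_RE.findall(php_text):
        defs.setdefault(name, value)
    return defs

def audit(label, php_text):
    """List settings in one configure.php that keep the site off https."""
    defs = parse_defines(php_text)
    findings = [f"{label}: {n} is plain http ({v})" for n, v in defs.items()
                if n.endswith("_SERVER") and v.lower().startswith("http://")]
    findings += [f"{label}: {n} is '{v}', not 'true'" for n, v in defs.items()
                 if n.startswith("ENABLE_SSL") and v.lower() != "true"]
    return findings

def hardcoded_http(text):
    """Return (line_number, url) for each plain-http URL in template/addon code."""
    return [(n, m.group(1))
            for n, line in enumerate(text.splitlines(), 1)
            for m in HARDCODED_RE.finditer(line)]

# Constructed samples: a clean storefront config, an admin config that still
# has an http address, and an addon template with hard-coded http URLs.
STORE_CFG = """<?php
define('HTTP_SERVER', 'https://shop.example.com');
define('ENABLE_SSL', 'true');
"""
ADMIN_CFG = """<?php
// define('HTTP_SERVER', 'https://shop.example.com');
define('HTTP_SERVER', 'http://shop.example.com');
define('ENABLE_SSL', 'false');
"""
ADDON_TPL = """<form action="http://shop.example.com/index.php?main_page=login" method="post">
<a href="https://shop.example.com/">home</a>
<img src="http://cdn.example.com/logo.png">
"""

if __name__ == "__main__":
    for finding in audit("store", STORE_CFG) + audit("admin", ADMIN_CFG):
        print(finding)
    for line_no, url in hardcoded_http(ADDON_TPL):
        print(f"addon template line {line_no}: {url}")
```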

  3. #3

    Re: When Might SSL-Only Access Be Possible ???

    Originally posted by jman:
    > Any idea how to get a true SSL site to work in the admin?

    https://www.zen-cart.com/tutorials/index.php?article=14

    Originally posted by jman:
    > I do NOT want to see http: in the address bar at all.

    Enabling SSL for the entire site is not a good idea.

    Originally posted by jman:
    > It must be possible as the main store works fine, even when using .htaccess to force SSL for the entire browsing session.

    Err, you probably shouldn't be doing this, it is sure to cause conflicts with the existing zen code.

    Originally posted by jman:
    > Been a while since I've hacked into the core code ... if anyone has an idea where to look I'd be glad to take a gander at it.

    As with the .htaccess manipulation, you really shouldn't need to do this. Zen Cart is quite capable of correctly supporting SSL 'out of the box'. It just needs correct configuration.

    Also, as well as searching the forums for answers, you (and many others) really should check out the FAQs and Tutorials, because more often than not they will answer any questions you have.

    It took all of 5 seconds to find the link I just gave.

    Cheers
    Rod

  4. #4

    Re: When Might SSL-Only Access Be Possible ???

    Thanks for the replies, and apologies for any confusion. I sit corrected. ;)

    Looks like caching was killing me. Had updated http_server to https://my.store.com and at first it still gave me the non-ssl version. Having cleared the browser cache & restarting, it's now properly serving from https, and the admin update problem is gone.

    Curious though, why would using .htaccess to force an SSL redirect break the admin, but not the store?

    Take care!

  5. #5

    Re: When Might SSL-Only Access Be Possible ???

    The search engines completely ignore a site that runs on full SSL. If you have any intentions of featuring on Google, Bing, Yahoo, Ask, AOL - even on SERP 1,000,000,000,000,000,000... then configure your site to invoke SSL the way it was designed to do.

    Additionally, SSL will SLOW a site down quite a bit...
    20 years a Zencart User

  6. #6

    Re: When Might SSL-Only Access Be Possible ???

    Originally posted by jman:
    > Curious though, why would using .htaccess to force an SSL redirect break the admin, but not the store?

    Probably because there's a subfolder involved and your rules aren't taking that into account.
    Regardless, using .htaccess to force SSL is a bad approach fraught with problems.