Forums / Basic Configuration / When Might SSL-Only Access Be Possible ???

When Might SSL-Only Access Be Possible ???

Locked
Results 1 to 6 of 6
This thread is locked. New replies are disabled.
18 Jul 2011, 12:07
#1
jman avatar

jman

New Zenner

Join Date:
Dec 2004
Posts:
24
Plugin Contributions:
0

When Might SSL-Only Access Be Possible ???

Am on 1.3.9.h

Hi, I know this has to have been addressed but searching within the forum for "SSL" keeps showing zero entries. Did find one google entry but the answer was ... less than satisfactory. Basically "Doctor it hurts when I do this." "So, don't do that."

SSL is really messed up. If I run a completely SSL site, nothing can be updated in the admin, as some data wants to be transmitted insecurely and this prevents the update from occurring.

Even setting HTTP_SERVER in both configure's to https and setting ENABLE_SSL to true doesn't work. It still goes to http: as default.

And don't try to use any .htaccess code to force SSL, that's when the cart breaks on updating anything in the admin. Though miraculously the store itself seems to function OK.

This is cross-browser.

Any idea how to get a true SSL site to work in the admin? I do NOT want to see http: in the address bar at all. It must be possible as the main store works fine, even when using .htaccess to force SSL for the entire browsing session.

It appears to be using both SSL & non-ssl at the same time, and since I only want SSL the non-secure part is bombing out the whole thing.

Been a while since I've hacked into the core code ... if anyone has an idea where to look I'd be glad to take a gander at it.

Thanks!
18 Jul 2011, 12:32
#2
drbyte avatar

drbyte

Sensei

Join Date:
Jan 2004
Posts:
63,506
Plugin Contributions:
173

Re: When Might SSL-Only Access Be Possible ???

jman:

Even setting HTTP_SERVER in both configure's to https and setting ENABLE_SSL to true doesn't work. It still goes to http: as default.

That doesn't make any sense. I use an https address in my admin HTTP_SERVER settings all the time, on multiple sites.

Unless maybe you've got addons or custom code that has hard-coded http URLs into your custom pages somehow, then there's no reason to expect what you're describing.

If you give Zen Cart only an https address in the HTTP_SERVER setting, then it will ONLY operate in https ... because it knows nothing different.

Maybe you've got some weird redirections happening due to .htaccess which are overriding the very simple URL generation that Zen Cart does.
Or addons which break normal functionality.
18 Jul 2011, 12:34
#3
rodg avatar

rodg

Deceased

Join Date:
Jan 2007
Posts:
6,263
Plugin Contributions:
3

Re: When Might SSL-Only Access Be Possible ???

jman:


Any idea how to get a true SSL site to work in the admin?

https://www.zen-cart.com/tutorials/index.php?article=14

jman:


I do NOT want to see http: in the address bar at all.


Enabling SSL for the entire site is not a good idea.

jman:


It must be possible as the main store works fine, even when using .htaccess to force SSL for the entire browsing session.


Err, you probably shouldn't be doing this, it is sure to cause conflicts with the existing zen code.

jman:


Been a while since I've hacked into the core code ... if anyone has an idea where to look I'd be glad to take a gander at it.


As with the .htaccess manipulation, you really shouldn't need to do this. Zencart is quite capable of correctly supporting SSL 'out of the box'. It just needs correct configuration.

Also, as well as searching the forums for answers, you (and many others) really should check out the FAQ's and Tutorials, because more often than not they will answer any questions you have.

It took all of 5 seconds to find the link I just gave.

Cheers
Rod
18 Jul 2011, 15:27
#4
jman avatar

jman

New Zenner

Join Date:
Dec 2004
Posts:
24
Plugin Contributions:
0

Re: When Might SSL-Only Access Be Possible ???

Thanks for the replies, and apologies for any confusion. I sit corrected. ;)

Looks like caching was killing me. Had updated http_server to https://my.store.com and at first it still gave me the non-ssl version. Having cleared the browser cache & restarting, it's now properly serving from https, and the admin update problem is gone.

Curious though, why would using .htaccess to force an SSL redirect break the admin, but not the store?

Take care!
18 Jul 2011, 16:33
#5
schoolboy avatar

schoolboy

Totally Zenned

Join Date:
Jun 2005
Posts:
10,324
Plugin Contributions:
0

Re: When Might SSL-Only Access Be Possible ???

The search Engines completely ignore a site that runs on full SSL. If you have any intentions of featuring on Google, Bing, Yahoo, Ask, AOL - even on SERP 1,000,000,000,000,000,000... then configure your site to invoke SSL the way it was designed to do.

Additionally, SSL will SLOW a site down quite a bit...
18 Jul 2011, 17:06
#6
drbyte avatar

drbyte

Sensei

Join Date:
Jan 2004
Posts:
63,506
Plugin Contributions:
173

Re: When Might SSL-Only Access Be Possible ???

jman:

Curious though, why would using .htaccess to force an SSL redirect break the admin, but not the store?

Probably because there's a subfolder involved and your rules aren't taking that into account.
Regardless, using .htaccess to force SSL is a bad approach fraught with problems.