  1. #1
    How to redirect LOGIN.HTML to a secure connection?

    We are trying to be PCI compliant, and one of their sticking points is that the LOGIN SIDEBOX is being displayed over an insecure HTTP connection. We told them that it shouldn't matter......that even though the login form is DISPLAYED on an HTTP connection, the actual FORM ACTION is submitting to a secure HTTPS connection:

    https://www.domain.com/store/login.html?action=process

    However, they countered by saying that if you manually EDIT the secure login URL (by changing the HTTPS into HTTP), it will still load the login page. In other words, they're saying that this (http://www.domain.com/store/login.html?action=process) should redirect back to this (https://www.domain.com/store/login.html?action=process). Likewise this (http://www.domain.com/store/login.html) should redirect to this (https://www.domain.com/store/login.html).

    Any idea how to do that?

    I did have the following added to the root directory of my HTACCESS file but it's not doing anything:

    RewriteRule ^store\/login\.html$ "https\:\/\/www\.domain\.com\/store\/login\.html" [R=301,L]

    Even after adding that and restarting Apache, I can still manually go to http://www.domain.com/store/login.html (without the HTTPS redirect).

    Any ideas on what else I should be looking at?
    - Jeff

  2. #2

    There is no such address as login.html in stock Zen Cart; you must have a URL rewriter active which creates the pagenames with .html extensions (which are unnecessary, misleading and pointless). Try turning off the rewriting and see if you still have the issue.

  3. #3

    Yes, we do have a SEFU rewriter just to help with our page rankings. I fear that if I remove this, it would hurt our standings in the search engines.

    Do you happen to know if the HTACCESS file puts priority on the first rewrite statements and ignores the last ones? For example, the rewrite code basically says to change all pages to .html. AFTER that line, I have the code to rewrite the login.html to be redirected to the secure HTTPS address.

    Do you think if I put the login part FIRST in the HTACCESS code, that will work as opposed to being last in the file?

    (I understand that this isn't ZenCart making this not work......I am just hoping that someone can help possibly with a solution to making this work on my ZenCart site.)
    - Jeff
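
The rule ordering asked about above, as an added example that is not part of the original posts: a rule set for the root .htaccess that redirects the plain-HTTP login URL before any SEFU rules run. The hostname and path are the thread's placeholders; the position of the SEFU rules and TLS terminating on this Apache instance (no proxy or load balancer in front) are assumptions.

```apache
# Added example for the root-directory .htaccess (not the poster's or Zen Cart's own config).
RewriteEngine On

# 1) HTTPS redirect for the login page goes FIRST.
#    mod_rewrite evaluates rules top to bottom, and a SEFU rule that matches
#    and ends in [L] stops the pass, so a redirect placed after it is never reached.
#
#    The condition limits the redirect to plain-HTTP requests; without it the
#    rule would also fire on the HTTPS URL and loop.
#    Assumption: TLS terminates on this server, so %{HTTPS} reflects the client connection.
RewriteCond %{HTTPS} !=on

#    In a per-directory (.htaccess) context the pattern is matched against the
#    path relative to that directory, with no leading slash.
#    The substitution needs no backslash escaping, and because it carries no
#    query string of its own, ?action=process is passed through unchanged.
RewriteRule ^store/login\.html$ https://www.domain.com/store/login.html [R=301,L]

# 2) The existing SEFU rewriter rules (the ones that map pages to .html) follow here.

# Caveat: a redirect only protects the request that comes after it. Anything
# POSTed to the http:// URL has already been sent unencrypted by the time the
# 301 is returned, so the page that renders the login form should itself be
# served over HTTPS.
```

If directives in .htaccess appear to be ignored entirely, check that AllowOverride for the enclosing directory permits FileInfo, which mod_rewrite directives require.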

  4. #4

    It's a false positive.

    And it's really frustrating when their automated scanning robots are too stupid to understand that the form is still secure.

    Regardless of whether someone changes the URL in the address bar to http instead of https, the <form action="https://...."...> will STILL transmit all the submitted form data over encrypted SSL. It's just basic web operation.

    And NO actual customer is going to make any such change in their address bar during normal use. It's only scanning bots that would do that. So in real world experience it's even less serious than the already meaningless false-positive they're giving you.

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5

    Yeah, I have tried to explain that to them. I told them that even though the FORM is displayed on the HTTP site, the DATA is transmitted securely. I have been going back and forth with them on the issue. Right now, I am awaiting their response again to see if they can clarify it as a false positive, since I have previously been certified using this exact same code, and I've never been called out on it in the past.
    - Jeff

 

 
