  1. #1
    Join Date
    Mar 2007
    Location
    Pepperell, Massachusetts
    Posts
    232
    Plugin Contributions
    1

    Secure Admin, how much should I see secure?

    I'm using a shared hosting environment (hspcomplete/plex) but luckily it does not require that I use the httpsdocs directory, everything is just in the httpdocs tree.

    I've turned on secure checkout without a problem. I had to conditionalize my analytics inclusion, but no biggy. Works perfectly.

    I recently turned on secure admin. This appears to support logging in to https://.../admin/, and the admin home is shown as https:// secure, but none of the menus, commands, or links are secure.

    Is this the expected behavior? Having secure admin login and home page is pretty good, just wondering if I'm missing anything or not.

    Thanks,
    Dan

  2. #2
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Re: Secure Admin, how much should I see secure?

    Only the login is secure in admin at this time.
    Zen cart PCI compliant Hosting

  3. #3
    Join Date
    Mar 2007
    Location
    Pepperell, Massachusetts
    Posts
    232
    Plugin Contributions
    1

    Re: Secure Admin, how much should I see secure?

    However, if you go to the plain http:// admin location you can still log in. It doesn't check if secure admin is set and restrict to only secure.

    Is there a convenient place I can add a check for SSL to reject non-secure logins?

  4. #4
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Re: Secure Admin, how much should I see secure?

    Quote Originally Posted by dhcernese View Post
    However, if you go to the plain http:// admin location you can still log in. It doesn't check if secure admin is set and restrict to only secure.
    Then you must have something configured incorrectly.
    What are the contents of your admin configure.php file without the password?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date
    Mar 2007
    Location
    Pepperell, Massachusetts
    Posts
    232
    Plugin Contributions
    1

    Re: Secure Admin, how much should I see secure?

    define('HTTP_SERVER', 'http://www.sacredfiremagazine.com');
    define('HTTPS_SERVER', 'https://www.sacredfiremagazine.com');
    define('HTTP_CATALOG_SERVER', 'http://www.sacredfiremagazine.com');
    define('HTTPS_CATALOG_SERVER', 'https://www.sacredfiremagazine.com');

    // secure webserver for catalog module and/or admin areas?
    define('ENABLE_SSL_CATALOG', 'false');
    define('ENABLE_SSL_ADMIN', 'true');

    // NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!

    // * DIR_WS_* = Webserver directories (virtual/URL)
    // these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
    define('DIR_WS_ADMIN', '/shop/admin/');
    define('DIR_WS_CATALOG', '/shop/');
    define('DIR_WS_HTTPS_ADMIN', '/shop/admin/');
    define('DIR_WS_HTTPS_CATALOG', '/shop/');

    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_CATALOG_IMAGES', HTTP_CATALOG_SERVER . DIR_WS_CATALOG . 'images/');
    define('DIR_WS_CATALOG_TEMPLATE', HTTP_CATALOG_SERVER . DIR_WS_CATALOG . 'includes/templates/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_CATALOG_LANGUAGES', HTTP_CATALOG_SERVER . DIR_WS_CATALOG . 'includes/languages/');

    // * DIR_FS_* = Filesystem directories (local/physical)
    //the following path is a COMPLETE path to your Zen Cart files. eg: /var/www/vhost/accountname/public_html/store/
    define('DIR_FS_ADMIN', 'C:\Inetpub\vhosts\sacredfiremagazine.com\httpdocs/shop/admin/');
    define('DIR_FS_CATALOG', 'C:\Inetpub\vhosts\sacredfiremagazine.com\httpdocs/shop/');

    define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
    define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
    define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
    define('DIR_FS_CATALOG_TEMPLATES', DIR_FS_CATALOG . 'includes/templates/');
    define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
    define('DIR_FS_EMAIL_TEMPLATES', DIR_FS_CATALOG . 'email/');
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

    // define our database connection
    define('DB_TYPE', 'mysql');
    define('DB_PREFIX', '');
    define('DB_SERVER', '127.0.0.1'); // eg, localhost - should not be empty
    define('DB_SERVER_USERNAME', 'xxx');
    define('DB_SERVER_PASSWORD', 'xxx');
    define('DB_DATABASE', 'xxx');
    define('USE_PCONNECT', 'false'); // use persistent connections?
    define('STORE_SESSIONS', 'db'); // leave empty '' for default handler or set to 'db' or optionally 'mysql' in some cases

    // The next 2 "defines" are for SQL cache support.
    // For SQL_CACHE_METHOD, you can select from: none, database, or file
    // If you choose "file", then you need to set the DIR_FS_SQL_CACHE to a directory where your apache
    // or webserver user has write privileges (chmod 666 or 777). We recommend using the "cache" folder inside the Zen Cart folder
    // ie: /path/to/your/webspace/public_html/zen/cache -- leave no trailing slash
    define('SQL_CACHE_METHOD', 'none');
    define('DIR_FS_SQL_CACHE', 'C:\Inetpub\vhosts\sacredfiremagazine.com\httpdocs/shop/cache');

  6. #6
    Join Date
    Mar 2007
    Location
    Pepperell, Massachusetts
    Posts
    232
    Plugin Contributions
    1

    Re: Secure Admin, how much should I see secure?

    Quote Originally Posted by dhcernese View Post
    However, if you go to the plain http:// admin location you can still log in. It doesn't check if secure admin is set and restrict to only secure.
    To clarify, if I direct the browser to http://www.sacredfiremagazine.com/shop/admin/login.php
    then I get an insecure login screen which, after entering the password and clicking, redirects to the secure screen. The initial entry is insecure, right? Or does the redirect to https://... happen on my client end before sending the admin password?

  7. #7
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Re: Secure Admin, how much should I see secure?

    While the page itself may appear unsecured, the data is submitted to a secure URL, so the information is protected before submission.

    If you are concerned, then don't use the login.php as your entry point. Use index.php. If you're not logged in, you'll be redirected to the login page using a secure URL automatically.
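    The check asked for in post #3 (reject non-secure admin logins when secure admin is on), as an added example; this is not Zen Cart's own code and not something DrByte posted. It assumes the constants from the configure.php above (ENABLE_SSL_ADMIN, HTTPS_SERVER, DIR_WS_HTTPS_ADMIN) are already defined, and that the snippet is included near the top of the admin entry scripts after configure.php loads; the function names, the $trustProxy flag and the placement are my assumptions, not part of the thread. Post #7 is right that the form posts its data to an HTTPS URL, so a password is not sent in the clear; what this adds is that the page carrying the form is also only ever served over HTTPS, and that any non-GET request arriving over plain HTTP is refused rather than silently redirected.

```php
<?php
// Added example, not Zen Cart's own code: refuse to serve admin pages over plain
// HTTP when ENABLE_SSL_ADMIN is 'true'. Include after configure.php has loaded.

// Fallback definitions so the snippet runs stand-alone; they mirror the values
// posted in this thread. In a real install configure.php already defines them.
if (!defined('ENABLE_SSL_ADMIN')) {
    define('ENABLE_SSL_ADMIN', 'true');
    define('HTTPS_SERVER', 'https://www.sacredfiremagazine.com');
    define('DIR_WS_HTTPS_ADMIN', '/shop/admin/');
}

/**
 * True when the current request arrived over TLS.
 * $_SERVER['HTTPS'] is set by PHP for a direct TLS connection (IIS uses 'on'/'off').
 * X-Forwarded-Proto is consulted only when $trustProxy is true, because any client
 * can send that header; trust it only when a known reverse proxy overwrites it.
 */
function admin_request_is_https(array $server, $trustProxy = false)
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * HTTPS URL for the current admin request, or null when no redirect is needed.
 * Only the script name under the admin directory and the query string are carried
 * over; the host always comes from HTTPS_SERVER, never from the request's Host header.
 */
function admin_https_redirect_target(array $server, $trustProxy = false)
{
    if (ENABLE_SSL_ADMIN !== 'true' || admin_request_is_https($server, $trustProxy)) {
        return null;
    }
    $script = isset($server['SCRIPT_NAME']) ? basename($server['SCRIPT_NAME']) : 'index.php';
    $query  = (isset($server['QUERY_STRING']) && $server['QUERY_STRING'] !== '')
        ? '?' . $server['QUERY_STRING']
        : '';
    return HTTPS_SERVER . DIR_WS_HTTPS_ADMIN . $script . $query;
}

/**
 * Enforcement point. A GET can be redirected to its HTTPS twin; a POST that
 * arrived over plain HTTP already carried its form fields unencrypted, so it is
 * rejected outright instead of being replayed to the secure URL.
 */
function admin_enforce_https(array $server, $trustProxy = false)
{
    $target = admin_https_redirect_target($server, $trustProxy);
    if ($target === null) {
        return;
    }
    $method = isset($server['REQUEST_METHOD']) ? strtoupper($server['REQUEST_METHOD']) : 'GET';
    if ($method !== 'GET') {
        header('HTTP/1.1 403 Forbidden');
        exit('Admin requests must use HTTPS.');
    }
    header('Location: ' . $target, true, 302);
    exit;
}

admin_enforce_https($_SERVER);
```

    With the thread's configure.php, a plain-HTTP GET of /shop/admin/login.php is answered with a 302 to https://www.sacredfiremagazine.com/shop/admin/login.php, and an HTTPS request passes through untouched. Leave $trustProxy at false unless a reverse proxy in front of the site is known to set X-Forwarded-Proto itself.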

  8. #8
    Join Date
    Mar 2007
    Location
    Pepperell, Massachusetts
    Posts
    232
    Plugin Contributions
    1

    Re: Secure Admin, how much should I see secure?

    Quote Originally Posted by DrByte View Post
    While the page itself may appear unsecured, the data is submitted to a secure URL, so the information is protected before submission.

    If you are concerned, then don't use the login.php as your entry point. Use index.php. If you're not logged in, you'll be redirected to the login page using a secure URL automatically.
    Thank you, I see that now.
