We're off topic here, but I did want to mention that a DV cert no longer requires the dedicated IP, as cPanel can properly separate domains from only one IP.
Let's get back to the topic.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
So, I didn't get a response to the question asked in the first paragraph, but I have just considered this as a possibility, if this path is considered desirable.
At a point after the sessions have been loaded and perhaps after $request_type has been set, you set a session variable to indicate what type of URL was used to access the site. If it were https, then one value, if http another, but in either case the session value is set.
Then, at least when using ZC 1.5.5, there is now a notifier that allows you to pick up on link generation requests, though you would want to also ensure appropriate sequencing with any other plugin that attempts to use that notifier, because you want the value to be set as desired before that other observer grabs hold of the data ($connection). The notifier to which I refer is found in includes/functions/html_output.php in the zen_href_link function.
In the new observer, if the session is set to https, then make the $connection variable = 'SSL' regardless of the original/previous request; if not set to https, then leave it alone and use whatever value to which $connection is set (don't modify the value of $connection).
I think that would accomplish the requested task, assuming it is still considered desirable...
I still have a prepared answer to a question I was asked earlier, but not sure if on topic for that one. :)
It may even be desirable to put the session setting value inside of the sessions code such that a visitor sees the session value, but a bot does not... Haven't thought that far through it yet. Awaiting "input". :)
Last edited by mc12345678; 27 Jan 2017 at 09:54 PM.
ZC Installation/Maintenance Support <- Site
Contribution for contributions welcome...
My install: was Vanilla 1.3.9h, now 1.5.5b, Apache 2.4, PHP 7.0.6, MySQL 5.5.8 64b, Windows 7 64b, 8GB RAM, i3 3.3gHz
Modules: [Payment=Paypal] [Shipping=Canada Post 1.5.3 merged] [nonCAPTCHA]
Okay, but what is your consideration if a site visitor enters the site with http:, but at some point is redirected to https:, like say they go to send the site owner a message using contact_us? When they then continue on their merry way, which if looking at product on the site would be via http:, should they be "allowed" to return to http:, or are you thinking that now that they have stepped "up" they can never step back "down"? (please BTW, that is a metaphorical up/down comparison; I am not saying as a comparison, but more like a logical on/off).
Per your design request and the discussion I provide above, no, they would not go on/continue on using SSL, because the design proposed met the request: want all pages to be SSL if user entered SSL related webpage to access the site. Therefore, if they accessed the site using http:, then the proposed solution would enable https: when it was expected to be used, but would return to http: when not so expected (i.e. product information pages, shopping cart, etc.). If they initially entered an https: URI, all pages onsite would be presented https: until they either logged out or their session expired (left the site for a long time).
To then continue on using SSL for each and every properly coded uri after visiting any page while SSL has been requested is a different solution.
Good thing I didn't go trying to write code today based on your design request, because I would be back modifying things again or just letting someone else "correct" the situation.
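Added example (not part of any post in this thread and not Zen Cart code): a self-contained PHP model of the two link policies discussed above, the "HTTPS entry stays HTTPS" design and the "never step back down" alternative, run over a constructed click path. The function names and the session keys `entry_scheme` and `seen_https` are hypothetical; only the 'SSL'/'NONSSL' values mirror Zen Cart's $request_type and $connection.

```php
<?php
// Added illustration, not Zen Cart code. Function names and the session keys
// 'entry_scheme' and 'seen_https' are hypothetical.

// Record, once per session, the scheme of the first request. $requestType
// mirrors Zen Cart's $request_type ('SSL' or 'NONSSL').
function record_request(array &$session, string $requestType)
{
    if (!isset($session['entry_scheme'])) {
        $session['entry_scheme'] = ($requestType === 'SSL') ? 'https' : 'http';
    }
    if ($requestType === 'SSL') {
        $session['seen_https'] = true;   // only read by the step-up variant
    }
}

// Design from the thread: an HTTPS entry forces every link to SSL; otherwise
// the caller's $connection is left untouched.
function entry_sticky(array $session, string $connection): string
{
    $entry = $session['entry_scheme'] ?? 'http';
    return ($entry === 'https') ? 'SSL' : $connection;
}

// The "different solution": once any HTTPS page was served, never step down.
function step_up(array $session, string $connection): string
{
    return !empty($session['seen_https']) ? 'SSL' : $connection;
}

// Follow a click path; each generated link decides the next request's scheme.
function walk(string $entry, array $clicks, string $policy): array
{
    $session = [];
    $requestType = $entry;               // scheme of the landing request
    $trace = [];
    foreach ($clicks as list($page, $default)) {
        record_request($session, $requestType);
        $requestType = $policy($session, $default);
        $trace[] = "$page=$requestType";
    }
    return $trace;
}

// Constructed clicks after landing: product page, contact form (SSL), product page.
$clicks = [['product_info', 'NONSSL'], ['contact_us', 'SSL'], ['product_info', 'NONSSL']];
foreach ([['NONSSL', 'entry_sticky'], ['NONSSL', 'step_up'], ['SSL', 'entry_sticky']] as list($entry, $policy)) {
    echo "$entry entry, $policy: ", implode(' ', walk($entry, $clicks, $policy)), "\n";
}
```

With an http entry, `entry_sticky` returns the last product link to NONSSL after contact_us, while `step_up` keeps it on SSL; with an https entry, every link is SSL.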
In this regard I see no benefit to you serving your site as http at all. If your goal is to have people purchase things, then since it only takes a few clicks before they need to use https for login or checkout, you may as well just use https for everything.
Setup for that is simple:
Change this:
define('HTTP_SERVER', 'http://www.vintageelectronics.ca');
To this:
define('HTTP_SERVER', 'https://www.vintageelectronics.ca');
I am lost in your academic debate and do not have time and resources to read even 10% of what is posted, but I know for certain from my customers' feedback that if they entered my site via https, they expect 100% of their interaction with the site to be SSL encrypted. I understand where they are coming from and have zero problem with their wishes.
If some however want to use http, they should be allowed to do so.
I redirect all to https and see no problem with it.