Switching to 100% SSL (https) - Thoughts?

[Feznizzle]

Hi,

I'm about to encrypt *all* traffic on my site. I'm a tad worried, any suggestions to help this transition go smoothly would be appreciated!

To switch over, looks like all I have to do is update in each includes file:
BEFORE: define('HTTP_SERVER', 'http://www.YOUR_SHOP.com');
AFTER: define('HTTP_SERVER', 'https://www.YOUR_SHOP.com');

Something that worries me is the possibility of imbedded file references (to images, pdf's, etc) existing in places like Category or Product Description. Do I have to worry about that breaking things?

I could search the entire DB for any use of "http:www.YOUR_SHOP.com" and replace with nothing (making the ref URL relative). But is that necessary?

I dunno. What else should I watch out for?

Thanks!

EDIT: The site is a ZC154

[DrByte]

Yes you should do it.

Yes you might have some assets where you mistakenly specified a non-https way to access them, in which case you'll need to fix each one manually ... by either making them https specifically (after testing that that works), or by making them relative to your site root .... or even better, by making them protocol-agnostic by using // instead of http:// or https:// .

You can test "most" pages by going to the page in your browser, then manually change the URL to https and press Enter. Then see if the padlock disappears ... if it does then you've got insecure assets on that page, and you can View Source for that page in your browser to find the offending items ... (actually, using the browser's "console" in developer tools mode is faster because it usually lists which ones it can't load, as console errors).

[mc12345678]

The other thing not referenced is that it is suggested to do as above but with ENABLE_SSL as false.

[picandnix]

The other thing not referenced is that it is suggested to do as above but with ENABLE_SSL as false.

Could you please elaborate on the theory behind this please? Not debating or questioning the suggestion just wanted to understand why for my own education

[DrByte]

The other thing not referenced is that it is suggested to do as above but with ENABLE_SSL as false.

Could you please elaborate on the theory behind this please? Not debating or questioning the suggestion just wanted to understand why for my own education

He's referring to something I've posted elsewhere about this matter. The ENABLE_SSL switch causes session-regeneration, which assigns new zenids when going between HTTP_SERVER and HTTPS_SERVER URLs. But since you're making both the same, you can turn off the extra load caused by ENABLE_SSL and also bypass the needless setting of new cookies. One less point of failure, and less overhead, making the site faster.

[Feznizzle]

Ok, I'll switch ENABLE_SSL to false.

Out of curiosity, what happens to legacy links? They'll just automagically redirect, correct?