  1. #31
    Join Date
    Jul 2012
    Posts
    14,474
    Plugin Contributions
    17

    Default Re: Switching to 100% SSL (https) - Thoughts?

    Quote Originally Posted by mesnitu View Post
    Thanks
    But why there are two define('HTTP_SERVER', 'https://el_site.net'); ( in the admin configure ) ?

    And also, to see if I'm understanding this right:

    define('ENABLE_SSL_CATALOG', 'true'); is used IF there's a mix of http / https, right ?

    In this case, as both define('HTTP_SERVER' / define('HTTPS_SERVER' are equal or https, it really doesn't matter if is set to true or false, or it does ?

    Sorry for the dumb questions, but I'm trying to understand.

    Thanks
    Not dumb questions.

    So first, there should really be only one *active* HTTP_SERVER define in the admin. Even if there is more than one, the first occurrence is the one that will be used. Once a "variable" is defined, it becomes a constant. Any additional occurrence of the define for that "variable" will be ignored though a notice is generated. (default ZC operation ignores these notices, but they are still created.)

    As to the ENABLE_SSL_CATALOG... you almost have the right concept. The "problem" is that when code has been written, it generally has been from the perspective that there will be a define for HTTP_CATALOG_SERVER that is expected to begin with http: and a define for HTTPS_CATALOG_SERVER that begins with https:. Then the thought also was that a page need only be presented as https: in certain conditions such as when personal or financial information was to be transferred.

    Thing is that other "services" have since decided that all pages should be provided via https: regardless of the content.

    Well, because software was built with the before mentioned "logic", the *only* time that https: was to be encountered was when ENABLE_SSL_CATALOG was set to true and that if it were not set to true, then "obviously" the site did not support https: and therefore there may be an action or response to indicate that the site did not support https:... from a logic perspective, it seemed sound. But... it did not account for the possibility that HTTP_CATALOG_SERVER could be set to https: as well and therefore https: was supported at all times and not just when ENABLE_CATALOG_SSL was set to true.

    So... really the issue is that downstream in other code, the attempt to ensure security of the information is/was too stringent and would prevent operations that would "appear" to be acceptable, but were determined to be "unsafe" because the safety inspection was limited in scope.

    So, there are a few options depending on what you are willing to deal/work with...

    You could continue to operate as suggested in the FAQ about how to enable SSL or you can go against the grain, identify code that is overly restrictive and offer up solutions that recognize the condition set of all https with the applicable ENABLE_SSL or ENABLE_CATALOG_SSL setting set as false. In older ZC versions it was identified that some of the payment modules built into ZC did not fully recognize the setting to false and both defines set to https: (more of an issue on the catalog side, though one of the payment methods does/did disable itself if the store was determined to not "properly" support https:).

    That help make some sense of things?
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
    Upgraded to Zen Cart V1.5.3 from V1.5.1 from V1.5.0 from V1.3.9h

  2. #32
    Join Date
    Jul 2012
    Posts
    14,474
    Plugin Contributions
    17

    Default Re: Switching to 100% SSL (https) - Thoughts?

    Quote Originally Posted by lat9 View Post
    There shouldn't be two definitions ... I was just feeding back the format that you had.

    For a store/admin that is SSL-all-the-time, the top of your /admin/configure.php should look similar to:

    Code:
    /**
     * Enter the domain for your Admin URL. If you have SSL, enter the correct https address in the HTTP_SERVER setting, instead of just an http address.
     */
    define('HTTP_SERVER', 'https://www.example.com');
    /**
     * Note about HTTPS_SERVER:
     * There is no longer an HTTPS_SERVER setting for the Admin. Instead, put your SSL URL in the HTTP_SERVER setting above.
     */
    
    /**
     * Note about DIR_WS_ADMIN
     * The DIR_WS_ADMIN value is now auto-detected.
     * In the rare case where it cannot be detected properly, you can add your own DIR_WS_ADMIN definition below.
     */
    
    /**
     * Enter the domain for your storefront URL.
     * Enter a separate SSL URL in HTTPS_CATALOG_SERVER if your store supports SSL.
     */
    define('HTTP_CATALOG_SERVER', 'https://www.example.com');
    define('HTTPS_CATALOG_SERVER', 'https://www.example.com');
    
    /**
     * Do you use SSL for your customers login/checkout on the storefront? If so, enter 'true'. Else 'false'.
     */
    define('ENABLE_SSL_CATALOG', 'true');
    Remember to note that the above admin/includes/configure.php file is related to ZC 1.5.5. A ZC 1.5.4 (version considered applicable to this thread) store's admin/includes/configure.php file would have additional information contained in it.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
    Upgraded to Zen Cart V1.5.3 from V1.5.1 from V1.5.0 from V1.3.9h

  3. #33
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    9,060
    Plugin Contributions
    72

    Default Re: Switching to 100% SSL (https) - Thoughts?

    Quote Originally Posted by mc12345678 View Post
    Remember to note that the above admin/includes/configure.php file is related to ZC 1.5.5. A ZC 1.5.4 (version considered applicable to this thread) store's admin/includes/configure.php file would have additional information contained in it.
    Since @mesnitu's post (which I was answering) indicated a ZC 1.5.5+ version ...

  4. #34
    Join Date
    May 2009
    Posts
    1,071
    Plugin Contributions
    2

    Default Re: Switching to 100% SSL (https) - Thoughts?

    It seems the more I read the more I get confused!

    So I have my site set all to https, and zen cart is in subdirectory (/shop), I tested it both with direct address typing, and getting to it by link on the root, I don't get any error, save that referenced about content like images (going to fix that).

    What concerns me, as I haven't done a thorough test is the references to sessions, and cookies and configure settings in posts #2, #3, and #5.

    So here I am posting my settings, if you please correct it as it should be, and any other suggestion you may think would be good.
    Thank you.

    includes/configure.php

    PHP Code:
    define('HTTP_SERVER', 'http://www.example.com');
    define('HTTPS_SERVER', 'https://www.example.com');

    define('ENABLE_SSL', 'true');
    admin/includes/configure.php

    PHP Code:
    define('HTTP_CATALOG_SERVER', 'http://www.example.com');
    define('HTTPS_CATALOG_SERVER', 'https://www.example.com');

    define('ENABLE_SSL_CATALOG', 'true');
    I have htaccess redirect set from non www to www, and of course the https as this

    Code:
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]
    
    RewriteCond %{HTTP_HOST} ^example.com [NC]
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]

  5. #35
    Join Date
    Jul 2012
    Posts
    14,474
    Plugin Contributions
    17

    Default Re: Switching to 100% SSL (https) - Thoughts?

    Quote Originally Posted by keneso View Post
    It seems the more I read the more I get confused!

    So I have my site set all to https, and zen cart is in subdirectory (/shop), I tested it both with direct address typing, and getting to it by link on the root, I don't get any error, save that referenced about content like images (going to fix that).

    What concerns me, as I haven't done a thorough test is the references to sessions, and cookies and configure settings in posts #2, #3, and #5.

    So here I am posting my settings, if you please correct it as it should be, and any other suggestion you may think would be good.
    Thank you.

    includes/configure.php

    PHP Code:
    define('HTTP_SERVER', 'http://www.example.com');
    define('HTTPS_SERVER', 'https://www.example.com');

    define('ENABLE_SSL', 'true');
    admin/includes/configure.php

    PHP Code:
    define('HTTP_CATALOG_SERVER', 'http://www.example.com');
    define('HTTPS_CATALOG_SERVER', 'https://www.example.com');

    define('ENABLE_SSL_CATALOG', 'true');
    I have htaccess redirect set from non www to www, and of course the https as this

    Code:
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]
    
    RewriteCond %{HTTP_HOST} ^example.com [NC]
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]
    Think big picture.

    Every time someone accesses your site, the .htaccess file, which is loaded before any other "content", will say: you better be on https: or else I am telling you to be there. So, traffic is sent to https:. Then they get content from your site... The content says, oh if you want to login then please continue on to this https: webpage. If however you want to look at this product, please try to access this server using http:. They click that link, it attempts to access via http:, but comes across that "pesky" htaccess file again which says, you better be on https: and they again get redirected to https: to look at this product. The product page again has a combination of http: and https: because of the settings within ZC and this process continues on and on.

    SO... If you are going to use **ALL** https by way of your htaccess... Then you should have ZC use **ALL** https by adjusting the following in red:

    includes/configure.php
    Code:
    define('HTTP_SERVER', 'https://www.example.com');
    define('HTTPS_SERVER', 'https://www.example.com');
    
    define('ENABLE_SSL', 'true');
    admin/includes/configure.php

    Code:
    define('HTTP_CATALOG_SERVER', 'https://www.example.com');
    define('HTTPS_CATALOG_SERVER', 'https://www.example.com');
    
    define('ENABLE_SSL_CATALOG', 'true');
    Making the changes above to the Zen Cart files is in line with the direction provided in the FAQ to establish SSL in particular if you are going to operate the entire site using https:...

    As to posts 3 and 5, post 3 was made based on some earlier guidance that is further described in post 5. The impact is significantly smaller than the inability of a customer to use say your payment processor... Forcing the redirects that would occur as described above causes more trouble than what is described in posts 3 and 5.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
    Upgraded to Zen Cart V1.5.3 from V1.5.1 from V1.5.0 from V1.3.9h
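
Added example (not part of the thread, and not Zen Cart code): a small Python audit of a configure.php file for the two points made in posts #31 and #35, that the first define() of a name is the one in effect and that every *_SERVER value should be https when .htaccess forces https. The function names and the `canonical_host` parameter are this example's own; the sample inputs are constructed from the settings quoted above.

```python
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'value'); at the start of a line (single or double quotes).
# Assumption: no define() lines are hidden inside /* ... */ block comments.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""", re.M)

def parse_defines(php_source):
    """Return {name: value}; as in PHP, the first define() of a name wins."""
    values = {}
    for _, name, _, value in DEFINE_RE.findall(php_source):
        values.setdefault(name, value)  # later duplicates are ignored
    return values

def audit_all_https(php_source, canonical_host):
    """List findings for a store whose .htaccess sends every request to https."""
    findings = []
    for name, value in parse_defines(php_source).items():
        if not name.endswith("_SERVER"):
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            findings.append(f"{name}: {value} is not https, so links built "
                            "from it are bounced by the 301 redirect")
        if url.hostname != canonical_host:
            findings.append(f"{name}: host {url.hostname} differs from "
                            f"{canonical_host}")
    return findings

# Constructed sample: the storefront settings from post #34 plus a duplicate define.
SAMPLE_CATALOG = """
define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://www.example.com');
define('HTTP_SERVER', 'https://www.example.com'); // ignored: already defined
define('ENABLE_SSL', 'true');
"""
# Constructed sample: the corrected settings from post #35.
SAMPLE_FIXED = """
define('HTTP_SERVER', 'https://www.example.com');
define('HTTPS_SERVER', 'https://www.example.com');
define('ENABLE_SSL', 'true');
"""

if __name__ == "__main__":
    for finding in audit_all_https(SAMPLE_CATALOG, "www.example.com"):
        print(finding)
```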

  6. #36
    Join Date
    May 2009
    Posts
    1,071
    Plugin Contributions
    2

    Default Re: Switching to 100% SSL (https) - Thoughts?

    Thank you.
    I now have a clearer picture.

    I had thought of the correction you made, but it would have been more of a guess than actually seeing the picture, and the true/false doubt was making it even blurrier. ;)

  7. #37
    Join Date
    Aug 2014
    Location
    Lisbon
    Posts
    606
    Plugin Contributions
    0

    Default Re: Switching to 100% SSL (https) - Thoughts?

    Thanks!
    “Though the problems of the world are increasingly complex, the solutions remain embarrassingly simple.” ― Bill Mollison

  8. #38
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    7,275
    Plugin Contributions
    8

    Default Re: Switching to 100% SSL (https) - Thoughts?

    I feel we need an addition to this thread. With the move by browsers to insist on full-site secure SSL (https:), the information provided in Post 35 is true, but more action needs to follow the move to full site https.

    Most SSL certificates are issued either for www. or non-www. The majority today are issued without the www as it's just getting to be an identifier that is generally assumed.

    In some cases, an SSL for one method will show insecure when accessing with the other method. i.e., if the SSL is for https://www.yoursite.com, accessing https://yoursite.com may have the browser declare that the site is not secure simply because the www was not included. The same is true if your SSL is for https://yoursite.com. Accessing https://www.yoursite.com can cause the browser to declare the site insecure.

    So.... Make sure your URL declaration in the configure.php files (www or non-www) matches the SSL.

    Then, there's another step that needs to be accomplished. If yoursite.com can be accessed with both the www and non-www prefix, search engines will lower your rank due to duplicate information. If the site can be accessed either way, you have a 100% duplication of your work. You'll need to set up some form of redirect to make sure all your traffic goes to the URL that matches your SSL. Since we'd want this to always go to the URL with protocol that matches the SSL, we would need to use a permanent redirect. It is known as a 301 redirect. It can be accomplished in several ways:
    1. The quickest method is probably to use an .htaccess generator to do the job for you. This would be placed in the root of your store. If one already exists (often there to define PHP version), you'll need to merge the two.
    2. If you have cpanel, it generally includes a redirect option under Domains. You may even have access to mod_rewrite in your cpanel (not generally there).
    3. If you have plesk, you can do domain specific redirects under the domain specific "Apache and nginx Settings."
    4. If all the above is a little scary, you can request your host do this for you using mod_rewrite.


    The final action we need to take with this new trend is to make sure that the links on our pages do not point to http:// versus https://. If you use http://, some browsers will once again declare your site insecure as you are trying to access an insecure URL from a secure site. They'll notify you of "mixed content."

    The quickest way to work around this is to never use the protocol in the link. It's called a "protocol-less link". Instead of https:// or http://, just use //your_site.com.

    NOTE: It's perfectly safe to use //the_new_site.com rather than //www.the_new_site.com. The // will cause the browser to use the correct protocol at the new site. And, as to the non-use of www, if they don't have a 301 on the new site, it will go through without the www. If the new site is set to only use www, their 301 will redirect your non-www link to their www site. It's an automatic way of doing links on your site and never getting dinged.

    To review:
    1. Make the changes suggested in this thread to BOTH configure.php files while taking the time to match the www status of your SSL.
    2. Make sure your site can only be accessed by https:// and the www/non-www status of your SSL by .HTACCESS, cpanel/plesk redirect, or ask your host to use mod_rewrite.
    3. Check the links on your site to get rid of all http://
    Did you read the posting tips?!?
    Responsive Color Changes for 155-156c demo here.
    Zen Cart PCI Compatible Hosting
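
Added example (not part of the thread): a Python scan of one HTML page for the leftover http:// URLs that step 3 of the review asks you to remove. It separates resources the page itself loads, which browsers report as mixed content, from plain `<a href>` links, and accepts https://, protocol-less (//host/path) and relative URLs. The class and function names are this example's own, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs whose URL the browser fetches or submits from the page.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("source", "src"), ("link", "href"), ("form", "action")}

class InsecureUrlFinder(HTMLParser):
    """Collect http:// URLs found in a page that is served over https."""

    def __init__(self):
        super().__init__()
        self.mixed_content = []   # fetched by the page: browsers warn or block
        self.insecure_links = []  # <a href>: clicking leaves https

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        for attr, value in attrs.items():
            if not value or urlsplit(value.strip()).scheme != "http":
                continue  # https://, //host/path and relative URLs pass
            if tag == "link" and not rel & {"stylesheet", "icon"}:
                continue  # e.g. rel="canonical" is not fetched
            if (tag, attr) in SUBRESOURCE_ATTRS:
                self.mixed_content.append((tag, value))
            elif (tag, attr) == ("a", "href"):
                self.insecure_links.append(value)

def scan(html):
    """Return (mixed_content, insecure_links) for one HTML document."""
    finder = InsecureUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.mixed_content, finder.insecure_links

# Constructed sample page; host and paths are placeholders.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/shop/">
<img src="//www.example.com/images/logo.png">
<img src="http://www.example.com/images/banner.jpg" />
<a href="http://www.example.com/shop/index.php?main_page=product_info">Product</a>
<a href="/shop/index.php?main_page=login">Login</a>
"""

if __name__ == "__main__":
    mixed, links = scan(SAMPLE_PAGE)
    print("mixed content:", mixed)
    print("http links:", links)
```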

 

 