  1. #1
    Join Date
    Jan 2008
    Posts
    155
    Plugin Contributions
    0

    Default securing admin login

    I've been using zen-cart for quite a while. Firefox pointed out that my admin login is not secure. I tried changing the admin config from define('ENABLE_SSL_ADMIN', 'false') to 'true'. I couldn't get access to my admin login screen if I did that.

    I realize this is something probably simple but as a 1 person operation most of the time, programming my website is a very small portion of my responsibilities. Thank you in advance for any help.

  2. #2
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,474
    Plugin Contributions
    88

    Default Re: securing admin login

    Assuming you've got an SSL certificate for your store, you'll simply update /YOUR_ADMIN/includes/configure.php to change your HTTP_SERVER definition from http://www.example.com to https://www.example.com.

  3. #3
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,136
    Plugin Contributions
    11

    Default Re: securing admin login

    Below are the recommended settings for the /YOURADMIN/includes/configure.php in version 1.5.4. Replace YOURADMIN with your admin folder name to find the file.

    Replace YOURSITE.COM with the proper URL for your website. It's also important when doing this change that you take into effect what your SSL certificate is set for - www or non-www. It can create problems if you enter www.yoursite.com when the SSL is for the non-www version. Some SSL certs cover both.

    Code:
    /**
     * WE RECOMMEND THAT YOU USE SSL PROTECTION FOR YOUR ENTIRE ADMIN:
     * To do that, make sure you use a "https:" URL for BOTH the HTTP_SERVER and HTTPS_SERVER entries:
     */
      // HTTP_SERVER uses https: here so the whole admin is served over SSL, as the comment above requires.
      define('HTTP_SERVER', 'https://YOURSITE.COM');
      define('HTTPS_SERVER', 'https://YOURSITE.COM');
      define('HTTP_CATALOG_SERVER', 'http://YOURSITE.COM');
      define('HTTPS_CATALOG_SERVER', 'https://YOURSITE.COM');

      // secure webserver for admin?  Valid choices are 'true' or 'false' (including quotes).
      define('ENABLE_SSL_ADMIN', 'true');

      // secure webserver for storefront?  Valid choices are 'true' or 'false' (including quotes).
      define('ENABLE_SSL_CATALOG', 'true');

  4. #4
    Join Date
    Jan 2008
    Posts
    155
    Plugin Contributions
    0

    Default Re: securing admin login

    I tried that, it didn't work. Should I still have a dist-configure file in both the admin/include/ folder and the include/ folder? My admin/include/configure file has this at the top, does it look right or is it not the right version:

    * @package Configuration Settings circa 1.5.1
    * @copyright Copyright 2003-2012 Zen Cart Development Team
    * @copyright Portions Copyright 2003 osCommerce
    * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
    * File Built by zc_install on 2013-01-22 01:35:18

    Thanks

  5. #5
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,684
    Plugin Contributions
    9

    Default Re: securing admin login

    uh... let's start at the basics.... do you have an SSL certificate installed for your site?

    perhaps you could provide the URL of your site (not the admin)...

    your comment:

    define('ENABLE_SSL_ADMIN', 'false') to 'true'. I couldn't get access to my admin login screen if I did that.

    suggests that there is a problem with your SSL certificate....

    best.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  6. #6
    Join Date
    Jan 2008
    Posts
    155
    Plugin Contributions
    0

    Default Re: securing admin login

    Yes, there is a SSL certificate installed on the website.

  7. #7
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,684
    Plugin Contributions
    9

    Default Re: securing admin login

    again, without a url to your website, it makes it hard to troubleshoot.

    if you have an SSL for the site, and changing the constant listed above causes problems, i have a feeling that you have a configuration issue. i could be wrong. but without a url to your site, very little to do except make guesses.

    best.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  8. #8
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Default Re: securing admin login

    Originally posted by pazdar:
    I tried that, it didn't work. Should I still have a dist-configure file in both the admin/include/ folder and the include/ folder? My admin/include/configure file has this at the top, does it look right or is it not the right version:

    * @package Configuration Settings circa 1.5.1
    * @copyright Copyright 2003-2012 Zen Cart Development Team
    * @copyright Portions Copyright 2003 osCommerce
    * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
    * File Built by zc_install on 2013-01-22 01:35:18

    Thanks

    Regarding this, the dist-configure.php files are "example" versions of what defined variables are expected and minor instruction related to format of the defined variable. The version information seen at the top is comment and does not directly relate to the operation nor the defined variables. It does indicate a little about the history of the site and the process of upgrade performed, but that information (header comment) specifically does not pertain to the issue observed.

    Don't know if you've PMed the information or not, but generally speaking, if your catalog side is functioning fine to support purchase and when using https:, but the admin side is not, carefully compare the values of HTTP_SERVER and HTTPS_SERVER (if present) in the includes/configure.php to the admin/includes/configure.php. If the catalog side (remember need to validate functionality) includes www. then so should the admin side. If it does not, then neither should the admin...
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  9. #9
    Join Date
    Jan 2008
    Posts
    155
    Plugin Contributions
    0

    Default Re: securing admin login

    Neither the admin login nor the final purchasing area are showing up as secured.

  10. #10
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Default Re: securing admin login

    Originally posted by pazdar:
    Neither the admin login nor the final purchasing area are showing up as secured.

    Are they showing up at all? Does the address change to https and content not get displayed? Is your certificate for www.whateveryoursiteiscalled.com when you have omitted the www. in your configure.php files?

    Please, to get more direct assistance in the forum, more direct information should be provided.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
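
The checks suggested in posts #3, #8 and #10 (an https: URL for the admin HTTP_SERVER, the same host in both configure.php files, and a host the certificate actually covers), written out as an added example that is not part of the original thread or Zen Cart's own code. The file contents and certificate names are constructed samples, and `parse_defines`, `cert_covers` and `audit` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# Matches simple define('NAME', 'value'); lines; commented-out lines are skipped.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""", re.M)

def parse_defines(php_text):
    return dict(DEFINE_RE.findall(php_text))

def cert_covers(host, cert_names):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n.lower() == host or (n.startswith("*.") and n[2:].lower() == parent)
               for n in cert_names)

def audit(catalog_php, admin_php, cert_names):
    """Return a list of findings for the storefront and admin configure.php texts."""
    cat, adm = parse_defines(catalog_php), parse_defines(admin_php)
    findings = []
    if adm.get("ENABLE_SSL_ADMIN") != "true":
        findings.append("admin: ENABLE_SSL_ADMIN is not 'true'")
    if urlsplit(adm.get("HTTP_SERVER", "")).scheme != "https":
        findings.append("admin: HTTP_SERVER is not an https: URL")
    hosts = {}
    for label, cfg in (("catalog", cat), ("admin", adm)):
        host = urlsplit(cfg.get("HTTPS_SERVER", "")).hostname
        hosts[label] = host
        if not host:
            findings.append(f"{label}: HTTPS_SERVER missing or malformed")
        elif not cert_covers(host, cert_names):
            findings.append(f"{label}: {host} not covered by certificate")
    if all(hosts.values()) and hosts["catalog"] != hosts["admin"]:
        findings.append(f"host mismatch: catalog {hosts['catalog']} vs admin {hosts['admin']}")
    return findings

# Constructed sample input: certificate issued for the www name only.
CATALOG = """define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://www.example.com');"""
ADMIN = """define('HTTP_SERVER', 'http://example.com');
define('HTTPS_SERVER', 'https://example.com');
define('ENABLE_SSL_ADMIN', 'true');
// define('ENABLE_SSL_ADMIN', 'false');"""
CERT_NAMES = ["www.example.com"]

if __name__ == "__main__":
    for finding in audit(CATALOG, ADMIN, CERT_NAMES):
        print(finding)
```

The certificate's names can be read from the browser's certificate viewer and passed in as `cert_names`.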
