0

I have been trying to force HTTPS on my osCommerce site and it works. But when it switched to HTTPS, the session breaks and login doesn't work at all.

.htaccess code for forcing HTTP

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Community
  • 1
  • 1
Biraj Pandey
  • 104
  • 5
  • 11
  • 1
    The session breaks because you loose cookies when switching from HTTP over to HTTPS. You need to pass the session ID elsewhere, e.g. by a query parameter. – hakre Jun 20 '11 at 00:51

4 Answers4

4

The way to force HTTPS on all your pages in an osCommerce site is to use what's already set up for you in the configuration instead of making .htaccess do the work.

Edit the includes/configure.php file and put the HTTPS version of your site in both of the following:

define('HTTP_SERVER', 'https://example.com'); 
define('HTTPS_SERVER', 'https://example.com');
random
  • 9,774
  • 10
  • 66
  • 83
1

In 

/includes/configure.php
modify the HTTP DOMAIN to have 
https://
That will make all sessions stay https only. Do the same in 
/admin/includes/configure.php
It builds upon the other answers for mod_rewrite which you should do.

I would also add the HTTP STRICT TRANSPORT SECURITY header and XSS protection, too.

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header unset X-Powered-By
Header unset Server
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
    Header unset X-XSS-Protection
</FilesMatch>
</ifModule>
Denver Prophit Jr.
  • 154
  • 2
  • 19
1

Are you definitely using Apache?

Try this instead in your .htaccess...

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
alex
  • 479,566
  • 201
  • 878
  • 984
  • yes i am using apache, and if i try typing the site url starting with https://.... then https seems working to, but when its foced using htaccess all seems working but when i try to login i get login errors but if i remove https forcing then login works fine again – Biraj Pandey Jun 20 '11 at 00:49
  • i get invalid login errors, ohhh yes i remembered that username and password those are submitted are also not retrieved by the system, they appeared empty when i tried to print them – Biraj Pandey Jun 20 '11 at 00:52
1

I'm not sure if this is directly related to your problem, but I would suggest to make sure that all the forms, links and Location headers aimed within your site point to URLs using an https prefix, if those are absolute.

The rewrite rules that turn HTTP requests into HTTPS are only really useful for securing the "entry point": the first page that the user visits. It doesn't prevent data to be sent in clear if that data is sent to a URL that uses http://. Indeed, these rewrite rules only come into action after the browser has made the request in clear first (so all headers, including login cookies, unless secure cookies, and all the POSTed data, for example, will have been sent in clear).

You may be interested in these related questions:

There's a chance that the sessions break because there's a seemingly invisible plain HTTP connection in the process, which may cause some session-related data not to be transmitted correctly. If you're using Firefox, it can be useful to turn on the security.warn_leaving_secure option (via about:config URL) to track this sort of problems.

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376