skip to Main Content

I have been trying to force HTTPS on my osCommerce site and it works. But when it switched to HTTPS, the session breaks and login doesn’t work at all.

.htaccess code for forcing HTTP

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]



  1. Are you definitely using Apache?

    Try this instead in your .htaccess

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    Login or Signup to reply.
  2. I’m not sure if this is directly related to your problem, but I would suggest to make sure that all the forms, links and Location headers aimed within your site point to URLs using an https prefix, if those are absolute.

    The rewrite rules that turn HTTP requests into HTTPS are only really useful for securing the “entry point”: the first page that the user visits. It doesn’t prevent data to be sent in clear if that data is sent to a URL that uses http://. Indeed, these rewrite rules only come into action after the browser has made the request in clear first (so all headers, including login cookies, unless secure cookies, and all the POSTed data, for example, will have been sent in clear).

    You may be interested in these related questions:

    There’s a chance that the sessions break because there’s a seemingly invisible plain HTTP connection in the process, which may cause some session-related data not to be transmitted correctly. If you’re using Firefox, it can be useful to turn on the security.warn_leaving_secure option (via about:config URL) to track this sort of problems.

    Login or Signup to reply.
  3. The way to force HTTPS on all your pages in an osCommerce site is to use what’s already set up for you in the configuration instead of making .htaccess do the work.

    Edit the includes/configure.php file and put the HTTPS version of your site in both of the following:

    define('HTTP_SERVER', ''); 
    define('HTTPS_SERVER', ''); 
    Login or Signup to reply.
  4. In


    modify the HTTP DOMAIN to have


    That will make all sessions stay https only. Do the same in


    It builds upon the other answers for mod_rewrite which you should do.

    I would also add the HTTP STRICT TRANSPORT SECURITY header and XSS protection, too.

    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header unset X-Powered-By
    Header unset Server
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    <FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
        Header unset X-XSS-Protection
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top