I have been trying to force HTTPS on my osCommerce site and it works. But when it switched to HTTPS, the session breaks and login doesn’t work at all.
.htaccess code for forcing HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
4 Answers
Are you definitely using Apache?
Try this instead in your .htaccess
…I’m not sure if this is directly related to your problem, but I would suggest making sure that all the forms, links and Location headers aimed within your site point to URLs using an https prefix, if those are absolute.
The rewrite rules that turn HTTP requests into HTTPS are only really useful for securing the “entry point”: the first page that the user visits. They don’t prevent data from being sent in clear if that data is sent to a URL that uses http://. Indeed, these rewrite rules only come into action after the browser has made the request in clear first (so all headers, including login cookies unless they are secure cookies, and all the POSTed data, for example, will have been sent in clear).
You may be interested in these related questions:
There’s a chance that the sessions break because there’s a seemingly invisible plain HTTP connection in the process, which may cause some session-related data not to be transmitted correctly. If you’re using Firefox, it can be useful to turn on the security.warn_leaving_secure option (via the about:config URL) to track this sort of problem.
The way to force HTTPS on all your pages in an osCommerce site is to use what’s already set up for you in the configuration instead of making .htaccess do the work.
Edit the includes/configure.php file and put the HTTPS version of your site in both of the following:
In
modify the HTTP DOMAIN to have
That will make all sessions stay https only. Do the same in
This builds upon the other answers for mod_rewrite, which you should do.
I would also add the HTTP Strict-Transport-Security header and XSS protection.
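Added example, not part of any answer in this thread: a small Python audit of a captured HTTPS response that checks for the problems the second answer describes (forms, links, images and Location headers that point back into the site over plain http://, and session cookies set without the Secure flag, which a browser would send in clear on the first request before the rewrite rule redirects) and for the Strict-Transport-Security header the last answer recommends. The response bodies, the host name shop.example.com and the cookie names are constructed for illustration; nothing here is osCommerce’s own code.

```python
"""Audit a captured HTTPS response for plain-HTTP leaks (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "shop.example.com"  # assumed host name for the example

# Constructed sample: an HTTPS page whose login form and logo still use http://
SAMPLE_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: osCsid=0123456789abcdef; path=/; HttpOnly\r\n"
    b"Set-Cookie: lang=en; path=/; Secure\r\n"
    b"\r\n"
    b"<html><body>\n"
    b'<form action="http://shop.example.com/login.php" method="post"></form>\n'
    b'<a href="https://shop.example.com/account.php">Account</a>\n'
    b'<a href="http://www.paypal.example/checkout">Pay</a>\n'
    b'<a href="/product_info.php?products_id=1">Product</a>\n'
    b'<img src="http://shop.example.com/images/logo.png">\n'
    b"</body></html>\n"
)

# Constructed sample: a redirect that drops the user back to plain HTTP
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://shop.example.com/login.php\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"\r\n"
)


class _RefCollector(HTMLParser):
    """Collect URLs from the attributes that make a browser fetch or submit."""
    ATTRS = {"a": "href", "form": "action", "img": "src",
             "script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        want = self.ATTRS.get(tag)
        for name, value in attrs:
            if want is not None and name == want and value:
                self.refs.append((tag, value))


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def _is_plain_http_on_site(url: str, site_host: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.hostname == site_host


def audit(raw: bytes, site_host: str):
    """Return a list of findings; an empty list means nothing was spotted."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "location" and _is_plain_http_on_site(value, site_host):
            findings.append(f"Location header sends the browser to plain HTTP: {value}")
        if name == "set-cookie":
            cookie, *attrs = value.split(";")
            if "secure" not in {a.strip().lower() for a in attrs}:
                # Without Secure the browser sends it on the clear-text request
                # that happens before the rewrite rule redirects to https.
                findings.append(f"cookie set without Secure flag: {cookie.strip()}")
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header")
    collector = _RefCollector()
    collector.feed(body)
    for tag, ref in collector.refs:
        if _is_plain_http_on_site(ref, site_host):
            findings.append(f"<{tag}> points to plain HTTP on this site: {ref}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PAGE, SAMPLE_REDIRECT):
        for finding in audit(sample, SITE_HOST):
            print("-", finding)
```

Links to other hosts (the PayPal one above) and relative URLs are deliberately ignored: the point is whether the site sends its own session back over http://, which is what breaks the login described in the question.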