Contact us with full site SSL does not redirect to https if http entered #1369
…ntered. Per https://www.zen-cart.com/content.php?56-how-do-i-enable-ssl-after-i-have-installed-zen-cart, if one is to set the entire site to https, then it is recommended that SSL_ENABLED be set to false, but if the uri entered begins with http, then the redirect to force the page to load via SSL is not activated and the customer could enter data to the webpage without using the SSL. Fixes zencart#1369
Just to point out what is perhaps obvious. The contact us page has been treated somewhat specially in that the includes/modules/pages/contact_us/header_php.php file actually has a redirect in it to provide a more strict application/presentation of the page being provided as https than other "similar" pages. I.e., the login page does not have a similar redirect in it, but does push the information securely regardless of the entry point to the page (url being entered as http or https). This particular commit does not (yet?) expand to that and other similar pages but addresses only the contact_us page because one might expect the same behavior whether ENABLE_SSL was true or if HTTP_SERVER included https and ENABLE_SSL was false.
In "How do I enable SSL after I have installed Zen Cart?" it is stated that if a store owner wishes to set their entire store to SSL that ENABLE_SSL should be set to false; however, in such a condition a customer could enter a non-https address to reach the contact_us page and it would be first "provided" as http. When ENABLE_SSL is set to true and such an address is entered, then the site redirects to https.
While this condition requires a user to make that entry, it would seem that the same treatment should be offered for the full site set as SSL as is performed for when SSL is enabled just for the necessary pages.
This type of topic has been discussed a few times as a "debate"; however, it was today that I realized this issue existed. Most recently discussed is: https://www.zen-cart.com/showthread.php?221740-How-can-I-change-all-links-in-the-store-to-be-https-if-the-site-accessed-via-https
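The two configurations described in this issue, compared side by side in an added PHP example that is not part of the issue or of Zen Cart's own code. The function names and the `shop.example` values are hypothetical, and `ENABLE_SSL` is assumed to hold the string `'true'` or `'false'`.

```php
<?php
// Added illustration; function names are hypothetical, not Zen Cart's API.
// Config arrays are constructed samples mirroring the two setups in the issue.

/** Behaviour the issue reports: only ENABLE_SSL === 'true' triggers the redirect. */
function needs_redirect_before(array $cfg, bool $requestIsHttps): bool
{
    return $cfg['ENABLE_SSL'] === 'true' && !$requestIsHttps;
}

/** Behaviour the issue asks for: a store whose HTTP_SERVER is https redirects too. */
function needs_redirect_after(array $cfg, bool $requestIsHttps): bool
{
    $fullSiteSsl = stripos($cfg['HTTP_SERVER'], 'https://') === 0;
    return ($cfg['ENABLE_SSL'] === 'true' || $fullSiteSsl) && !$requestIsHttps;
}

/** Build the redirect target from configuration, never from the request's Host header. */
function https_target(array $cfg, string $pathAndQuery): string
{
    $base = $cfg['ENABLE_SSL'] === 'true' ? $cfg['HTTPS_SERVER'] : $cfg['HTTP_SERVER'];
    return rtrim($base, '/') . '/' . ltrim($pathAndQuery, '/');
}

$setups = [
    'SSL on selected pages' => [
        'ENABLE_SSL'   => 'true',
        'HTTP_SERVER'  => 'http://shop.example',
        'HTTPS_SERVER' => 'https://shop.example',
    ],
    'full-site SSL' => [
        'ENABLE_SSL'   => 'false',
        'HTTP_SERVER'  => 'https://shop.example',
        'HTTPS_SERVER' => 'https://shop.example',
    ],
];

// Simulate a visitor who typed the http:// address of the contact page.
foreach ($setups as $name => $cfg) {
    $before = needs_redirect_before($cfg, false) ? 'yes' : 'no';
    $after  = needs_redirect_after($cfg, false) ? 'yes' : 'no';
    printf("%-22s redirect before: %-3s after: %-3s -> %s\n",
        $name, $before, $after, https_target($cfg, '/index.php?main_page=contact_us'));
}
```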