Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Contact us with full site SSL does not redirect to https if http entered #1369

Closed
mc12345678 opened this issue Jan 20, 2017 · 1 comment
Closed

Contact us with full site SSL does not redirect to https if http entered #1369

mc12345678 opened this issue Jan 20, 2017 · 1 comment

Comments

@mc12345678
Copy link
Contributor

In How do I enable SSL after I have installed Zen Cart? it is stated that if a store owner wishes to set their entire store to SSL that ENABLE_SSL should be set to false; however, in such a condition a customer could enter a non-https address to reach the contact_us page and it would be first "provided" as http. When ENABLE_SSL is set to true and such an address is entered, then the site redirects to https.

While this condition requires a user to make that entry, it would seem that the same treatment should be offered for the full site set as SSL as is performed for when SSL is enabled just for the necessary pages.

This type of topic has been discussed a few times as a "debate"; however, it was today that I realized this issue existed. Most recently discussed is: https://www.zen-cart.com/showthread.php?221740-How-can-I-change-all-links-in-the-store-to-be-https-if-the-site-accessed-via-https
mc12345678 added a commit to mc12345678/zc-v1-series that referenced this issue Jan 20, 2017
@mc12345678
Forces visitor to https if full site is setup for https and http is e…
36e6b22 
…ntered.

Per https://www.zen-cart.com/content.php?56-how-do-i-enable-ssl-after-i-have-installed-zen-cart,
if one is to set the entire site to https, then it is recommended that
SSL_ENABLED be set to false, but if the uri entered begins with http, then
the redirect to force the page to load via SSL is not activated and the
customer could enter enter data to the webpage without using the SSL.

Fixes zencart#1369
@mc12345678 mc12345678 mentioned this issue Jan 20, 2017
Merged
@mc12345678
Copy link
Contributor Author

Just to point out what is perhaps obvious. The contact us page has been treated somewhat specially in that the includes/modules/pages/contact_us/header_php.php file actually has a redirect in it to provide a more strict application/presentation of the page being provided as https than other "similar" pages. Ie. the login page does not have a similar redirect in it, but does pushes the information securely regardless of the entry point to the page (url being entered as http or https).

This particular commit does not (yet?) expand to that and other similar pages but addresses only the contact_us page because one might expect the same behavior whether ENABLE_SSL was true or if HTTP_SERVER included https and ENABLE_SSL was false.

mc12345678 added a commit to mc12345678/zc-v1-series that referenced this issue Jan 26, 2017
@mc12345678
Forces visitor to https if full site is setup for https and http is e…
60ac400 
…ntered.

Per https://www.zen-cart.com/content.php?56-how-do-i-enable-ssl-after-i-have-installed-zen-cart,
if one is to set the entire site to https, then it is recommended that
SSL_ENABLED be set to false, but if the uri entered begins with http, then
the redirect to force the page to load via SSL is not activated and the
customer could enter data to the webpage without using the SSL.

Fixes zencart#1369
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mc12345678