
Jumping all over the place

This is a discussion on Jumping all over the place within the osCommerce 2.2 Installation Help forums, part of the osCommerce 2.2 Forums category.

      
  1. #1

    Jumping all over the place

    I have OSC set up, working fine apart from that at certain points i.e. at end of checkout (on continue) and when clicking on myAccount where it links back to a secure version of the site. I would imagine it would be best to have myAccount and continue after checkout to go back to the normal http version?

    Also I have the admin section on both the HTTPS folder and in the HTTP folder on my server. Now for security I was hoping to use .htaccess and HTTPS version of the admin section. Now when I go to the /admin/ in a browser it says YES protected by SSL; however, when I click on any of the links on the front page or anything inside the admin section it skips to the HTTP version, not good as I don't want scamsters looking at data transfers.

    Also it seems strange to me that you would have two identical copies of OSCommerce, one in HTTP and one in HTTPS. Are there any instructions pointing out which files need to be installed on HTTPS so that the checkout procedure and the admin section are covered with SSL, and which files should sit in the HTTP folder to cover the rest of it i.e. general browsing? Just seems like a waste of server space.

    Any help is most excellent.

    Thanks

    Allan

  2. #2
    jpf

    To keep the admin ONLY in HTTPS - change your admin configure.php file.
    Change:
    define('HTTP_SERVER', 'http://www.your_regular_site.com');

    to:
    define('HTTP_SERVER', 'https://www.your_secure_site.com');


    As for 2 directories HTTPS/HTTP - it depends on your type of certificate and HOW the server(s) are set up. Many HOSTS set up a dynamic link so that any HTTPS calls look for the files in ONE directory in HTTP.

    Ask your host if they can do such.

    BTW It is suggested to RENAME the admin directory to something odd - and/or put it into a private directory (if your host has provided it - ie: http://www.yoursite_or_host.com/~you...y_store_admin/)

    Good Luck
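Added example, not part of the thread: one way to confirm that the change described in the reply above took effect is to scan the admin configure.php for server URLs that still use plain http. The function name, the `*_SERVER` matching rule and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Prints NAME=VALUE for every
# define('..._SERVER', 'http://...') in a configure.php and returns 1 if any
# exist, 0 if all server URLs are https (or empty), 2 if the file is unreadable.
check_admin_https() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read: $conf" >&2; return 2; }
    # Drop commented-out lines, then reduce each matching define() to NAME=VALUE.
    insecure=$(sed -n \
        -e '/^[[:space:]]*\/\//d' \
        -e '/^[[:space:]]*#/d' \
        -e "s/.*define([[:space:]]*['\"]\([A-Z_]*_SERVER\)['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1=\2/p" \
        "$conf" | grep -i '=http://' || true)
    if [ -n "$insecure" ]; then
        printf '%s\n' "$insecure"
        return 1
    fi
    return 0
}

# Constructed sample files: the "before" and "after" lines from the reply.
demo=$(mktemp -d)
printf '%s\n' '<?php' "define('HTTP_SERVER', 'http://www.your_regular_site.com');" > "$demo/before.php"
printf '%s\n' '<?php' "define('HTTP_SERVER', 'https://www.your_secure_site.com');" > "$demo/after.php"
check_admin_https "$demo/before.php" || echo "before.php: admin links will leave SSL"
check_admin_https "$demo/after.php" && echo "after.php: all server URLs use https"
rm -rf "$demo"
```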

  3. #3

    Right

    Right okay, I understand the first bit about changing the configure.php directive.

    You lost me on some of the other stuff however. With regards to the server, it is actually my own server and perhaps unfortunately I am the one who has to maintain it. It's a debian box running apache, php, mysql etc. The SSL cert itself is a purchased SSL and it is set up to run at https://secure.firefly-it.com/anyfolder in this case /catalog.

    This said am I understanding correctly that I should set up short cuts or links to the files from inside the HTTPS directory so that they point to the files in the HTTP directory, (if so I have forgotten the commands is it lk -s 'name of shortcut' 'name and path of actual file' ?)

    I don't know if I am getting this all right???

    Also with regards to renaming the admin folder is there a reason for doing this? Or is it just an extra security precaution. If so am I right in saying that .htaccess is not totally secure?

    Thanks again

    Al

  4. #4
    jpf

    Re: Right

    Quote Originally Posted by marastafat
    Also with regards to renaming the admin folder is there a reason for doing this? Or is it just an extra security precaution. If so am I right in saying that .htaccess is not totally secure?

    It is just EXTRA security. I would rather have the person get a "404 - file does not exist" than "find" a valid but secure "place" that is a point of possible hacking.

    HTACCESS is not totally secure - but then NOTHING is - other than a computer turned off, unplugged, locked in a vault (with NO combination) and dumped into an active volcano....

    Proper setting up of htaccess will help - but it could STILL be a point of entry (for hacking). Just make that point of entry hard to find/guess.

    Who would guess it would be say:

    https://secure.firefly-it.com/anyfol...in_for_my_site

    A bit long but you get the point - who can guess that. Whereas if a Hacker finds an OSC site and knows it well, then https://secure.firefly-it.com/admin would be my first place to check to try hacking in.....

    As for linking....
    you're close...

    in the directory you want the link to be for (your https directory) run the following as root....
    ln -s 'name_of_your_http_directory_to_link_to'
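Added example, not part of the thread: the linking step from the reply above, wrapped so that it refuses to overwrite a real directory and checks that the HTTPS path ends up pointing at the HTTP copy. The function name and all paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread); function name and paths are hypothetical.
# Creates <https_root>/<name> as a symlink to the single real copy in http_dir.
link_https_to_http() {
    http_dir=$1      # real files, e.g. /var/www/http/catalog
    https_root=$2    # HTTPS document root, e.g. /var/www/https
    # A relative target would be resolved from the link's location and dangle.
    case $http_dir in
        /*) ;;
        *) echo "use an absolute path for the HTTP directory" >&2; return 2 ;;
    esac
    [ -d "$http_dir" ] || { echo "no such directory: $http_dir" >&2; return 2; }
    link="$https_root/$(basename "$http_dir")"
    if [ -L "$link" ]; then
        rm "$link"   # stale link from an earlier run: safe to replace
    elif [ -e "$link" ]; then
        # A real directory here is the duplicate copy; never delete it silently.
        echo "$link exists and is not a symlink; move it away first" >&2
        return 3
    fi
    ln -s "$http_dir" "$link" || return 1
    # Both paths must now resolve to the same physical directory.
    [ "$(cd "$link" && pwd -P)" = "$(cd "$http_dir" && pwd -P)" ]
}

# Constructed layout in a temporary directory, so nothing real is touched.
demo=$(mktemp -d)
mkdir -p "$demo/http/catalog" "$demo/https"
echo '<?php // constructed file' > "$demo/http/catalog/index.php"
link_https_to_http "$demo/http/catalog" "$demo/https" && ls -l "$demo/https"
rm -rf "$demo"
```

Apache only serves files through the link if the HTTPS virtual host allows it with `Options FollowSymLinks` or `SymLinksIfOwnerMatch`.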
