
Forced HTTPS on osCommerce breaks sessions and logins

I have been trying to force HTTPS on my osCommerce site and it works. But when it switches to HTTPS, the session breaks and login doesn't work at all.

.htaccess code for forcing HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The way to force HTTPS on all your pages in an osCommerce site is to use what's already set up for you in the configuration instead of making .htaccess do the work.

Edit the includes/configure.php file and put the HTTPS version of your site in both of the following:

define('HTTP_SERVER', 'https://example.com');
define('HTTPS_SERVER', 'https://example.com');

In /includes/configure.php, modify the HTTP DOMAIN to have https:// . That will make all sessions stay https only. Do the same in /admin/includes/configure.php.

It builds upon the other answers for mod_rewrite, which you should do.

I would also add the HTTP Strict Transport Security header and XSS protection.

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header unset X-Powered-By
    Header unset Server
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    # Static assets are not HTML, so the XSS filter header is dropped for them
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
        Header unset X-XSS-Protection
    </FilesMatch>
</IfModule>

Are you definitely using Apache?

Try this instead in your .htaccess ...

RewriteEngine On
RewriteCond %{HTTPS} off
# Redirect permanently and stop processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I'm not sure if this is directly related to your problem, but I would suggest making sure that all the forms, links and Location headers aimed within your site point to URLs using an https prefix, if those are absolute.

The rewrite rules that turn HTTP requests into HTTPS are only really useful for securing the "entry point": the first page that the user visits. They don't prevent data from being sent in the clear if that data is sent to a URL that uses http:// . Indeed, these rewrite rules only come into action after the browser has made the request in the clear first (so all headers, including login cookies unless they are Secure cookies, and all the POSTed data, for example, will already have been sent in the clear).

You may be interested in these related questions:

There's a chance that the sessions break because there's a seemingly invisible plain HTTP connection in the process, which may cause some session-related data not to be transmitted correctly. If you're using Firefox, it can be useful to turn on the security.warn_leaving_secure option (via the about:config URL) to track this sort of problem.
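As an added example that is not part of any answer above, here is a small offline check for the mistakes the last answer describes: absolute http:// form actions and links left in the page, a session cookie set without the Secure flag, a Location header that sends the browser back to plain HTTP, and a missing Strict-Transport-Security header. The sample headers and HTML at the bottom are constructed, not captured from a real shop; only the cookie name osCsid is osCommerce's default.

```python
from html.parser import HTMLParser
from typing import List, Tuple

Header = Tuple[str, str]  # (name, value) pairs so repeated Set-Cookie lines survive


class _UrlCollector(HTMLParser):
    """Collects, per tag, the attribute whose URL the browser will fetch or post to."""
    URL_ATTR = {"form": "action", "a": "href", "script": "src", "img": "src",
                "link": "href", "iframe": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTR.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.found.append((tag, value))


def audit_response(headers: List[Header], body: str) -> List[str]:
    """One finding per way this response can leak the session or POST data over plain HTTP."""
    findings: List[str] = []
    for name, value in headers:
        n = name.lower()
        if n == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            if "secure" not in {p.lower() for p in parts[1:]}:
                findings.append(f"cookie {cookie!r} is set without the Secure flag")
        elif n == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect sends the browser back to plain HTTP: {value}")
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    collector = _UrlCollector()
    collector.feed(body)
    for tag, url in collector.found:
        if url.lower().startswith("http://"):
            findings.append(f"<{tag}> points at plain HTTP: {url}")
    return findings


# Constructed sample (not captured from a real shop): a login page emitted while
# HTTP_SERVER is still http://, so the form posts and the session cookie travel in clear.
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "osCsid=abc123; path=/")]
SAMPLE_BODY = ('<form action="http://example.com/login.php?action=process" method="post">'
               '<input type="password" name="password"></form>'
               '<a href="http://example.com/account.php">My Account</a>')
```

Run it against a page fetched from your own shop; an empty list from audit_response means none of the four problems is present in that response.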

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any question, please contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM