I have been trying to force HTTPS on my osCommerce site and it works. But when it switched to HTTPS, the session breaks and login doesn't work at all.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The way to force HTTPS on all your pages in an osCommerce site is to use what's already set up for you in the configuration instead of making .htaccess do the work.
Edit the includes/configure.php file and put the HTTPS version of your site in both of the following:
define('HTTP_SERVER', 'https://example.com');
define('HTTPS_SERVER', 'https://example.com');
In /includes/configure.php modify the HTTP DOMAIN to have https://. That will make all sessions stay https only. Do the same in /admin/includes/configure.php. It builds upon the other answers for mod_rewrite which you should do.
I would also add the HTTP STRICT TRANSPORT SECURITY header and XSS protection, too.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header unset X-Powered-By
    Header unset Server
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    # Static assets do not need the XSS filter header
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
        Header unset X-XSS-Protection
    </FilesMatch>
</IfModule>
Are you definitely using Apache?
Try this instead in your .htaccess
...
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
I'm not sure if this is directly related to your problem, but I would suggest making sure that all the forms, links and Location headers aimed within your site point to URLs using an https prefix, if those are absolute.
The rewrite rules that turn HTTP requests into HTTPS are only really useful for securing the "entry point": the first page that the user visits. They don't prevent data from being sent in the clear if that data is sent to a URL that uses http://. Indeed, these rewrite rules only come into action after the browser has made the request in the clear first (so all headers, including login cookies, unless they are secure cookies, and all the POSTed data, for example, will have been sent in the clear).
You may be interested in these related questions:
There's a chance that the sessions break because there's a seemingly invisible plain HTTP connection in the process, which may cause some session-related data not to be transmitted correctly. If you're using Firefox, it can be useful to turn on the security.warn_leaving_secure option (via the about:config URL) to track this sort of problem.
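One way to hunt for the plain-http form actions, links and Location headers this answer warns about, as an added example that is not from the thread: the sample HTML and response headers below are constructed, and the osCsid cookie name is assumed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: a login form posting to plain http, plus mixed links.
SAMPLE_HTML = """
<form action="http://example.com/login.php" method="post"></form>
<a href="http://example.com/account.php">Account</a>
<a href="https://example.com/checkout.php">Checkout</a>
<a href="/index.php">Home</a>
<a href="http://cdn.example.net/logo.png">Logo</a>
<img src="http://example.com/images/banner.gif">
"""

# Constructed response headers as a login response might send them.
SAMPLE_HEADERS = [
    ("Set-Cookie", "osCsid=abc123; path=/; HttpOnly"),  # cookie name assumed
    ("Location", "http://example.com/account.php"),
]

class LinkCollector(HTMLParser):
    """Collects attribute values the browser will request or submit to."""
    URL_ATTRS = {"a": "href", "form": "action", "img": "src",
                 "script": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.URL_ATTRS.get(tag)
        self.urls += [(tag, v) for n, v in attrs if n == want and v]

def find_plain_http(html, site_host):
    """Return (tag, url) pairs pointing at the site itself over plain http."""
    p = LinkCollector()
    p.feed(html)
    return [(t, u) for t, u in p.urls
            if urlsplit(u).scheme == "http" and urlsplit(u).hostname == site_host]

def check_headers(headers, site_host):
    """Flag a session cookie without Secure and a Location back to plain http."""
    issues = []
    for name, value in headers:
        if name.lower() == "set-cookie" and "secure" not in value.lower():
            issues.append("cookie without Secure: " + value.split(";")[0])
        elif name.lower() == "location":
            parts = urlsplit(value)
            if parts.scheme == "http" and parts.hostname == site_host:
                issues.append("Location redirects to plain http: " + value)
    return issues
```

Run it against a saved copy of your login page and its response headers; every hit is a place where the browser leaves HTTPS and the session cookie can be sent in the clear.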