ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

SSL for entire site

August 02, 2012 6:31pm

  • #1 / Aug 02, 2012 6:31pm

    The Design Core

    359 posts

    I am planning to install an SSL Certificate on an ExpressionEngine site that will have a shopping cart.

    I really only need a few of the cart pages to be served securely, but after reading all of the problems people have had getting that to work in EE, I thought it may just be easier to secure the whole site.

    My questions are if there is any drawback to going about it that way, or has anyone figured out a good way to only make a few pages have https URLs?

    Thanks for any advice.

  • #2 / Aug 02, 2012 7:29pm

    Aaren Hofferth

    55 posts

    I’ve implemented a few sites that use isolated HTTPS templates, and some that use SSL site wide. What kind of problems would you be referring to specific to EE? It’s quite a hassle to make sure all of your included assets are secure (images, stylesheets, scripts, etc) when making isolated HTTPS templates, but it’s doable.

    The native browser function after visiting an HTTPS url is to carry it over to the next page. To cure this, you simply add a script or plugin that detects the current protocol and adjusts it accordingly.

    I had tried a few plugins to force and un-force URLs in EE, but ultimately, they each had something that made them unusable. Instead, I went with a straight JavaScript solution which works beautifully.

    Include this on the template you wish to force HTTPS on:
    (Note, I had to change “window” to “windoww” to prevent the forums from mucking up the code)

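    <script>
    <!--
    // "windoww" stands in for "window" (see the note above); change it back before use.
    // Host + path of the current page (the query string is not carried over).
    var newURL = windoww.location.host + windoww.location.pathname;
    if ("https:" == document.location.protocol) {
        /* SECURE: already on HTTPS, nothing to do */
    } else {
        // Plain HTTP: load the same host and path over HTTPS
        windoww.location = "https://" + newURL;
    }
    //-->
    </script>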

    And this on your normal templates to force HTTP:

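    <script>
    <!--
    // "windoww" stands in for "window" here as well; change it back before use.
    var newURL = windoww.location.host + windoww.location.pathname;
    if ("https:" == document.location.protocol) {
        // On HTTPS: load the same host and path over plain HTTP
        windoww.location = "http://" + newURL;
    } else {
        /* unsecure: already on HTTP, nothing to do */
    }
    //-->
    </script>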

    If you’re wondering about the plugins I looked into (but didn’t use), they are SSL Check, and DM Force SSL.

    Alternatively—I’m sure you could use something more efficient like an .htaccess file to direct the proper templates to their correct protocols as well.

  • #3 / Aug 02, 2012 9:20pm

    The Design Core

    359 posts

    The problems I am referring to have to do with the hassle of making all the assets secure when only some templates use https as you mentioned.

    Does the code you posted handle the included assets issue?

    And is there any drawback to making the whole site https?

    Thanks for the code & help!

  • #4 / Aug 02, 2012 9:47pm

    Aaren Hofferth

    55 posts

    The code I provided simply detects the current protocol (HTTP or HTTPS), and then performs a redirect to the proper url—it doesn’t handle anything with the location of your assets.

    For assets, use relative paths; this allows assets to automatically use the right protocol. (e.g. “/image.jpg” will always use the right protocol, where an absolute path “http://name.com/image.jpg” will not).

    Using HTTPS for your entire site is a bit like using 30 deadbolts on a door, you can do it, but it’s overkill, and it takes a tad longer for pages to load since it’s establishing a secure connection, encrypting and decrypting data. It’s not a large decrease in speed, but it’s there.

    After you successfully set up a single template HTTPS—it’s really not a big hassle to implement later on.

    Don’t hesitate to keep on asking away. When I first did this, I couldn’t find any help, and I’m pretty sure it took a few years off my life before I got it all working correctly.

    Cheers!

  • #5 / Aug 02, 2012 9:52pm

    The Design Core

    359 posts

    Well, you convinced me to not make the whole site secure!

    I wonder why so many people had trouble with included assets if all you need to do is use relative paths? I always use relative paths anyway so I would not have to change anything.

    What other advice/tips can you give that might help me avoid losing a few years off my life? 😊

    Thanks for your help!

  • #6 / Aug 03, 2012 12:15am

    Aaren Hofferth

    55 posts

    Sure thing—here’s a few more comments.

    Another quick note about making the entire site secure. If the whole site were set as https, you’d need to make sure you secure all page assets, otherwise your user would get a notice in their browser telling them they are on a secure url but the connection is not secure—which is annoying. Also, having an entire site set as secure when it’s driven by dynamic content which is submitted by users is very hard to control. In my case, clients had access to EE to publish content, and it’s impossible to make sure they are always uploading assets that have the proper paths set.

    Make sure you test your secure page(s) in major browsers, on a couple different computers. When I first started testing in multiple browsers, I had discrepancies with some browsers working and some not. IE particularly was failing my secure connection based on some stupid error. I think it was a favicon which is automatically pulled by default by most browsers, but I had to define the favicon as https manually in my meta tags to get it to pass. Anyways. Just be aware that it can happen.

    When I was working with my client (and this may depend on the merchant company being used) they had to pass a PCI Compliance test (https://www.trustwave.com/pci-dss-merchants.php). For whatever reason, their test kept failing me even though all of my pages were appearing as secure. The problem ended up being that I needed to set up my 404 page as secure. Apparently they test a bogus url like https://sitename.com/.1, and if it doesn’t clear, you fail the compliance test. No idea why.

    Anyways—hope some of this helps! Good luck.
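
The asset problem discussed in posts #4 and #6 (images, stylesheets, scripts or a favicon referenced with an absolute http:// URL on an HTTPS template) can be checked before publishing. The following is an added example, not code from the thread or from ExpressionEngine; the function name `findInsecureAssets` and the `shop.example` sample template are constructed for illustration.

```javascript
// Added example: list the sub-resources that a template served over HTTPS
// would still request over plain HTTP (what triggers the browser notice).
const ASSET_TAG = /<(img|script|link|iframe|embed|source|audio|video)\b[^>]*>/gi;
const URL_ATTR = /\b(src|href)\s*=\s*(["'])(.*?)\2/i;
const CSS_URL = /url\(\s*["']?(http:\/\/[^"')\s]+)/gi;

function findInsecureAssets(html) {
  const findings = [];
  for (const m of html.matchAll(ASSET_TAG)) {
    const tag = m[1].toLowerCase();
    // <link> only loads a resource for stylesheets and icons;
    // rel="canonical" and similar are plain references, not assets.
    if (tag === "link" && !/rel\s*=\s*["'][^"']*(stylesheet|icon)/i.test(m[0])) {
      continue;
    }
    const attr = URL_ATTR.exec(m[0]);
    // Root-relative ("/x.png") and protocol-relative ("//host/x.js") URLs
    // inherit the page's protocol, so only explicit http:// is reported.
    if (attr && /^http:\/\//i.test(attr[3].trim())) {
      findings.push({ tag: tag, url: attr[3].trim() });
    }
  }
  // Inline styles and <style> blocks: background images and similar.
  for (const m of html.matchAll(CSS_URL)) {
    findings.push({ tag: "css", url: m[1] });
  }
  return findings;
}

// Constructed sample template (not from the thread).
const SAMPLE = `
<link rel="stylesheet" href="/css/site.css">
<link rel="shortcut icon" href="http://shop.example/favicon.ico">
<link rel="canonical" href="http://shop.example/cart">
<script src="//cdn.example/lib.js"></script>
<img src="http://shop.example/images/cart.png" alt="cart">
<img src="/images/logo.png" alt="logo">
<a href="http://shop.example/about">About</a>
<div style="background: url('http://shop.example/bg.jpg')"></div>
`;

for (const f of findInsecureAssets(SAMPLE)) {
  console.log(f.tag + ": " + f.url);
}
```

Ordinary `<a>` links are left out on purpose: following a link to an http:// page is navigation, not an asset loaded into the secure page.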

  • #7 / Aug 03, 2012 8:08am

    The Design Core

    359 posts

    Thanks for the info! Very helpful!

    Going to get the cert today and take things for a spin. We shall see how it goes.

  • #8 / Aug 03, 2012 6:24pm

    The Design Core

    359 posts

    So I got my SSL cert installed today and have been testing things out.

    The code you provided works for redirecting to the appropriate protocol, but when I hit a page that redirects me to an https URL I get the following message:

    “Your system folder path does not appear to be set correctly. Please open the following file and correct this: index.php”

    I get the same result whether I use http or https in my CP URL.

    How do I get around this?
