AbanteCart Community

Shopping Cart Operations => Security => Topic started by: llegrand on April 24, 2015, 05:44:50 PM

Title: https sitewide – admin panel has mixed usage warnings
Post by: llegrand on April 24, 2015, 05:44:50 PM
With Google’s push to have sites all under https:// we moved to this model with the updates to version 1.2.1 for all of our sites.   The fix you provided for the storefront and the home directory solved that issue. That fix is here:   
https://github.com/abantecart/abantecartsrc/commit/bbb2be7693681e064036f31aa7b39afd71560577
 We do have to remove the Donate button from all pages in order for the SSL to not have warnings, but since most folks probably remove that from their site, not much of an issue.

 HOWEVER, the admin panel is a bit problematic - we are finding lots of calls to http:// that we are having to go and edit in the code.   We could provide you with a list of where we’ve altered – it even includes the ico file.   ;)
But what I would really like to request, is that as you move to the next versions 1.2.2 and forward can you please make the default codes work with https:// pages across the entire site.   That would assist everyone as they begin to follow the big G's wishes.
Thanks for considering.
Lee

 
 
 
Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: Gordon Taylor on April 24, 2015, 08:50:23 PM
Great post Lee, and as you say, since Google is giving more weight (or whatever) to sites behind the https then we need to get this fixed ASAP. This will be especially important for newbies that don't modify the footer or don't turn off the donate button. You can't get a padlock in FF with that code active, the PayPal image is being called from a non-secure server, as an example.

I've used sites like https://www.whynopadlock.com/ to suss out some of the issues and just plain found them on my own. Another issue I noticed with this subject is that sometimes the archived images that one adds during product building are not behind the secure side. Even though the https website address is in the correct place within Admin>settings. In fact it seems to be random.
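
Added example (not part of the original posts and not AbanteCart code): a small Python check that parses saved page source and lists the `http://` subresources that cost an HTTPS page its padlock, labelling scripts, frames and stylesheets as "active" and images, media and icons as "passive". The sample markup and host names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource; <a href> is navigation, so it is absent.
ACTIVE = {("script", "src"), ("iframe", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

def classify(tag, name, attrs):
    # <link> only loads something for certain rel values (canonical, for one, loads nothing).
    if (tag, name) == ("link", "href"):
        rel = (dict(attrs).get("rel") or "").lower().split()
        return "active" if "stylesheet" in rel else "passive" if "icon" in rel else None
    if (tag, name) in ACTIVE:
        return "active"
    return "passive" if (tag, name) in PASSIVE else None

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https:// and protocol-relative // URLs are fine
            kind = classify(tag, name, attrs)
            if kind:
                self.findings.append((self.getpos()[0], kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not AbanteCart's real markup).
SAMPLE = """<html><head>
<link rel="icon" href="http://shop.example/favicon.ico">
<script src="https://shop.example/js/app.js"></script>
</head><body>
<a href="http://other.example/">outbound link</a>
<img src="http://images.example/donate.gif" alt="Donate">
<img src="//cdn.example/logo.png">
<script src="http://shop.example/js/admin.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind} mixed content <{tag}> {url}")
```

Run it over the rendered source of both storefront and admin pages, since references injected by templates or stored settings only show up in the final HTML.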


Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: eCommerce Core on April 27, 2015, 12:49:17 PM
We are checking this. Will update soon...

Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: eCommerce Core on April 27, 2015, 01:23:56 PM
I have updated Donation button for 1.2.2.

Regarding Admin panel, we will work on making it 100% HTTPs. This will take some time. 
Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: llegrand on April 27, 2015, 01:48:51 PM
Excellent,  thank you, I appreciate the forward thinking on Abantecart - always trying to make it better and it is already really great!

Cheers
Lee


Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: Gordon Taylor on April 27, 2015, 02:49:41 PM
Hey thanks eCC .... really appreciate your hard work.

Gordon
Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: abantecart on April 27, 2015, 05:48:00 PM
This is a commit with modifications with admin fixes for HTTPs
https://github.com/abantecart/abantecart-src/commit/cae9c30a064ccf135078318d50559e2ecd34d41a
Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: Gordon Taylor on April 27, 2015, 09:39:51 PM
Thank you Pavel, everyone will love it!
Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: webdevmerc on September 01, 2015, 01:23:36 PM
Hi, could someone test this fix in their environment and see if it introduced a new bug?

I replaced all 9 of my Abantecart 1.2.3 files with these 9 and noticed that on a product page, the 1st image would load up ok, but if I click on any other images, it would open up in a very narrow window.  If I try to reopen the 1st image, it has the same problem.

My site does have a RewriteCond forcing all https traffic so I don't know if that's the cause...


I then replaced these new files with the original Abantecart 1.2.3 (Jul 21st) files and the images are working correctly again.

Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: llegrand on September 01, 2015, 03:57:13 PM
Hi, Web Dev,  I believe those fixes on the github cited were for 1.2.2  and the improvement to https handling did come out when 1.2.2 was released.  And to the best of my testing 1.2.3 has the improved https handling already in it.  Therefore doubt if replacing the files is a good thing.

I use rewrite conditions to redirect to the https/ on my sites without issues since the 1.2.2.

What's happening on your site that is causing you issues? 

Lee




Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: webdevmerc on September 01, 2015, 04:03:39 PM
Oh, ok...My problem is when testing with Cloudflare, it has mixed secure content warnings which may be a Cloudflare/cdn thing, but I tried these (apparently) old files which causes other issues.

I also force HTTPS in my .htaccess, but web testing sites seem to complain that an endless redirect loop is there when Cloudflare is enabled...
Title: Re: https sitewide – admin panel has mixed usage warnings
Post by: Basara on September 03, 2015, 09:01:45 AM
When you apply any changes in code or redirects, make sure to purge the Cloudflare cdn cache.
Also, Cloudflare has different cache levels; try to play with different settings.