How to Configure TomatoCart to Work with SSL
Written by Jack Yin Saturday, 20 October 2012
SSL stands for Secure Sockets Layer. It uses a cryptographic system to create a secure connection between the client and the web server. The SSL protocol is used by millions of online stores to serve three primary functions:
- Secure private information between the web servers and the customers as they browse the site by using encryption.
- Secure the administration console so sensitive passwords, credit card numbers, and customer data cannot be intercepted.
- Provide a Secure Seal on the site that shows customers that the site protects their data and that this is a legitimate company.
Compared to HTTP, HTTPS requires an initial handshake, which can be very slow; therefore TomatoCart only uses SSL for the sections where it is necessary: the my account area, the checkout area and the administration panel.
For detailed information about SSL please refer to this.
Shared SSL vs. Private/Dedicated SSL
With private SSL, the user must purchase their own SSL certificate and have a dedicated IP address to run the SSL server on. With private SSL you get a secure URL like https://www.thewebsite.com/, and the web hosting company's name is not included in the URL.
Arvixe offers shared SSL so that customers get the benefits of SSL without the costs that are usually associated with setting up an SSL server. With shared SSL, people use the server's SSL certificate instead and get a secure URL like https://server.arvixe.com/~username.
The installation of private SSL for TomatoCart is quite different from that of shared SSL. The following sections cover the details.
Install Private/Dedicated SSL
This section will explain how to install SSL for TomatoCart step by step:
Step 1: Purchase your own private SSL from Arvixe, and receive free installation!
Please note that a dedicated IP is required for an SSL to function.
Step 2: Update the Configuration file
After Arvixe installs the SSL certificate, the “configure.php” file has to be updated to enable SSL. The code below shows the configuration options in the “configure.php” file. The “ENABLE_SSL” constant must be set to true, and the “HTTPS_SERVER” value must use the “https” protocol.
    define('HTTP_SERVER', 'http://www.thewebsite.com');
    define('HTTPS_SERVER', 'https://www.thewebsite.com');
    define('ENABLE_SSL', true);
    define('HTTP_COOKIE_DOMAIN', 'www.thewebsite.com');
    define('HTTPS_COOKIE_DOMAIN', 'www.thewebsite.com');
Step 3: Upload the configuration file to server
Install Shared SSL
Shared SSL is offered by Arvixe, so we do not have to purchase an SSL certificate and can start directly by updating the configuration file.
Step 1: Update the Configuration file
The code below shows the configuration options in the “configure.php” file. The “ENABLE_SSL” constant is again set to true. The “HTTPS_SERVER” value is changed to the URL provided by the hosting provider. Consequently, “HTTPS_COOKIE_DOMAIN” is changed to the hosting provider's domain.
    define('HTTP_SERVER', 'http://www.thewebsite.com');
    define('HTTPS_SERVER', 'https://server.arvixe.com/~username');
    define('ENABLE_SSL', true);
    define('HTTP_COOKIE_DOMAIN', 'www.thewebsite.com');
    define('HTTPS_COOKIE_DOMAIN', 'server.arvixe.com');
    define('HTTP_COOKIE_PATH', '/');
    define('HTTPS_COOKIE_PATH', '/');
Step 2: Update the SSL status check code in application_top.php file
The code below, which tests whether SSL is active in “includes/application_top.php” and “admin/includes/application_top.php”, does not work for shared SSL; that is to say, the SSL status cannot be detected. This is due to the wrong value in the $_SERVER environment variables.
    // set the type of request (secure or not)
    $request_type = (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on')) ? 'SSL' : 'NONSSL';
If the shared SSL is used, the SSL status check code has to be changed to:
    // set the type of request (secure or not)
    $request_type = ((isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == '1'))
        || ($_SERVER['SERVER_PORT'] == '443')
        || ($_SERVER['HTTP_HOST'] == 'server.arvixe.com')) ? 'SSL' : 'NONSSL';
Please note: the “HTTP_HOST” value should be the host name offered by the web hosting provider. In this example the domain server.arvixe.com is dummy data; you should change it to the real domain.
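The modified check above, as an added example that is not TomatoCart's own code: it reports which of the three indicators fires for a few constructed $_SERVER arrays. The function names ssl_indicators() and request_type() are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not TomatoCart code. ssl_indicators() and request_type()
// are hypothetical names; server.arvixe.com is the page's dummy host.

// Return the name of every indicator from the modified check that fires.
function ssl_indicators(array $server, string $sharedHost): array
{
    $https = (string) ($server['HTTPS'] ?? '');
    $fired = [];
    if (strtolower($https) === 'on' || $https === '1') {
        $fired[] = 'HTTPS';
    }
    if ((string) ($server['SERVER_PORT'] ?? '') === '443') {
        $fired[] = 'SERVER_PORT';
    }
    if (($server['HTTP_HOST'] ?? '') === $sharedHost) {
        $fired[] = 'HTTP_HOST';
    }
    return $fired;
}

// Same decision as the modified application_top.php line: any indicator means SSL.
function request_type(array $server, string $sharedHost): string
{
    return ssl_indicators($server, $sharedHost) ? 'SSL' : 'NONSSL';
}

// Constructed sample inputs (not captured from a real server).
$samples = [
    'own domain, plain HTTP'     => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'www.thewebsite.com'],
    'own domain, HTTPS flag set' => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'www.thewebsite.com'],
    'shared host, flags missing' => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'server.arvixe.com'],
    'shared host, port 443'      => ['SERVER_PORT' => '443', 'HTTP_HOST' => 'server.arvixe.com'],
];

foreach ($samples as $label => $server) {
    $fired = ssl_indicators($server, 'server.arvixe.com');
    printf("%-28s %-7s %s\n", $label, request_type($server, 'server.arvixe.com'),
        $fired ? implode(',', $fired) : '-');
    if ($fired === ['HTTP_HOST']) {
        // The Host header names the site requested; it does not show that TLS was used.
        echo "  note: classified as SSL by host name only\n";
    }
}
```

A row whose only indicator is HTTP_HOST is classified as SSL whether or not the connection was encrypted, because the Host header only names the site that was requested. Compare the values your host reports for the http:// and https:// URLs before relying on the host name match.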