How to configure TomatoCart to work with SSL

1. Secure private information between the web servers and the customers as they browse the site by using encryption.

2. Secure the administration console so sensitive passwords, credit card numbers, and customer data cannot be intercepted.

3. Provide a Secure Seal on the site that shows customers that the site protects their data and that this is a legitimate company.

Compared to the HTTP protocol, HTTPS requires an initial handshake, which can be very slow; therefore TomatoCart only uses SSL for the sections where it is necessary: the my account area, the checkout area and the administration panel.

Shared SSL vs. Private/Dedicated SSL

With private SSL, the user must purchase their own SSL certificate and have a dedicated IP address to run the SSL server on. Private SSL gives you a secure URL like https://www.thewebsite.com/, and the web hosting company's name is not included in the URL.

Some web hosting providers offer shared SSL so that customers get the benefits of SSL without the costs that are usually associated with setting up an SSL server. With shared SSL, the site uses the provider’s SSL certificate instead and gets a secure URL like https://providerhost.com/~username.

The installation of private SSL for TomatoCart is quite different from that of shared SSL. The details are covered in the following sections.

Install Private/Dedicated SSL

This section will explain how to install SSL for TomatoCart step by step:

Step 1: Purchase your own SSL certificate and install it on the server

The first step is to get an SSL certificate and install it on the web server. Normally there are three steps involved:

1. Contact your hosting provider to get a certificate signing request (CSR) form. The information in the CSR must match the whois information for the domain for which the certificate is requested.

2. Purchase the SSL certificate from the SSL provider.

3. Forward the SSL certificate to the hosting provider; the administrator will install it on the server.

Step 2: Update the Configuration file

After the SSL certificate is installed, the “configure.php” file has to be updated to enable SSL. The code below shows the relevant configuration options in “configure.php”. The ENABLE_SSL constant must be set to true, and HTTPS_SERVER must use the “https” protocol.

<?php

define('HTTP_SERVER','http://www.thewebsite.com');

define('HTTPS_SERVER','https://www.thewebsite.com');

define('ENABLE_SSL',true);

define('HTTP_COOKIE_DOMAIN','www.thewebsite.com');

define('HTTPS_COOKIE_DOMAIN','www.thewebsite.com');

?>

Step 3: Upload the configuration file to the server

Install Shared SSL

Shared SSL is offered by the web hosting provider, so there is no SSL certificate to purchase and we start directly by updating the configuration file.

Step 1: Update the Configuration file

The code below shows the configuration options in the “configure.php” file. The ENABLE_SSL constant is again set to true. HTTPS_SERVER is changed to the URL provided by the hosting provider. Consequently, HTTPS_COOKIE_DOMAIN is changed to the hosting provider's domain.

<?php

define('HTTP_SERVER','http://www.thewebsite.com');

define('HTTPS_SERVER','https://www.providerhost.com/~username');

define('ENABLE_SSL',true);

define('HTTP_COOKIE_DOMAIN','www.thewebsite.com');

define('HTTPS_COOKIE_DOMAIN','providerhost.com');

define('HTTP_COOKIE_PATH','/');

define('HTTPS_COOKIE_PATH','/');

?>

Step 2: Update the SSL status check code in application_top.php file

The code below, which tests whether SSL is active in “includes/application_top.php” and “admin/includes/application_top.php”, does not work for shared SSL; that is to say, the SSL status cannot be detected. This is due to the wrong value in the $_SERVER environment variables.

// set the type of request (secure or not)

$request_type = (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on')) ? 'SSL' : 'NONSSL';

If the shared SSL is used, the SSL status check code has to be changed to:

// set the type of request (secure or not)

$request_type = ((isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == '1')) || ($_SERVER['SERVER_PORT'] == '443') || ($_SERVER['HTTP_HOST'] == 'providerhost.com')) ? 'SSL' : 'NONSSL';

Please note: HTTP_HOST should be the host name provided by the web hosting provider. In this example the domain providerhost.com is a placeholder; you should change it to the real domain.
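The shared-SSL check above, written as a function and run over several server environments, as an added example that is not TomatoCart's own code. The function name detect_request_type(), its $sharedSslHost parameter and the sample environments are assumptions made for illustration. Because HTTP_HOST is taken from the request's Host header, the example compares it exactly (lower-cased, port removed) against the single configured host name and treats missing variables as non-SSL.

```php
<?php
// Added example: detect_request_type() and $sharedSslHost are hypothetical
// names, not part of TomatoCart.

function detect_request_type(array $server, string $sharedSslHost): string
{
    // Standard signal: the web server sets HTTPS to "on" (or "1" on some setups).
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1') {
        return 'SSL';
    }

    // Fallback 1: the request arrived on the default HTTPS port.
    if ((string) ($server['SERVER_PORT'] ?? '') === '443') {
        return 'SSL';
    }

    // Fallback 2: the request is addressed to the provider's shared SSL host.
    // HTTP_HOST comes from the client's Host header, so it is normalised and
    // compared exactly against the one configured host name.
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host !== '' && $host === strtolower($sharedSslHost)) {
        return 'SSL';
    }

    return 'NONSSL';
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'private SSL, HTTPS=on'       => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'www.thewebsite.com'],
    'HTTPS=1 variant'             => ['HTTPS' => '1', 'HTTP_HOST' => 'www.thewebsite.com'],
    'shared SSL, HTTPS unset'     => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'providerhost.com'],
    'port 443, HTTPS unset'       => ['SERVER_PORT' => '443', 'HTTP_HOST' => 'www.thewebsite.com'],
    'plain HTTP on the shop host' => ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'HTTP_HOST' => 'www.thewebsite.com'],
    'missing variables'           => [],
];

foreach ($samples as $label => $server) {
    printf("%-30s %s\n", $label, detect_request_type($server, 'providerhost.com'));
}
```

The first four samples report SSL and the last two report NONSSL.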

 

 
