sbordun Posted September 3, 2017

Hi,

The following bug was found on Prestashop 1.7.2.2.

Conditions:
1) installed the self-signed SSL on my test server
2) Admin Portal settings "Enable SSL = YES" and "Enable SSL on all pages=NO".

When I open the Admin Login page as HTTPS and log in, Prestashop successfully logs me in, but opens the Dashboard as HTTP. The dashboard is supposed to be opened as HTTPS!

I have Prestashop 1.6 installed on the same server and do not have this logging issue.

Please help me.

Thanks,

Scully Posted September 3, 2017

Use .htaccess to force all to SSL - as simple solution. Or analyze the dashboard functions which leads to the Non-SSL request.

The following rule should work for all domains since it does not contain a fixed name for domains.

#### SCULLYS REDIRECT TO SSL, FORCE EVERYTHING! ####
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [L,R=301]
#### DONE! ####

vekia Posted September 3, 2017

if you change address to https it still redirects to http?

sbordun (Author) Posted September 4, 2017

> if you change address to https it still redirects to http?

Yes, if I change the Admin login URL to https manually, it still redirects to http after successful login.

To be 100% sure, I just downloaded the latest 1.7.2.2 prestashop and installed it. In Admin I enabled SSL. The issue still persists.

The issue could be resolved only by setting the "Enable SSL on all pages" to "YES". But I do not want to enforce Front-End to work with HTTPS. I need Front-End to work as HTTP, but Back-End to work as HTTPS.

I could give you access to my back-end for your investigation, and limited SSH access to my test server. How could I do it privately?

Thanks

sbordun (Author) Posted September 4, 2017 (edited)

> Use .htaccess to force all to SSL - as simple solution. Or analyze the dashboard functions which leads to the Non-SSL request.
>
> The following rule should work for all domains since it does not contain a fixed name for domains.
>
> #### SCULLYS REDIRECT TO SSL, FORCE EVERYTHING! ####
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}/$1 [L,R=301]
> #### DONE! ####

Your settings redirect all pages, even Front-End. I played with different ones to redirect Back-End.

RewriteEngine On
RewriteCond %{HTTP_HOST} !MYHOST_HIDDEN
RewriteRule (.*) [L]
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} !^POST$

And it partially helped, with the exception that Admin uses POST sometimes and any POST request (update/insert/delete) failed.

I believe that I found a bug,

Edited September 4, 2017 by sbordun

Scully Posted September 4, 2017 (edited)

> But I do not want to enforce Front-End to work with HTTPS. I need Front-End to work as HTTP, but Back-End to work as HTTPS.

I cannot imagine a situation where this would make sense. Not using SSL will become more and more a problem due to browser warnings popping up. I think we are not very far away from a point where browsers will no longer accept HTTP only when it comes to forms or login procedures.

Edited September 4, 2017 by Scully

sbordun (Author) Posted September 5, 2017

> I cannot imagine a situation where this would make sense. Not using SSL will become more and more a problem due to browser warnings popping up. I think we are not very far away from a point where browsers will no longer accept HTTP only when it comes to forms or login procedures.

What about the most common scenario, when a guest just navigates through products in the front-end? It doesn't require SSL, simple HTTP is enough. Once the guest decides to go to the checkout page, then it is time for SSL.

Is it a Prestashop 1.7.2.2 bug when starting the login with SSL on the admin page redirects to HTTP?

If it is NOT a bug, then why does the Prestashop admin allow me to configure the following parameters?

"Enable SSL = YES" and "Enable SSL on all pages=NO"

Thanks

bellini13 Posted September 5, 2017

> "Enable SSL = YES" and "Enable SSL on all pages=NO"

Using these 2 options does exactly what you want it to...

> What about the most common scenario, when a guest just navigates through products in the front-end? It doesn't require SSL, simple HTTP is enough. Once the guest decides to go to the checkout page, then it is time for SSL.

However I would be more concerned about the usage of a self-signed SSL certificate. No customer in their right mind would trust it...

sbordun (Author) Posted September 6, 2017

> Using these 2 options does exactly what you want it to...
>
> However I would be more concerned about the usage of a self-signed SSL certificate. No customer in their right mind would trust it...

I am in the development phase and using a self-signed certificate on the DEV server.

bellini13 Posted September 6, 2017

ok, so is this issue resolved, or is there still a problem?

sbordun (Author) Posted September 7, 2017 (edited)

> ok, so is this issue resolved, or is there still a problem?

Why does Prestashop have two parameters if it is impossible to use them, since the admin login always redirects to HTTP from HTTPS if the parameters are configured like this: "Enable SSL = YES" and "Enable SSL on all pages=NO"?

Is it not easier for the Presta DEV team to remove the second parameter and leave only the one "SSL Enable" parameter to enable SSL on all pages, instead of introducing a bug and misleading users who worked with Prestashop v1.5 and v1.6 and remember how these parameters work without redirection?

Thanks

Edited September 7, 2017 by sbordun

bellini13 Posted September 8, 2017

The back office does not redirect from HTTPS to HTTP; if yours does, then you have added some customized redirect rule or code.

I just proved this by disabling SSL in my prestashop back office, and then trying to access the back office. Even though SSL is disabled in my store, I can still navigate to my back office using HTTPS, and I do not get redirected to HTTP.

Note: The 2 options are there by design to offer greater flexibility, you are not the only user of Prestashop, and there are many reasons to have both options available.

sbordun (Author) Posted September 8, 2017 (edited)

> The back office does not redirect from HTTPS to HTTP; if yours does, then you have added some customized redirect rule or code.
>
> I just proved this by disabling SSL in my prestashop back office, and then trying to access the back office. Even though SSL is disabled in my store, I can still navigate to my back office using HTTPS, and I do not get redirected to HTTP.
>
> Note: The 2 options are there by design to offer greater flexibility, you are not the only user of Prestashop, and there are many reasons to have both options available.

Could you do the following test steps in your 1.7 prestashop please?

1) Make sure that you have these parameters set up like this: "Enable SSL = YES" and "Enable SSL on all pages=NO"
2) Log off from Admin
3) Go to the HTTPS Admin login page and log in

In my case the next page (admin Dashboard) was opened as HTTP! How about your dashboard?

Thanks

Edited September 8, 2017 by sbordun

bellini13 Posted September 9, 2017

works properly for me. It does not redirect me to HTTP

sct Posted November 19, 2017 (edited)

On 08/09/2017 at 1:12 PM, bellini13 said:

> The back office does not redirect from HTTPS to HTTP; if yours does, then you have added some customized redirect rule or code.
>
> I just proved this by disabling SSL in my prestashop back office, and then trying to access the back office. Even though SSL is disabled in my store, I can still navigate to my back office using HTTPS, and I do not get redirected to HTTP.
>
> Note: The 2 options are there by design to offer greater flexibility, you are not the only user of Prestashop, and there are many reasons to have both options available.

It doesn't offer ANY flexibility if it doesn't work. I have the same problem on a fresh install of 1.7. The only way I can get the back end to hold https on a jump is if I set SSL to off. It seems that the only way to enable SSL in the back end is to disable it on the front completely by turning it off.

Edited November 19, 2017 by sct

sct Posted November 19, 2017

On 08/09/2017 at 4:09 PM, sbordun said:

> Could you do the following test steps in your 1.7 prestashop please?
>
> 1) Make sure that you have these parameters set up like this: "Enable SSL = YES" and "Enable SSL on all pages=NO"
> 2) Log off from Admin
> 3) Go to the HTTPS Admin login page and log in
>
> In my case the next page (admin Dashboard) was opened as HTTP! How about your dashboard?
>
> Thanks

Are you running in a subdirectory off root or in the root?

bellini13 Posted November 20, 2017

2 hours ago, sct said:

> It doesn't offer ANY flexibility if it doesn't work. I have the same problem on a fresh install of 1.7. The only way I can get the back end to hold https on a jump is if I set SSL to off. It seems that the only way to enable SSL in the back end is to disable it on the front completely by turning it off.

It does offer flexibility and it does work; as I stated, I tested this.

It may not work for you and your store, and I won't bother to guess as to what exact version of prestashop you are using or what modules or customizations you may have made that could contribute to you having a different experience.

sct Posted November 20, 2017

8 hours ago, bellini13 said:

> It does offer flexibility and it does work; as I stated, I tested this.
>
> It may not work for you and your store, and I won't bother to guess as to what exact version of prestashop you are using or what modules or customizations you may have made that could contribute to you having a different experience.

Well, it's a completely fresh installation of 1.7.2.4 in a sub-directory off root on a server that meets all the requirements with 30 products added. There are no non-prestashop modules installed. SSL certificate is from Comodo.

bellini13 Posted November 20, 2017 (edited)

And do you use nginx or apache? Did you review the rewrite rules (depending on your webserver) in both your root folder and the subfolder to ensure there are no unexpected redirect rules in them that are doing this?

Every demo store I have for PS v1.7 is within a subfolder, and they are completely un-custom installs. I am not redirected to http on any part of the site.

Edited November 20, 2017 by bellini13

sct Posted November 22, 2017

On 20/11/2017 at 0:27 PM, bellini13 said:

> And do you use nginx or apache? Did you review the rewrite rules (depending on your webserver) in both your root folder and the subfolder to ensure there are no unexpected redirect rules in them that are doing this?
>
> Every demo store I have for PS v1.7 is within a subfolder, and they are completely un-custom installs. I am not redirected to http on any part of the site.

Apache. There are no unexpected rewrite rules that I can see.

sct Posted November 22, 2017

Installation has been moved to root and the same thing is happening. In fact here's the content of my .htaccess

=======

# ~~start~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again
# .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
# http://www.prestashop.com - http://www.prestashop.com/forums

<IfModule mod_rewrite.c>
<IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On
</IfModule>

RewriteEngine on

#Domain: XXX.XXXXXXXXX.XXX
RewriteRule . - [E=REWRITEBASE:/]
RewriteRule ^api$ api/ [L]

RewriteRule ^api/(.*)$ %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]

# Images
RewriteRule ^([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$1$2$3.jpg [L]
RewriteRule ^([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$1$2$3$4.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$1$2$3$4$5.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg [L]
RewriteRule ^c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2$3.jpg [L]
RewriteRule ^c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2.jpg [L]
# AlphaImageLoader for IE and fancybox
RewriteRule ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 [L]

# Dispatcher
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ %{ENV:REWRITEBASE}index.php [NC,L]
</IfModule>

AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType application/font-woff .woff
AddType font/woff2 .woff2
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|svg)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType text/css "access plus 1 week"
ExpiresByType text/javascript "access plus 1 week"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType application/x-javascript "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
ExpiresByType application/font-woff "access plus 1 year"
ExpiresByType application/x-font-woff "access plus 1 year"
ExpiresByType font/woff2 "access plus 1 year"
ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
ExpiresByType font/opentype "access plus 1 year"
ExpiresByType font/ttf "access plus 1 year"
ExpiresByType font/otf "access plus 1 year"
ExpiresByType application/x-font-ttf "access plus 1 year"
ExpiresByType application/x-font-otf "access plus 1 year"
</IfModule>

<IfModule mod_headers.c>
Header unset Etag
</IfModule>
FileETag none
<IfModule mod_deflate.c>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/x-javascript font/ttf application/x-font-ttf font/otf application/x-font-otf font/opentype image/svg+xml
</IfModule>
</IfModule>

#If rewrite mod isn't enabled
ErrorDocument 404 /index.php?controller=404

# ~~end~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again

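One way to pin down which response causes the HTTPS-to-HTTP jump reported in this thread, and why POST requests broke behind a 301 rewrite: the added example below (not code from PrestaShop or from any poster) walks a saved header dump hop by hop. The host, paths, cookie name and finding labels are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample (placeholder host and paths): response headers per hop, in the
# shape printed by `curl -s -o /dev/null -D - -L`, for a POST to an HTTPS login page.
SAMPLE_DUMP = """\
HTTP/1.1 302 Found
Location: http://shop.example/admin-constructed/index.php?page=dashboard
Set-Cookie: session-constructed=abc123; path=/; HttpOnly

HTTP/1.1 301 Moved Permanently
Location: https://shop.example/admin-constructed/index.php?page=dashboard

HTTP/1.1 200 OK
Content-Type: text/html
"""

def trace_hops(start_url, method, header_dump):
    """Walk the header blocks and return one dict per hop with any findings."""
    hops, url = [], start_url
    blocks = header_dump.replace("\r\n", "\n").strip().split("\n\n")
    for block in blocks:
        lines = block.strip().splitlines()
        status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
        headers = [(k.strip().lower(), v.strip())
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)]
        location = next((v for k, v in headers if k == "location"), None)
        nxt = urljoin(url, location) if location else None  # resolves relative Location
        on_https = urlsplit(url).scheme == "https"
        findings = []
        if nxt and on_https and urlsplit(nxt).scheme == "http":
            findings.append("downgrade")            # the hop that leaves HTTPS
        if nxt and method == "POST" and status in (301, 302, 303):
            findings.append("post-becomes-get")     # clients re-send this as GET
        for k, v in headers:
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if k == "set-cookie" and on_https and "secure" not in attrs:
                findings.append("cookie-without-secure")
        hops.append({"url": url, "status": status, "next": nxt, "findings": findings})
        if nxt:
            method = "GET" if status in (301, 302, 303) else method
            url = nxt
    return hops

if __name__ == "__main__":
    for hop in trace_hops("https://shop.example/admin-constructed/login", "POST", SAMPLE_DUMP):
        print(hop["status"], hop["url"], "->", hop["next"], hop["findings"])
```

In the constructed dump the first hop carries all three findings: the application's own 302 leaves HTTPS before any rewrite rule brings the browser back, so a session cookie set without the Secure attribute travels once in cleartext even when a force-SSL rule follows.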