Controlling Magento Secure Sections with Htaccess

Forum Moderators: phranque

Message Too Old, No Replies

Controlling Magento Secure Sections with Htaccess

Looking for aid in controlling how https behaves on a Magento installation

GF_Diablos

12:59 pm on Oct 11, 2010 (gmt 0)

Hey Guys

I am using a Magento installation with the one step checkout plugin meanning I have very few pages that need https, I want to control https search indexing and user access by redirecting the whole https version of the site except of course for the secure checkout.

This is what I have so far but the https is not kicking in on the checkout page with this code, the redirect works in all other case (i.e. I send index https to index http) just the exception that is broken

#Redirect HTTPS to HTTP except checkout 
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^onestepcheckout
RewriteRule ^(.*)$ http://www.mysite.co.uk/$1 [R=301,L]

#Require SSL on checkout
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^onestepcheckout\/?$
RewriteRule ^(.*)$ https://www.mysite.co.uk/$1 [R=301,L]

Although I use htaccess a lot this is quite a complex one for my none programmer head to handle so any suggestions on how to fix it would be great.

sublime1

2:02 am on Oct 12, 2010 (gmt 0)

Hi --

Keep in mind that just because a page uses HTTPS it doesn't necessarily mean it requires a userid and password. Google will crawl unsecured HTTPS pages.

I had the unfortunate experience of using Magento for a while. My first instinct would be to quickly warn you away from the product if it is not too late -- my team and I are not the only ones to conclude that the product simply makes a pretense of being free and open source, and that installation of plugin modules, even if free, prevent the product from successfully upgrading itself, and on, and on (Google "magento sucks" for a taste of what others have encountered).

But if this is the card of hands you have been dealt, here's my advice.

Rather than using .htaccess, I strongly encourage you to use the features that are available in the product for what you're trying to accomplish. We also used the one page checkout, and I believe were able to accomplish the goal you describe without messing with .htaccess.

I think you will find options in the Magento admin user interface to control which pages are and are not delivered over https.

Within the Magento installation, there is an awkward combination of .htaccess files (several, at least in our installation) as well as a settings.php file, and entries in the database -- all of these together determine whether a given page is HTTPS vs HTTP, and also which parts of the site require authentication. My recollection is that there are some options to turn off HTTPS for category and product pages.

Good luck.

Tom

GF_Diablos

6:29 am on Oct 12, 2010 (gmt 0)

Hey sublime1, thanks for the reply.

I will take a closer look at some of the admin options but have a sneaking suspicion that the devs have turned them on for a reason so I may have to go have a chat with them.