Channel: TomatoCart - Blog » TomatoCart Faqs
How to configure TomatoCart to work with SSL

Introduction

SSL stands for Secure Sockets Layer; it uses a cryptographic system to create a secure connection between the client and the web server. The SSL protocol is used by millions of online stores to serve three primary functions:

  1. Secure private information between the web servers and the customers as they browse the site by using encryption.
  2. Secure the administration console so sensitive passwords, credit card numbers, and customer data cannot be intercepted.
  3. Provide a Secure Seal on the site that shows customers that the site protects their data and that this is a legitimate company.

Compared to the HTTP protocol, HTTPS requires an initial handshake, which can be very slow; therefore TomatoCart only uses SSL for the sections where it is necessary: the my account area, the checkout area and the administration panel.

For detailed information about SSL please refer to:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame2.doc_5.1/ss7aumst18.htm

Shared SSL vs. Private/Dedicated SSL

With private SSL, the user must purchase their own SSL certificate and have a dedicated IP address to run the SSL server on. With private SSL you get a secure URL like https://www.thewebsite.com/, and the web hosting company's name is not included in the URL.

Some web hosting providers offer shared SSL so that customers get the benefits of SSL without the costs that are usually associated with setting up an SSL server. With shared SSL, people use the provider’s SSL certificate instead and get a secure URL like https://providerhost.com/~username.

The installation of private SSL for TomatoCart is quite different from that of shared SSL. The details are covered in the following sections.

Install Private/Dedicated SSL

This section will explain how to install SSL for TomatoCart step by step:

Step 1: Purchase your own SSL certificate and install it on the server

The first step is to get an SSL certificate and install it on the web server. Normally there are three steps involved:

  1. The first step is to contact your host service provider to get a certificate signing request (CSR) form. The information in the CSR must match the whois information for the domain for which the certificate is applied.
  2. The second step is to purchase the SSL certificate from the SSL provider.
  3. The third step is to forward this SSL certificate to the host service provider; the administrator will install the SSL certificate on the server.

Step 2: Update the Configuration file

After the SSL certificate is installed, the “configure.php” file has to be updated to enable SSL. The code below shows the relevant configuration options in the “configure.php” file. The “ENABLE_SSL” constant must be set to true, and “HTTPS_SERVER” must use the “https” protocol.

define('HTTP_SERVER', 'http://www.thewebsite.com');
define('HTTPS_SERVER', 'https://www.thewebsite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.thewebsite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.thewebsite.com');

Step 3: Upload the configuration file to server
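Before uploading, the edited values can be checked for consistency. The following is an added example, not part of the original article or of TomatoCart: check_ssl_config() is a hypothetical helper, PHP 7 or later is assumed, and the two arrays repeat the private and shared SSL settings shown on this page. It goes slightly beyond the private SSL case by also comparing the cookie path with the shop path, which matters when the shop lives under a provider URL such as /~username.

```php
<?php
// Added example, not TomatoCart code. check_ssl_config() is a hypothetical helper
// that takes the configure.php constants as an array and returns a list of findings.
function check_ssl_config(array $c): array
{
    $findings = [];
    $url = parse_url($c['HTTPS_SERVER'] ?? '') ?: [];
    if (($c['ENABLE_SSL'] ?? false) !== true) {
        $findings[] = 'ENABLE_SSL is not set to true';
    }
    if (($url['scheme'] ?? '') !== 'https') {
        $findings[] = 'HTTPS_SERVER does not use the https protocol';
    }
    // A browser only accepts a cookie whose domain equals the host or is a parent of it.
    $host   = strtolower($url['host'] ?? '');
    $domain = strtolower(ltrim($c['HTTPS_COOKIE_DOMAIN'] ?? '', '.'));
    $suffix = '.' . $domain;
    if ($domain === '' || ($host !== $domain && substr($host, -strlen($suffix)) !== $suffix)) {
        $findings[] = "HTTPS_COOKIE_DOMAIN '$domain' does not cover host '$host'";
    }
    // A cookie path of '/' is sent to every path on the host, including the
    // directories of other accounts when the shop lives under /~username.
    $sitePath   = rtrim($url['path'] ?? '', '/') . '/';
    $cookiePath = $c['HTTPS_COOKIE_PATH'] ?? '/';
    if ($sitePath !== '/' && $cookiePath === '/') {
        $findings[] = "HTTPS_COOKIE_PATH '/' is wider than the shop path '$sitePath'";
    }
    return $findings;
}

// The two configurations from this page, written as arrays for the check.
$configs = [
    'private SSL' => ['HTTPS_SERVER' => 'https://www.thewebsite.com', 'ENABLE_SSL' => true,
                      'HTTPS_COOKIE_DOMAIN' => 'www.thewebsite.com'],
    'shared SSL'  => ['HTTPS_SERVER' => 'https://www.providerhost.com/~username', 'ENABLE_SSL' => true,
                      'HTTPS_COOKIE_DOMAIN' => 'providerhost.com', 'HTTPS_COOKIE_PATH' => '/'],
];
foreach ($configs as $label => $config) {
    $findings = check_ssl_config($config);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no findings', "\n";
}
```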

 

Install Shared SSL

Shared SSL is offered by the web hosting provider, so we do not have to purchase an SSL certificate and can start directly with updating the configuration file.

Step 1: Update the Configuration file

The code below shows the configuration options in the “configure.php” file. The “ENABLE_SSL” constant is again set to true. “HTTPS_SERVER” is changed to the URL provided by the hosting provider. Consequently, “HTTPS_COOKIE_DOMAIN” is changed to the hosting provider's domain.

define('HTTP_SERVER', 'http://www.thewebsite.com');
define('HTTPS_SERVER', 'https://www.providerhost.com/~username');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.thewebsite.com');
define('HTTPS_COOKIE_DOMAIN', 'providerhost.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

Step 2: Update the SSL status check code in application_top.php file

The code below, which tests whether SSL is active in “includes/application_top.php” and “admin/includes/application_top.php”, does not work for shared SSL; that is to say, the SSL status cannot be detected. This is due to the wrong value in the $_SERVER environment variables.

// set the type of request (secure or not)
$request_type = (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on')) ? 'SSL' : 'NONSSL';

If shared SSL is used, the SSL status check code has to be changed to:

// set the type of request (secure or not)
$request_type = ((isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == '1')) || ($_SERVER['SERVER_PORT'] == '443') || ($_SERVER['HTTP_HOST'] == 'providerhost.com')) ? 'SSL' : 'NONSSL';

Please note: the “HTTP_HOST” value should be the host name offered by the web hosting provider. In this example the domain providerhost.com is dummy data; you should change it to the real domain.
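To see which part of the modified check actually identifies a secure request on a given host, the three conditions can be evaluated separately. The following is an added example, not part of the original article or of TomatoCart: explain_request_type() is a hypothetical helper, PHP 7 or later is assumed, and the sample $_SERVER arrays are constructed. It also marks the case where only the HTTP_HOST comparison matched, because that value is taken from the request's Host header and does not by itself show that the connection is encrypted.

```php
<?php
// Added example, not TomatoCart code. explain_request_type() is a hypothetical
// helper that evaluates the three conditions of the shared SSL check one by one.
function explain_request_type(array $server, string $sharedSslHost): array
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    $host  = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $signals = [
        'https_flag' => ($https === 'on' || $https === '1'),
        'port_443'   => ((string) ($server['SERVER_PORT'] ?? '') === '443'),
        'host_match' => ($host === strtolower($sharedSslHost)),
    ];
    // Same outcome as the page's expression: any one condition yields 'SSL'.
    $type = in_array(true, $signals, true) ? 'SSL' : 'NONSSL';
    // HTTP_HOST is supplied by the client, so a match on it alone is weak evidence.
    $hostOnly = $signals['host_match'] && !$signals['https_flag'] && !$signals['port_443'];
    return ['type' => $type, 'signals' => $signals, 'host_only' => $hostOnly];
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'private SSL'           => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'www.thewebsite.com'],
    'shared SSL, HTTPS=1'   => ['HTTPS' => '1', 'SERVER_PORT' => '80', 'HTTP_HOST' => 'providerhost.com'],
    'shared SSL, no HTTPS'  => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'providerhost.com'],
    'plain HTTP, shop host' => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'www.thewebsite.com'],
];

foreach ($samples as $label => $server) {
    $result = explain_request_type($server, 'providerhost.com');
    $fired  = implode(',', array_keys(array_filter($result['signals']))) ?: 'none';
    printf(
        "%-22s %-6s signals=%s%s\n",
        $label,
        $result['type'],
        $fired,
        $result['host_only'] ? ' (Host header only)' : ''
    );
}
```

If the "Host header only" case is the one that applies on your hosting account, ask the provider which server variable their shared SSL setup sets for secure requests and test on that instead.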
