Can we remove secure login option alone from Magento - magento

Is there a way to disable the secure login/registration/forgot password pages alone? All other pages, like checkout and the customer dashboard area, can use https, but I want to disable the secure URL for only the customer login/registration/forgot pages. I checked the customer module's /etc/config.xml but could not find anything like that.
Please help me
Thanks in advance.

First you'll want to do all this from app/code/local/ of course!
With that being said you'll need to extend/edit app/code/core/Mage/Customer/etc/config.xml:
<secure_url>
<customer>/customer/account/</customer>
</secure_url>
...and remove it.
Next you'll need to edit/extend app/code/core/Mage/Customer/Helper/Data.php:
and modify the _getUrl()'s to force using secure url on the pages you want it to be secure:
return $this->_getUrl('customer/account', array('_secure' => true));
NOTE: Like everyone else mentioned, this isn't exactly a good idea from a security standpoint.
Hope this helps!

Did you think that Login pages are accessed via HTTPS for a reason? The reason is to protect them from modification. Removing HTTPS will open a huge security hole and will cause leakage of passwords of your web site visitors.

So, you should overload the blocks that contain URL links and rework them to get URLs without http. But the good way is to use iframes in your box.

Related

Magento admin panel not accessible - secured site issue

For Magento, when I go to www.mydomain.com/admin, it redirects to https://www.mydomain.com/home/index.php/admin/ with error 404. I think this is an unsecured URL issue. How do I solve this?
Just try the solution below: change the value in core_config_data.
Find web/secure/base_url and change it to plain http or https,
or if you have multiple stores or views you can change it accordingly.
Also, please don't forget to clear your cache.
Hope this will help you.

Magento User Sessions Being Mixed Up

I was wondering if anyone could help me with the following issue. On our Magento site, enterprise version 1.10.1.1, a user may log in, and it will say another person's name. Then, if you click on another link, it might go back to your name. The user sessions are clearly being confused. Apparently, this is a full-page caching problem, because our full page cache is often invalidated and, if we turn it off, the user sessions no longer mix up. However, turning it off considerably slows down the site. Switching the sessions from db storage to file storage (and vice versa) did not fix the issue. Does anyone know what the problem could be or how to solve it?
Thanks very much,
Brenda
You should check with Magento for a patch. I had a similar problem with Gift Certificate field info getting mixed up between sessions. They provided a patch that resolved the problem.
In the header.phtml file you should use this to print the user name
<?php echo $this->getChildHtml('welcome') ?>
Then, you can override the block 'Mage_Page_Block_Html_Welcome' if you wanna customize your message.
This happens when you use "Full Page Cache" because, by default, Magento excludes some blocks from the full page cache, and the 'welcome' block is one of them. If you are using custom code and a custom message, the user name will be cached too, and other users will see different user names in this section.
It can depend on the cache issue. Try turning the cache off (go to Admin, System, Cache Management and disable all caches).
If the issue is gone, you need to check the cache configuration. If not, you really have a session issue.
BTW, where do you store sessions (files, DB or memcached)?
I found the cause was related to the Enterprise_PageCache_Model_Processor_Default class. My way is to disable it in config.xml; edit src\app\code\core\Enterprise\PageCache\etc\config.xml:
<requests>
<!-- <cms>enterprise_pagecache/processor_default</cms>-->
</requests>
This problem was probably caused by Magento not being able to set proper session parameters if it was behind a reverse proxy cache like Varnish (I bet it was the case). Whenever using an intermediate cache system you have to make sure you are using the appropriate module in Apache, like mod_rpaf, to forward the X_FORWARDED_FOR HTTP header to Magento. Otherwise Magento will see all requests coming from the same IP and it will not be able to determine correct session isolation, as it will think all requests come from the same client.

Joomla 1.6 backend admin area blank

For some reason, when I log into my joomla 1.6 backend, it is now empty, displaying only a logout button. Any Ideas?
I just went through the same problem but on J!1.7.3. There may be many, many reasons but please check using just URL if you can see for example:
[YourDomainHere]/administrator/index.php?option=com_content or
[YourDomainHere]/administrator/index.php?option=com_modules
If content is listing and you're missing just Admin-menu and sub-navigation in back-end --> this means you messed-up with access levels and viewing access.
If you can't see content listing - ignore the rest of this post :-)
...with access levels and viewing access. To check that, try entering [YourDomainHere]/administrator/index.php?option=com_users&view=levels and enter each position in the list. The Joomla backend navigation module usually has Access set to Special, so focus on this one. When you enter Special - manager, author and super administrator should be ticked. If everything is empty in any item from the list, this is your issue :)
You need to add manager, author and super administrator to your Special access level. Obviously you can't see the Save button, so you need to use the database. [wrrr :) sounds scary?] Not a big deal, just go there using for example phpMyAdmin and find the _viewlevels table. In there just edit Special and add [6,2,8] values to set up manager, author, super.....
Update the database. Try to log in one more time (close the browser and clean the cache before).
I hope that if this wasn't helpful for you, it will be for somebody else.
p.s. There may be a way of 'saving' changes in your Joomla access levels with a URL. Then you don't need to go to the DB .. but I don't know if this is feasible at all :)
Check the rewrite of htaccess and the $mosConfig_absolute_path variable in config.php
Apparently, the Bluestork Template (admin template) has some security issues. In my case there were some missing files in the template folder /administrator/templates/bluestork/ that caused the administrator screen to appear blank. I've copied a clean version of the template in the bluestork folder and after that I was able to see the backend admin area.
I've removed the Bluestork templates entirely for now, which seems to be the best option. Joomla installs 2.5.8, 2.5.6, 2.5.2, 1.7.0, 1.6.3 are affected. The Bluestork Template is a target for hacks with old Joomla.
This is happening because the admin user lost his permissions. See the article below to fix this issue:
http://www.codentalk.com/joomla-admin-showing-blank-page/

Magento session lost when switching to https from http

I've searched high and low for a solution to this, with no luck. My host told me they are too busy to help.
Magento 1.4.2 // SSL cert
1- When I add an item to cart, the page reloads and my item is added to cart. [good]
2- Next, I click home, and my items are no longer visible in cart sidebar. [bad]
3- Next, I click "Tops", and my items are still not visible in cart sidebar. [bad]
4- Next , I click "Bottoms" and the items show just fine.
In all cases where the cart isn't visible, I can add https to the URL and the cart loads up just fine. Can anyone help me figure out why my session is being lost between http and https?
I have all my backend web cookie settings set to "no" except for sID.
Also- When a user is logged in, the cart items ALWAYS show on the right. It's only screwy if they're a guest.
Thanks guys, if you need me to post any code let me know.
wwwdotlylifdotcom
EDIT: Here is a screenshot of my cookies session in firebug (not exactly sure what I am looking at). Hope this helps.
And here is my Session settings in magento: I have tried just about every variation of turning these on and off.
EDIT!
This issue has actually been narrowed down to a cache issue. We found out that when the cache is dumped/deleted, the website works properly. But after a few minutes of surfing the problem happens again. Does anyone have any idea? (And should I change the question title?)
I'm using a module called Lightspeed from TinyBrick, and it seems the new cache options are messing with our site. =( I'm contacting them shortly.
EDIT: Tinybricks' excellent support helped us out. Thanks for all of your suggestions.
Is the session cookie being set to be HTTPS-only? That'll prevent it from being carried over to regular HTTP requests, effectively giving the user two different sessions.
You have in your screenshot two frontend cookies with two domains, one with www and another one without. Check if you have a correct domain name in the configuration > Web tab > Cookie Management > Cookie Domain (or something close to that). If it's empty, set it to ".mydomain.com" and try again.
Check that you don't have a different cookie domain in your configuration in the other store views; set them to "use website".
If it still doesn't work, what are the values of the cookie management fields and the cookie validation settings?
We were experiencing similar issues where our custom nav (depending on whether a user was logged in or not) was not very consistent across different pages.
We followed the suggestion at http://ka.lpe.sh/2011/06/19/magento-checking-customer-admin-is-logged-in-or-not/ to check if a user was logged in, based on the frontend session variable, before rendering a particular block, and it seems to have done the trick.
Perhaps you can try something similar.
Tinybricks excellent support helped us out. Thanks for all of your suggestions. This was a localized problem based off cache and a module called Lightspeed.
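The two cookie-scoping effects raised in the answers above (a session cookie marked HTTPS-only, and a frontend cookie bound to the www host rather than ".mydomain.com"), replayed with Python's standard cookie jar as an added example that is not part of the original thread. The cookie value, the URL paths and the cookie_sent helper are constructed for illustration.

```python
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class FakeResponse:
    """Carries one constructed Set-Cookie header to the cookie jar."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, set_from_url, request_url):
    """True if a cookie set by set_from_url is attached to request_url."""
    # DomainStrictNonDomain makes a cookie without a Domain attribute
    # host-only, as browsers do.
    policy = DefaultCookiePolicy(
        strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    jar = CookieJar(policy)
    jar.extract_cookies(FakeResponse(set_cookie), Request(set_from_url))
    request = Request(request_url)
    jar.add_cookie_header(request)
    return request.has_header("Cookie")


# Constructed URLs and values; "frontend" is the cookie named in the thread.
HTTPS_WWW = "https://www.mydomain.com/checkout/cart/"
HTTP_WWW = "http://www.mydomain.com/tops.html"
HTTP_BARE = "http://mydomain.com/tops.html"
SECURE = "frontend=constructed123; Path=/; Secure; HttpOnly"
PLAIN = "frontend=constructed123; Path=/; HttpOnly"
WIDE = "frontend=constructed123; Path=/; Domain=.mydomain.com; HttpOnly"

if __name__ == "__main__":
    cases = [("Secure, HTTPS -> HTTP", SECURE, HTTP_WWW),
             ("no Secure, HTTPS -> HTTP", PLAIN, HTTP_WWW),
             ("host-only, www -> bare domain", PLAIN, HTTP_BARE),
             ("Domain=.mydomain.com, www -> bare domain", WIDE, HTTP_BARE)]
    for label, cookie, url in cases:
        print(f"{label}: sent={cookie_sent(cookie, HTTPS_WWW, url)}")
```

Serving every page over HTTPS keeps a single session without dropping the Secure attribute from the session cookie.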

Magento mini search form from secure pages

I've run into a catch-22 with the search form that hopefully someone can help me with. From any of the secure pages in our Magento store (My Account, Checkout, etc.) if you use the mini search form in the header, it takes you to a secure search results page https://oursite.com/catalogsearch/result. This results in a browser warning because there is unsecure content on that page. I thought I could fix this by modifying the CatalogSearch Helper class so that the getResultUrl function always returns an http: link. However, this results in the browser warning you that you are about to send form data over a non-secure connection. So I can't seem to find a solution that doesn't look dangerous to the user.
Any ideas?
I know this is not the proper EAV/MVC/1000 lines of XML Magento module way of doing it, however, since this is a straightforward http/https problem you can put a couple of lines in .htaccess to get your search box behaving correctly:
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^catalogsearch http://www.example.com/catalogsearch/ [R=301,L]
The right way to fix this is not to use mixed content on that page. Magento can usually handle any page over HTTPS if it is requested to do so, so find the assets that are hardcoded over http:// and fix them to respect the current protocol properly.
For me the incorrect url got stuck in cache (we had heavy cache on the live server) and that caused the security warning for me. Hope this helps someone.
The question should be - why is this happening?
Doing a search on a non-secure page will yield results on a non-secure page.
After having visited a secure page, searching on a non-secure page will yield results on a secure page - how does this make any sense? What is the purpose of this?
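One way to find the hardcoded http:// references that the answer about mixed content refers to, as an added example that is not part of the original thread: a scanner over rendered HTML that separates script/stylesheet/frame loads, image/media loads, and forms that submit to http://. The sample markup and asset paths are constructed; only the oursite.com host and the catalogsearch/result path come from the question.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        line = self.getpos()[0]
        for name, value in attrs.items():
            url = value.strip()
            if not url.lower().startswith("http://"):
                continue  # https://, //host/... and relative URLs are fine
            if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
                continue  # e.g. rel="canonical" is not fetched
            if (tag, name) in ACTIVE:
                kind = "active"  # can rewrite the page
            elif (tag, name) in PASSIVE:
                kind = "passive"
            elif (tag, name) == ("form", "action"):
                kind = "insecure-form"  # submits data in clear text
            else:
                continue  # <a href> navigation is not mixed content
            self.findings.append((line, kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a page served over HTTPS.
SAMPLE = """<head>
<link rel="stylesheet" href="http://oursite.com/skin/css/styles.css">
<link rel="canonical" href="http://oursite.com/catalogsearch/result">
<script src="//oursite.com/js/prototype.js"></script>
<script src="http://oursite.com/js/banner.js"></script>
</head><body>
<img src="http://oursite.com/media/logo.png" />
<img src="/media/cart.png">
<form action="http://oursite.com/catalogsearch/result" method="get"></form>
<a href="http://oursite.com/">Home</a>
</body>"""
```

Calling find_mixed_content(SAMPLE) returns one tuple per offending tag, with the line number to fix in the template.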
