schaub123 (joined 10/08/2007)

We're gearing up to go live with our first ubercart site. Anyway, I was hoping to get some feedback on which protected paths folks are specifying in their ssl configuration using the secure pages module. Let's assume a dedicated certificate to keep it simple. I just don't want to miss something that somebody has already discovered by running their store for a while. A definitive list or suggested list of paths would be great, a recommended secure configuration in terms of ssl would be great. I'm not looking for a complete pci compliant run through, just the paths to protect with ssl. Also, it might differ a bit if one was using something like paypalpro vs ipn. We are probably going to try for a full integration, not redirected like paypal ipn. I couldn't find this type of doc anyplace on the site. Thanks for the help, and I apologize if I missed it.

Christopher Schaub

torgosPizza (joined 08/14/2007)
Re: ssl - which paths do you protect?

Here's my setup ..

user
user/*
user/*/edit
admin
admin/*
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete
uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*
cgi-bin/webscr

Wanted to keep all transaction and user information on the secure side, including stuff going out and coming back from PayPal IPN. Hope this helps some. (Probably not a definitive list but it's working for our site at this point.)

--
Help directly fund development: Donate via PayPal!

mimetic2 (joined 08/07/2007)
Torgos- Question for you: do

Torgos-

Question for you: do you think its necessary to do admin?

And do you do it for all sites? Does making admin SSL secure really help against hacking, you think? I can understand it for when you process information, but I never really thought of putting the admin (or the users, for that matter) behind it.

What are your thoughts? THanks...

BTW, I'm at a Mac store testing these new MacBooks and I don't know about the rest of it, but I love typing on this keyboard. I am really flying.

torgosPizza (joined 08/14/2007)
Re: Torgos- Question for you: do

SSL should be employed wherever there's going to be sensitive information transmitted. This includes site configuration stuff like passwords, database connection info, sensitive paths ... basically, IMO, any time I'm going to be typing things I don't want intercepted, I'll put it behind SSL. And user information definitely should be, especially on the screens where they need to type a password (login screen at /user and account info screen at /user/*/edit).

So yeah. I would say yes to putting admin behind a secure certificate. I would potentially even put it behind a level of HTTP authentication also (a "protected directory" in Plesk) - maybe not since I'm using Drupal now, but you can really never be too secure with your customer's and website's sensitive data.

--
Help directly fund development: Donate via PayPal!

schaub123 (joined 10/08/2007)
just wondering

Hi. I was wondering about why you protect the path ...

cgi-bin/webscr

which is a PayPal path? I'm assuming Ubercart does an https call from within the payment module to PayPal?

Also, if you set "auto-return" to "on", then what path should you use for the return path? If you do this, then I believe Ubercart sends an auto-return path as well -- does one override the other? Does Ubercart send an SSL return path, or is it irrelevant since it will be redirected to the SSL path when Drupal gets it from PayPal? Geez, sorry to dump all of that out there! Any help is greatly appreciated. Ahhh, love doing IPN stuff, so much fun. :)

Christopher Schaub

schaub123 (joined 10/08/2007)
cgi-bin/webscr fixes secure pages module issue

OK, figured out why cgi-bin/webscr is there. It fixes a bug with the Secure Pages module that mangles your outgoing SSL URLs, like the https URL to PayPal for Website Payments Standard. You need to have this value in the secure URL paths to make Ubercart and Secure Pages play nice and create the secure URL to PayPal. Hope this helps somebody else.

Christopher Schaub

torgosPizza (joined 08/14/2007)
Re: cgi-bin/webscr fixes secure pages module issue

Exactly. I forget if I found that solution on this forum or elsewhere (Drupal maybe?)

But as far as I know auto-return path gets sent via Post automatically so you don't need to specify it in your profile / web payment settings.

--
Help directly fund development: Donate via PayPal!

TutusForToddlers (joined 11/17/2007)
Re: Re: cgi-bin/webscr fixes secure pages module issue

What if you don't have a cgi-bin/webscr folder? Will SecurePages still work?
My cgi-bin folder is empty. Can I just create a webscr folder to get it to work?

Thanks,
Claire
Tutus for Toddlers sells Tutus using UberCart for e-commerce with Drupal.

PaulW (joined 05/23/2008)
Torgos, Thanks for your

Torgos,

Thanks for your contribution. I'm just getting started with SSL on my site.

Why do you specify a directory and only some subdirectories?

user
user/*
user/*/edit
admin
admin/*
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete
uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*

why not just

user*
admin*
cart*
uc_paypal*

Are there specific subdirectories that should NOT be included as SSL pages?

Thanks again!

-Paul

mhm@drupal.org (joined 11/19/2008)
Re: Re: ssl - which paths do you protect?

Thanks so much for this list!

Is it possible that the page on setting up Ubercart and Paypal (http://www.ubercart.org/docs/user/3356/configuring_paypal_website_paymen...) could link to this?

Axel_Pressbutton (joined 11/30/2008)
current list for PayPal WPP

Hi, can anyone tell me the correct set of URLs that would cover PayPal WPP please?

In particular the following 3 items I guess need to be updated;

uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*

I assume the others are generic and still valid for 6.x-2.0-beta5;

user
user/*
user/*/edit
admin
admin/*
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete

Could you please also confirm that the other settings for Secure Pages would need to be;

X Switch back to http pages when there are no matches

Non-secure Base URL = http://www.sitename.com
Secure Base URL = https://www.sitename.com

Then add full list of required secure pages

Ignore pages left as default values;

*/autocomplete/*
*/ajax/*

Many thanks for any help, it's always greatly appreciated

UPDATE: I've just removed cart/checkout/complete from my list as it was causing the initial invoice emails to be sent out with everything relative to https

schaub123 (joined 10/08/2007)
definitive list

Is there a way we can publish the definitive "base" list for protecting an ubercart store via ssl. I'm wondering if ...

cart*

or

cart/*

would be better etc. I see the lists above, but let's get a base list together. I'm seeing a dupe order for each order on a new Drupal 6 site. Basically, dupe order before real order. Not sure why, trying to rule out secure pages.

Christopher Schaub

sterg17 (joined 05/20/2009)
Re: definitive list

i would like a "best ways to secure Ubercart" before going live guide also. . .

Danny_Joris (joined 05/09/2009)
_

Hey guys,

Great thread. I have a few final questions before I finish my first Ubercart website.

I have as my checkout 2 options: offline Bank Deposit (no secure information being passed) and PayPal Standard (don't know if secure info is being passed). I feel that it is best to use SSL, and if I am going to use it, I will use torgosPizza's setup for sure. It looks great. I know that I can use what I want on my website, but I'm wondering how highly you would recommend SSL to me with PayPal Standard (from 'would be nice, but not necessary' to 'top priority'). A 'Yes' or 'No' would be so easy in this case... :)

I can't find any reference to SSL in this article: http://www.ubercart.org/docs/user/3356/configuring_paypal_website_paymen... That's why I started doubting.
Is "WPS - Web Payments Standard" the same as Paypal Standard, by the way? Or does Paypal Standard use a WPS setup?

And If I want to use SSL, my hosting provider can secure everything for me or just a few specific areas. I think I'll let him secure everything and use the Secure Pages Module then to do it myself.

Yeah, and a "best ways to secure Ubercart" page would be great. Or when or not to use SSL.

Plus: I can't seem to get my 'signature code' from Paypal. According to paypal's guide I should see it underneath the API username and password, but it's not there. Does anyone know where I can find it?

Thanks for your help.
Cheers,
Danny

phlows (joined 07/27/2009)
Re: _

I second the need for "publish the definitive "base" list for protecting an ubercart store via ssl".
The only way I found this information was by digging up this thread.

torgosPizza (joined 08/14/2007)
Re: ssl - which paths do you protect?

If that will work, then I don't see why you couldn't do it that way. My list was just done out of completeness (and probably items were added to it as I discovered new paths to add), but if doing the wildcards without the slash works, then I say go for it.

As far as directories not to include, I don't think it really makes a difference - at least, I haven't found any reason why you would need to exclude anything specifically being served through SSL.

--
Help directly fund development: Donate via PayPal!
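PaulW's question (why "user", "user/*" and "user/*/edit" rather than "user*"), schaub123's "cart*" vs "cart/*" question and torgosPizza's answer all come down to how the Secure Pages path patterns are matched. The following is an added example, not code from the Secure Pages module, Ubercart or anyone in this thread. It models the pattern rules of Drupal's drupal_match_path(), which Secure Pages hands its "secure pages" and "ignore pages" lists to: one pattern per line, `*` matches any run of characters including `/`, the whole path has to match, and `<front>` stands for the front page. That the ignore list takes precedence over the secure list, and the exact front page name, are assumptions made for the example; the path lists are the ones quoted in the thread and the sample request paths are constructed.

```python
import re

# Added example, not part of Secure Pages, Ubercart or Drupal. It models the
# pattern semantics of Drupal's drupal_match_path(): one pattern per line,
# '*' matches any characters (including '/'), the whole path must match and
# '<front>' is the front page (assumed to be 'node' here).


def compile_patterns(patterns: str, front_page: str = "node") -> re.Pattern:
    """Turn a newline-separated pattern list into one anchored regex."""
    alternatives = []
    for line in patterns.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "<front>":
            alternatives.append(re.escape(front_page))
        else:
            # Escape everything, then turn the escaped '*' back into '.*'.
            alternatives.append(re.escape(line).replace(r"\*", ".*"))
    if not alternatives:
        return re.compile(r"(?!)")  # an empty list matches nothing
    return re.compile("^(" + "|".join(alternatives) + ")$")


def matched_by(pattern_list: str, paths):
    """Return the subset of `paths` that `pattern_list` matches (to compare two lists)."""
    rx = compile_patterns(pattern_list)
    return [p for p in paths if rx.match(p)]


def scheme_for(path: str, secure_pages: str, ignore_pages: str, switch_back: bool = True):
    """What Secure Pages would do with a request for `path`.

    Returns "https" (force https), "http" (force http because "switch back to
    http pages when there are no matches" is on and nothing matched) or None
    (ignored path: leave whichever scheme the request used).
    Assumption: the ignore list wins over the secure list.
    """
    if compile_patterns(ignore_pages).match(path):
        return None
    if compile_patterns(secure_pages).match(path):
        return "https"
    return "http" if switch_back else None


# The lists discussed in this thread: torgosPizza's original list, PaulW's
# shortened wildcard version and the module's default ignore patterns.
TORGOS_LIST = """
user
user/*
user/*/edit
admin
admin/*
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete
uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*
cgi-bin/webscr
"""
PAUL_LIST = "user*\nadmin*\ncart*\nuc_paypal*"
DEFAULT_IGNORE = "*/autocomplete/*\n*/ajax/*"

# Constructed sample request paths (Drupal system paths, no leading slash).
SAMPLE_PATHS = [
    "cart", "cart/checkout", "cart/checkout/review", "cartoon",
    "user", "user/login", "user/1/edit", "users/top",
    "admin/views/ajax/1", "admin/store/orders",
]

if __name__ == "__main__":
    for label, plist in (("torgosPizza", TORGOS_LIST), ("PaulW", PAUL_LIST)):
        print(f"{label:12} matches {matched_by(plist, SAMPLE_PATHS)}")
    for path in SAMPLE_PATHS:
        print(f"{path:24} {scheme_for(path, TORGOS_LIST, DEFAULT_IGNORE)}")
```

Running it shows the difference PaulW asked about: "cart*" catches "cart" and anything else that merely begins with those letters ("cartoon"), "cart/*" catches only paths under cart/ and not "cart" itself, and because `*` spans slashes "user/*" already covers "user/*/edit". It also shows why Axel_Pressbutton's ignore patterns are written with a leading `*/`: "*/ajax/*" matches "admin/views/ajax/1" but would not match a path that starts with "ajax/".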

Lyle (Administrator, joined 08/07/2007)
Re: Re: ssl - which paths do you protect?

The exclude list is there because SSL hurts performance. In most cases it's probably not noticeable, but I think it's good to turn it off when you don't need it.

bkosborne (joined 04/28/2010)
Re: ssl - which paths do you protect?

Do the listings for protection in this page still apply? I'm working on getting my first Ubercart site up and running - but really anal about security. There hasn't been any activity here for years.

ktf (joined 06/22/2009)
Re: ssl - which paths do you protect?

Yes, I'd also be curious about the up-to-date-ness of this list.

Summit_drupal (joined 12/11/2010)
Re: ssl - which paths do you protect?

Subscribing, would love to see an Ubercart 2.4 list of this.
Thanks a lot in advance for your reply!
Greetings, Martijn

torgosPizza (joined 08/14/2007)
Re: Re: ssl - which paths do you protect?

The paths I originally specified should work for the most part... Here's an updated list from our site, which I've updated as I've added more modules that require some paths to be forced to https.

NOTE: This is not an exhaustive or by any means definitive list - it's what we use on our site. Your mileage may vary.
user
user/*/edit
user/register
user/login
user/reset*
user/*/order/*
user/*/password
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/get_certificate/*
cart/checkout/get_certificate_discount/*
cart/checkout/get_coupon/*
cart/checkout/coupon*
cart/checkout/certificate*
cart/checkout/complete
uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*
cgi-bin/webscr
taxes/calculate
user/autocomplete
filefield/ahah*
filefield/ahah/product/*/*
admin/store/order*
admin/store/user*

Some of these could be consolidated, for instance the first 6 lines (with "user...") could be:
user
user/*
... however sometimes you don't want https on certain pages, for instance we've found having https in the Views admin page can break the ajax stuff. (Not sure if this has been fixed yet, but for our instances, we had to remove some of the admin https protection so that ahah and ajax callbacks would work, therefore we have to be selective about which paths we protect.)

If you experience https errors, there's no real "surefire" way to make sure the correct paths are protected. I feel like there should be an easier way to switch on https when it's required, but I haven't come across any such thing.

--
Help directly fund development: Donate via PayPal!

Dubber Dan (joined 10/23/2010)
Re: Re: Re: ssl - which paths do you protect?

Thanks for the update, very useful

shopaholic (joined 09/24/2010)
Re: Re: Re: ssl - which paths do you protect?

If you use and can modify your Apache config then I find the use of rewrites to be more robust. It may even (re)solve issues with ajax.

More info here: http://www.ubercart.org/forum/ideas_and_suggestions/18278/setting_sslsec...

seagle (joined 09/16/2011)
Adding SSL to cart/* creates a redirect

Big troubles with Secure pages, when I apply Secure Pages to cart* the https is generated just fine but Ubercart no longer remembers the cart items. In an attempt to solve this I only applied Secure Pages to cart/checkout but the result is, /cart/checkout now redirects back to cart preventing the customer from ever getting to the checkout page.

Using D7.7 and Ubercart 7.x-3.0-beta3

Also running Domain Access module to run two sites on the one core.

Any help would be GREATLY appreciated.

schaub123 (joined 10/08/2007)
Re: Adding SSL to cart/* creates a redirect

This is most likely due to different domains for secure / insecure. You need to make sure that the insecure URL and the secure URL are the same ...

www.foo.com
and
foo.com

are not the same! You need to pick one form of the url and never change it, for seo and cookie/cart reasons. Also, you need to make sure users can never get to the url form you didn't choose. In the .htaccess file, you can specify the url form and force a redirect when the other form is chosen. You can force all foo.com users, for example, to be redirected to www.foo.com. I usually recommend all sites just choose the www.foo.com form of their site url and set it in .htaccess along with the secure pages settings.

That usually does the trick. Also, this problem will manifest on some browsers, not others.

Christopher Schaub

seagle (joined 09/16/2011)
Good advice

I was able to fix it by adding the following in settings.php:

# Mixed session handling from https:// with http://
$conf['https'] = TRUE;

Right now I have every foo.com request redirecting to www.foo.com and I haven't filled out the secure/insecure URL fields. I'm currently running this 'redirect' using Domain Access; do you think using .htaccess would make any performance/SEO difference?

Thanks for you quick reply!

seagle (joined 09/16/2011)
I take it back

The issue is not fixed. My site still redirects back to /cart when I try to access /cart/checkout with secure pages module applied. This worked yesterday, something must have been cached because it doesn't work today. We're losing sales as this issue drags on.

schaub123 (joined 10/08/2007)
Re: I take it back

Make sure you specify one URL in your .htaccess like I mentioned above. You have to make sure the secure and insecure URLs are the same in the Secure Pages settings as well. Also, turn off any caching in Drupal except for CSS.

Christopher Schaub

seagle (joined 09/16/2011)
Your assistance?

Hi Chris, thank you very much for your advice regarding the SSL creating a redirect issue. It turns out the problem wasn't a redirect; it's actually an issue with session data not being shared between the http and https protocols. I'm really stuck on this one and, being a somewhat experienced Drupal/PHP developer, don't know where to turn at this point. I know it's a lot to ask, but if you have the time, could you please read the summary of my issues below and give me your thoughts? I'm running a reasonably high profile site (http://microstrain.com) that sells high-end sensor technology and want this thing to work the way it's supposed to.

Here is the summary I sent to my Acquia tech support -

I've spent the last week trying to resolve https session issues with no luck. I had the domain access and secure pages modules running, successfully applying the certificate to the pages I wanted. The problem is that the session information is not shared between both http and https. They maintain their own separate session information so if I add something to the cart in http it doesn't exist when I get to the https://www.microstrain.com/cart page. The only way I've been able to resolve this is by putting the whole site into SSL protection using .htaccess (secure pages is now disabled). Something I'd prefer not to do because in Chrome it comes up with a red, 'violated' notification on pages that load content without using an SSL cert.

Things I've tried, with no result:

- added the "http://www.microstrain.com" $base_url in settings.php
- added $conf['https'] = TRUE; to settings.php
- changed $cookies_domain to both ".microstrain.com" and "www.microstrain.com"
- edited .htaccess to always add to the domain
- I currently have secure pages turned off and am rewriting the whole site to https (when I only forced /cart* to https the disconnect existed)

My conclusion is that without advanced php/session scripting I will not be able to hand information between http and https pages. I've read and attempted everything that has been written on this under the drupal and ubercart forums and my suspicion is that the problem lies somewhere in domain access and my secured site not being the primary domain.

Any advice or shared experiences you might have would be a great help,
-Scott
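Both of the cart-loss symptoms in this thread (schaub123's www.foo.com vs foo.com explanation, and seagle's session that exists over http but not over https) are decided by the browser, not by Drupal: a cookie is only sent back to hosts it is scoped to, and a cookie carrying the Secure attribute is never sent over plain http. The following is an added example, not code from Drupal, Ubercart, Domain Access or anyone in the thread. It applies the RFC 6265 cookie-scoping rules (host-only cookies, the Domain attribute, the Secure attribute) to a checkout that hops between hosts and schemes; host names, the `SESS` cookie name and the hop sequences are constructed for the illustration, and path matching is left out because Drupal sets Path=/.

```python
# Added example, not code from Drupal, Ubercart or Domain Access. It applies the
# browser's cookie scoping rules (RFC 6265) to the www/non-www and http/https
# situations discussed in this thread. Hosts and hops are made up.


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching for hostnames (IP addresses not handled)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_is_sent(cookie: dict, request_host: str, scheme: str) -> bool:
    """Would a browser attach `cookie` to a request for scheme://request_host/...?

    cookie keys: set_by (host that set it), domain (Domain attribute or None),
    secure (Secure attribute). Path is ignored because Drupal uses Path=/.
    """
    if cookie["secure"] and scheme != "https":
        return False  # Secure cookies never travel over plain http
    if cookie["domain"] is None:
        # Host-only cookie: sent back only to exactly the host that set it.
        return request_host.lower() == cookie["set_by"].lower()
    return domain_matches(request_host, cookie["domain"])


def session_cookie(set_by: str, domain=None, secure=False) -> dict:
    """A Drupal-style session cookie as a plain dict (value omitted; only scope matters).

    `domain` corresponds to $cookie_domain in settings.php; None means Drupal
    sent no Domain attribute and the cookie is host-only.
    """
    return {"name": "SESS", "set_by": set_by, "domain": domain, "secure": secure}


def cart_survives(cookie: dict, hops) -> bool:
    """True if the same session cookie reaches every (scheme, host) hop of a checkout."""
    return all(cookie_is_sent(cookie, host, scheme) for scheme, host in hops)


# Constructed scenarios. A shopper browses http://foo.com/ and is then sent to
# https://www.foo.com/cart/checkout (two host forms in play) ...
MIXED_HOST_HOPS = [("http", "foo.com"), ("https", "www.foo.com")]
# ... versus the same shop once .htaccess forces every request onto www.foo.com.
SAME_HOST_HOPS = [("http", "www.foo.com"), ("https", "www.foo.com")]

if __name__ == "__main__":
    cases = {
        "host-only cookie, mixed hosts": (session_cookie("foo.com"), MIXED_HOST_HOPS),
        "Domain=.foo.com, mixed hosts": (session_cookie("foo.com", domain=".foo.com"), MIXED_HOST_HOPS),
        "host-only cookie, one host": (session_cookie("www.foo.com"), SAME_HOST_HOPS),
        "Secure cookie, one host": (session_cookie("www.foo.com", secure=True), SAME_HOST_HOPS),
    }
    for label, (cookie, hops) in cases.items():
        print(f"{label:32} cart survives: {cart_survives(cookie, hops)}")
```

The first two cases are schaub123's point: a session cookie set without a Domain attribute on foo.com is invisible to www.foo.com, so the cart "forgets" its items at the https hop; either forcing one host form in .htaccess or setting `$cookie_domain` to `.foo.com` in settings.php fixes that. The last case is the http/https split: once the session cookie carries the Secure attribute, the http side of a mixed site cannot see it, and the only remedies are serving the whole checkout flow over https or a deliberate mixed-session arrangement on the Drupal side.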

seagle (joined 09/16/2011)
should have sent this as PM

meant to send that privately, sorry everyone for bogging this forum down... if you can remove the post please do...