Posted on Wed, 11/11/2015 - 15:09
Make e-commerce more secure with SSL & Drupal Commerce

Previously we looked at setting up https across the whole site, if you want to set it up only on specific pages you have to jump through a couple of hoops. The first problem is patching core - and living with this across future updates! The answer to this patching with drush make. To do this you will need a make file something like this:

; Specify the version of Drupal being used.
core = 7.x
; Specify the api version of Drush Make.
api = 2

; Drupal core patches can be add like contrib patches:

projects[drupal][patch][] = ../patches/drupal-https-only-961508-23-32.patch
projects[drupal][patch][] = ../patches/471970_0.patch

If you keep your patches in a directory above your www root then you can use the same patches for all projects.

You can now run all the patches in your installation from drush using drush make

$ drush make patches.make

And voila, your core files now have the necessary patches to successfully handle mixed mode ssl - and you can easily re-instate these next time you update core. We can now commit to git locally and deploy to the staging and live servers.

Security

Install the securepages module - https://www.drupal.org/project/securepages - and add the following to your settings.php

 if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
  $base_url = 'https://mydomain.com';
}
else {
  $base_url = 'http://mydomain.com';
}

and also

$conf['https'] = TRUE;

You should now be all set to pick the right pages to enable for https.

It looks doubtful that the code in these patches will ever make it into core, let's hope we don't end up in this kind of situation for Drupal 8

$ drush make patches.make
$ drush make patches.make
$ drush make patches.make

Submitted by Anonymous (not verified) on Fri, 11/27/2015 - 15:39

If you have a form on a secure page then you have to have the secure pages module patched with this on line 118

// Check to see if this form needs to be secured.
$secure_form = securepages_match_form($form_id, $form_state['build_info']['args']);
- if (!$is_https && $secure_form) {
+ if ($secure_form) {
$form['#https'] = TRUE;
}
}

AND - set the search results page to the "Ignore Pages" list in the secure pages config at admin/config/system/securepages. Otherwise this will upset chrome and not give you a clean ssl.

Submitted by Fernando (not verified) on Mon, 10/01/2018 - 22:15

Thats awesome!

Add new comment

Request a Free Quotation

Your Name