How to require admin pages to run over ssl?
Rank: Member
Joined: 12/19/2006(UTC) Posts: 153
The /bvadmin pages are able to run over http: (by default on my site) and over https:
My hosting company says this is a software setting. Could I get some tips on how to require/redirect so that any admin page is run securely? Also, is this an error from when the developer set up my site, or is this a bug with BV software that the admin is able to run on unsecure pages?
Thanks!
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
When security is required the BV admin runs under https:// (Payment information, login, etc.)
Not sure what you need to do to operate the entire time under https://, but just a heads up that if you load the *entire* admin under https:// and you spend a serious amount of time cruising around in the admin, your bandwidth bill will reflect it.
Rank: Member
Joined: 8/1/2007(UTC) Posts: 310
Matt is right. BV out of the box secures critical pages that carry sensitive info (like user credentials, payment information, etc). Requiring SSL on all your pages will make the pages slightly slower. However, if you insist you really want it, then you can create an HTTP handler that redirects all non-secure pages to secure pages and register that HTTP handler in your web.config file.
Thanks, Satya support @ bayquel.net Work: +1 803 883 3226
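The redirect described in the post above, sketched as an added example (not BV Commerce code and not from the poster). It uses an `IHttpModule`, which sees every request, and assumes the class sits in `App_Code`; the class name `AdminSslModule` and the `AdminSslHost` appSettings key are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Web;

// Added example, not BV Commerce code. Register in web.config (IIS 7+ integrated mode):
//   <system.webServer><modules>
//     <add name="AdminSslModule" type="AdminSslModule" />
//   </modules></system.webServer>
// Classic mode / IIS 6 uses <system.web><httpModules> instead.
public class AdminSslModule : IHttpModule
{
    // Admin folder name as given in the thread.
    private const string AdminRoot = "~/bvadmin";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static bool IsAdminPath(string appRelativePath)
    {
        return appRelativePath.Equals(AdminRoot, StringComparison.OrdinalIgnoreCase)
            || appRelativePath.StartsWith(AdminRoot + "/", StringComparison.OrdinalIgnoreCase);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        // IsSecureConnection is false behind a TLS-terminating proxy; that setup needs a different check.
        if (req.IsSecureConnection || !IsAdminPath(req.AppRelativeCurrentExecutionFilePath))
            return;

        // Host comes from configuration (hypothetical key), never from the client's Host header.
        string host = ConfigurationManager.AppSettings["AdminSslHost"];
        bool safeMethod = req.HttpMethod == "GET" || req.HttpMethod == "HEAD";

        // A plain-HTTP POST has already sent its body in the clear and a redirect
        // would drop it, so refuse it; also fail closed if the host is not configured.
        if (!safeMethod || string.IsNullOrEmpty(host))
            ctx.Response.StatusCode = 403;
        else
            ctx.Response.Redirect("https://" + host + req.RawUrl, false);

        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

The redirect only protects requests that arrive after it; an admin session cookie issued without the Secure attribute can still be sent over plain HTTP, so the cookie settings need checking separately.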
Rank: Member
Joined: 12/19/2006(UTC) Posts: 153
Thank you. I agree with the feedback that both of you have provided. The admin "new order" for example does redirect to https://.
I got worried because one of our developers commented that "your admin pages are not running over TLS/SSL port 443, https://" as if something was terribly wrong with our setup.
Thanks!
Rank: Member
Joined: 9/30/2003(UTC) Posts: 53
PCI compliance does require SSL on ALL admin pages (at least that is what we were told) from login to logout and ALL cookies.
The extra bandwidth for SSL encryption is barely enough to change your bill significantly (how often are you on admin pages, really) - but more your CPU overhead (for encryption/decryption). Using SSL connection to display products to customers would indeed be a huge waste of resources.
Developers and customers alike should certainly be concerned about this. The admin bandwidth argument is moot. Don't give hackers the benefit of the doubt, ANY unencrypted traffic can be gleaned for weaknesses.
Rank: Member
Joined: 12/23/2003(UTC) Posts: 909
Wasn't arguing against going all SSL.
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
You can change the BaseAdminPage to set the RequireSSL flag to true which would force SSL for all admin pages. May require a recompile though.
Rank: Member
Joined: 2/21/2007(UTC) Posts: 1,113
I'm running 5.7.1 and the entire admin backend is https