HTTPS - additional setting/modifications
The following write-up should fix a couple of HTTPS issues that you might experience. These settings work along with Secure Pages.
- Anonymous users lose cart contents when Secure Pages switches the site from http://www.example.com to https://www.example.com
- When a user clicks on the Check Out button or Checkout Link on the Cart Block the page refreshes and the user is not redirected to cart/checkout
Modifying the .htaccess file
Uncomment these lines (remove the # in front of them) if you want your users to always be redirected to http://www.example.com and https://www.example.com and your SSL certificate is set up for www.example.com:
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Uncomment these lines (remove the # in front of them) if you want your users to always be redirected to http://example.com and https://example.com and your SSL certificate is set up for example.com:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]
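Both rules redirect to http://, so a request that arrives over HTTPS on the other host name is sent to plain HTTP first.
If you are still having issues after making the above changes, try the following modifications in addition to them.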
Modifying the settings.php file located in sites/default/settings.php
When editing the settings.php file you might have to change the permissions of the file to be able to overwrite it, and then change them back to what they were. Mine are set to 444 by default, so I had to change them to, say, 755 for editing and revert back to 444 after editing.
At the end of the file, add the following line:
$conf['https'] = TRUE;
This modification was taken from https://www.drupal.org/https-information
Drupal configuration
If you want to support mixed-mode HTTPS and HTTP sessions, open up sites/default/settings.php and add $conf['https'] = TRUE;. This enables you to use the same session over both HTTP and HTTPS -- but with two cookies, where the HTTPS cookie is sent over HTTPS only. You will need to use contributed modules like securepages to do anything useful with this mode, like submitting forms over HTTPS and so on. While your HTTP cookie is still vulnerable to all usual attacks, a hijacked insecure session cookie can only be used to gain authenticated access to the HTTP site. It will not be valid on the HTTPS site. Whether this is a problem or not depends on the needs of your site and the various module configurations. For example, if all forms are set to go through HTTPS and your visitors can see the same information as logged in users then this is not a problem.
If you are still having issues with the cart emptying and not redirecting to cart/checkout for anonymous users, use these additional modifications.
If you don't use subdomains and you redirect your users to www.example.com, change the following line:
$cookie_domain = '.example.com';
To
$cookie_domain = 'www.example.com';
If you don't use subdomains and you redirect your users to example.com, change the following line:
$cookie_domain = '.example.com';
To
$cookie_domain = 'example.com';
I have the above modification set up on http://www.ubercartdemo.com if you want to see it in action.
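A check for the setup described above, as an added example that is not part of the original page: it parses Set-Cookie headers and reports an HTTPS session cookie that lacks the Secure flag or is issued over HTTP, and any Domain attribute that does not match the host you redirect to. It assumes Drupal 7's naming of the HTTPS session cookie with an SSESS prefix (SESS for the HTTP one); the function name audit_cookies and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed samples: (scheme, Set-Cookie header) pairs; names and values are made up.
BROAD = [   # $cookie_domain = '.example.com'
    ("http",  "SESSd41d8cd9=aaa111; path=/; domain=.example.com; HttpOnly"),
    ("https", "SSESSd41d8cd9=bbb222; path=/; domain=.example.com; secure; HttpOnly"),
]
PINNED = [  # $cookie_domain = 'www.example.com'
    ("http",  "SESSd41d8cd9=aaa111; path=/; domain=www.example.com; HttpOnly"),
    ("https", "SSESSd41d8cd9=bbb222; path=/; domain=www.example.com; secure; HttpOnly"),
]
LEAKY = [("http", "SSESSd41d8cd9=bbb222; path=/; HttpOnly")]  # misconfigured case


def audit_cookies(responses, canonical_host):
    """Return findings for a mixed-mode HTTP/HTTPS session cookie setup."""
    findings = []
    for scheme, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Assumption: Drupal 7 prefixes the HTTPS session cookie with SSESS.
            if name.startswith("SSESS"):
                # Without Secure the browser also sends this cookie over HTTP.
                if not morsel["secure"]:
                    findings.append(f"{name}: HTTPS session cookie lacks Secure")
                if scheme != "https":
                    findings.append(f"{name}: HTTPS session cookie set over {scheme}")
            # A leading dot is ignored by browsers (RFC 6265). An absent
            # Domain attribute means a host-only cookie, which is accepted.
            domain = morsel["domain"].lstrip(".").lower()
            if domain and domain != canonical_host.lower():
                findings.append(f"{name}: Domain={domain} is not {canonical_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("broad", BROAD), ("pinned", PINNED), ("leaky", LEAKY)):
        print(label, audit_cookies(sample, "www.example.com"))
```
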