We recently had to support a customer who wanted to make sure their OpenCart site was secure. However, despite following the standard process to make the site run on HTTPS, the admin login form still used an insecure URL. Here’s a quick fix to make the OpenCart login secure.
This issue was found on a site running a version of OpenCart 2. We won’t mention the specific site but the issue was reported on the OpenCart forums.
Enable HTTPS in OpenCart 2
The standard steps to run OpenCart on SSL are to change the admin settings:
System > Settings > Stores (edit) > Server > Security > Use SSL - check box
Then edit both config.php files in the root of the site to change HTTP to HTTPS:
// HTTP
define('HTTP_SERVER', 'https://www.mysite.co.uk/');

// HTTPS
define('HTTPS_SERVER', 'https://www.mysite.co.uk/');
and in the admin directory as well…
// HTTP
define('HTTP_SERVER', 'https://www.mysite.co.uk/admin/');
define('HTTP_CATALOG', 'https://www.mysite.co.uk/');

// HTTPS
define('HTTPS_SERVER', 'https://www.mysite.co.uk/admin/');
define('HTTPS_CATALOG', 'https://www.mysite.co.uk/');
In theory, this should be sufficient. However, the admin login page continued to load a form containing an insecure URL for the form action.
Extra step edit: System Config Files
It seems the change to system settings is not enough and we need to edit system files which, in theory, should not be touched. This is not at all ideal as this can potentially be overwritten by an update. It’s not something we would normally recommend, but needs must…
So in System > config > admin.php, set SSL to true:
$_['site_ssl'] = true;
There’s further reading on this topic on the OpenCart forum, including a solution that uses OCMOD to override the system file rather than modify core files.