Hi all,
This is driving me nuts. I was informed by a customer that wanted to place an order, but she noticed that there was no SSL padlock in her browser, so I looked into it.
At first I tried changing the only setting that I could find in the web.config file requireSSL="false" as there is no setting for SSL anymore on the admin page.
<authentication mode="Forms">
<forms name="NOPCOMMERCE.AUTH" loginUrl="~/login" protection="All" timeout="43200" path="/" requireSSL="false" slidingExpiration="true" />
</authentication>
The web.config file, if requireSSL="true" then no cookie is saved. (the site just logs you right back off), so I changed requireSSL back to false (so someone can place an order).
I also noticed that all the admin pages are unsecured (including the login page) unless you explicitly type in HTTPS:// into the URI bar (I had this saved in my browser, so I never even noticed that HTTP is never redirected to HTTPS).
I then tried checking the Force SSL for all site pages: box. This works ONLY if you already type in HTTPS first. Again, HTTP requests are not redirected to HTTPS like the setting implies.
I really don't want all the site's pages in SSL (slows things down), just the login, checkout, customer and all admin pages.
Is there a trick to get this to work? (I apparently had this same issue in version 3.0 and now version 3.1)