Login redirecting from https to http after login

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
6 years ago
Hello,

The login pages for each of my production nopCommerce sites are secured with SSL, which is what I want. The problem that I noticed is that after a login is successful, they redirect back to the homepage, which is not secured. Is this the way it is for every nopCommerce installation? And if so, is there an easy fix for this?

My websites are all on nopCommerce 3.9.

Thank you for your help.
6 years ago
Just to clarify, the login page itself is secured, as it should be, while the page that it submits to is not secured with HTTPS.
6 years ago
In Admin 'All Settings', search for and change 'securitysettings.forcesslforallpages' to True
6 years ago
Thanks for the suggestion, New York.

I've tried that already, but it causes the front page to take forever to load, and considering how much traffic I receive daily, I'm not sure if the server will handle it well. I will try testing it again anyway, though.

Is the traffic that is submitted from the login still encrypted, despite this being the case? I noticed in the source code that the login page's action method has an SSL requirement attribute tied to it, but the method that it submits to does not and it redirects to the unsecured home page on success.

If I am completely wrong here, please correct me. I'm trying to cover any potential security holes with my websites and want to ensure that I have nothing to worry about with this issue.

Here is the source code, for reference:

[NopHttpsRequirement(SslRequirement.Yes)]
//available even when a store is closed
[StoreClosed(true)]
//available even when navigation is not allowed
[PublicStoreAllowNavigation(true)]
public virtual ActionResult Login(bool? checkoutAsGuest)
{
    var model = _customerModelFactory.PrepareLoginModel(checkoutAsGuest);
    return View(model);
}

[HttpPost]
[CaptchaValidator]
//available even when a store is closed
[StoreClosed(true)]
//available even when navigation is not allowed
[PublicStoreAllowNavigation(true)]
public virtual ActionResult Login(LoginModel model, string returnUrl, bool captchaValid)
{
    ... code
}
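A way to check the concern raised in this thread from outside the application, as an added example that is not part of the original posts or of nopCommerce: it walks a recorded redirect chain and reports an HTTPS-to-HTTP redirect, cookies set without the `Secure` attribute, and the later plain-HTTP request on which such a cookie would travel. The hostname, cookie names and response chain are constructed sample data, and cookies are matched by exact host only (an assumption that ignores `Domain` and `Path` scoping).

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the responses to a login POST as a proxy or `curl -v`
# would record them. Host, paths and cookie names are made up.
SAMPLE_CHAIN = [
    {"url": "https://shop.example/login", "status": 302,
     "headers": [("Location", "http://shop.example/"),
                 ("Set-Cookie", "SAMPLE.AUTH=abc123; path=/; HttpOnly"),
                 ("Set-Cookie", "SAMPLE.PREF=1; path=/; Secure; HttpOnly")]},
    {"url": "http://shop.example/", "status": 200, "headers": []},
]


def audit_chain(chain):
    """Return (kind, url, detail) findings for one recorded redirect chain."""
    findings = []
    no_secure = {}  # host -> names of cookies that were set without Secure
    for hop in chain:
        url = urlsplit(hop["url"])
        # A cookie without Secure is attached to plain-HTTP requests as well.
        if url.scheme == "http":
            for name in sorted(no_secure.get(url.hostname, ())):
                findings.append(("cookie-sent-in-clear", hop["url"], name))
        for key, value in hop["headers"]:
            key = key.lower()
            if key == "location" and url.scheme == "https":
                # Resolve relative targets against the current URL first.
                target = urljoin(hop["url"], value)
                if urlsplit(target).scheme == "http":
                    findings.append(
                        ("https-to-http-redirect", hop["url"], target))
            elif key == "set-cookie":
                name = value.split("=", 1)[0].strip()
                attrs = {a.strip().split("=", 1)[0].lower()
                         for a in value.split(";")[1:]}
                if "secure" not in attrs:
                    no_secure.setdefault(url.hostname, set()).add(name)
                    if url.scheme == "https":
                        findings.append(
                            ("cookie-missing-secure", hop["url"], name))
    return findings


if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(*finding, sep="  ")
```

An empty result means the recorded chain stayed on HTTPS and every cookie it set carried `Secure`.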
6 years ago
I guess I must be mistaken and this isn't an important issue..