Category Archives: codemehappy

why do I need a SSL certificate (https connection) on my ecommerce site?

Your ecommerce website needs to have a valid SSL certificate installed and running.
Here’s some background and reasons why:

What does a SSL certificate do?

A Secure Socket Layer (SSL) certificate does a couple of things:

1. encrypts information entered into a form (a ‘form’ is exactly what it sounds like – any ‘fill in the box’ type page that requires you to enter in information and click a button on the screen; could be creating an account or sending an email to the store owner or signing up to a newsletter etc)
2. checks the integrity of the connection between the browser and the server (are you connected to the correct server?)

How can I tell it’s working?
The address bar will show a padlock and the word https:// in front of your website name on pages that require SSL encryption.


Note – there is no advantage in making all pages on your site https:// – it works with pages that have forms. Technically, https:// will slow down page loading speeds of your site and may also interfere with indexing by search engines. Most oscommerce-based carts have certain pages where https:// connections will be made, in particular logins, creating accounts and checkout.

But SSL certificates and https:// connections are just for payment pages though right?
Not true – a SSL certificate scrambles data and secures connections when any form is submitted (a form is basically what it sounds like – anytime you type information on a website, you’re probably filling out a form of some sort.)

So this means your admin and customer logins, as well as your contact us and create account pages, all benefit from your server having a SSL certificate.

And if I don’t use one?
All of the data submitted will go as clear text, ie unencrypted. It is possible for unscrupulous people to set up ‘sniffer’ and ‘listening’ scripts and grab those clear text details being sent, which could gain them admin login details, customer address information as well as payment details.

Some payment gateways will not accept your payments without a valid SSL certificate installed and running on your site.

Also, the server may not in fact be the server you or your customers intended on reaching, as the integrity of the link will not have been verified to any extent.

Implications
Customers are now very aware of the https:// symbol in an address and if they don’t see it when they go to complete an order or set up an account, most will leave.

Identity fraud is a major industry around the world, so it is strongly recommended that if you want to get the business, you operate with a good SSL certificate in place and advertise the fact. Really, it’s a bare minimum to be in business online.

Furthermore, some payment gateways and processors require you as a merchant to have a valid SSL certificate installed before you can connect to them and use their services.

How do I get a SSL certificate?
There are a couple of ways – 1) contact your hosting company to set one up, or 2) Do It Yourself (DIY)

Installing a SSL certificate is not difficult as long as you have access to the interface needed. If you use cPanel, you can use the TLS/SSL Manager in the Security box on the right. Create a CRT and private key, go buy the certificate and supply these parts, generate certificate, copy emailed certificate in certificate box, install – done.

If you don’t have access to the necessary interface, contact your hosting company and ask them to install the certificate.

Most SSL resellers like RapidSSL, GeoTrust, VeriSign, DigiCert etc have instruction sheets to assist you as well as online support.

SSL certificate prices range from under USD100 a year through to bank-level EV SSLs with multiple verifications (ie way over the top) costing much more. Get one that fits with your business volume and turnover – but most importantly, get one!

 

If you need help installing a SSL certificate please contact me via my Contact page.

how to change admin session lifetime, avoid getting logged out

There’s nothing worse than editing a product description, clicking save and finding that you’ve been timed out by the server. This can be caused by having an admin session set too low. If you’re running a cart that saves sessions to a directory rather than to the mysql database, this may be a problem too. Here’s an easy way to fix this:

Go to /admin/includes/functions/sessions.php, simply add at the top after the copyright info:
ini_set('session.gc_maxlifetime', 3660); // 3660 seconds = 61 minutes, just over 1 hour

Note – the session lifetime is entered as seconds.

Hope this helps!

(PS If you’re using database storage of sessions you might have an admin configuration setting for this already. Check Admin >> Configuration >> Sessions to see and change the figure there.)
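session.gc_maxlifetime only sets the age at which idle session data becomes eligible for clean-up. When session files share a directory with another PHP application, the shortest setting among them decides, and a longer value also keeps an unattended admin login usable for longer. The added example below (not osCommerce or CRE Loaded code; the function name, the 'last_activity' key and the timestamps are assumptions made for illustration) enforces the same limit explicitly in the admin:

```php
<?php
// Added example, not cart code. admin_idle_expired() and the
// 'last_activity' key are hypothetical names.

const ADMIN_IDLE_LIMIT = 3660; // seconds, the figure used in the article

// Must run before the session starts and before any output is sent.
ini_set('session.gc_maxlifetime', (string) ADMIN_IDLE_LIMIT);

/**
 * True when the session sat idle for more than $limit seconds; the
 * session is emptied in that case. Otherwise $now is recorded as the
 * latest activity and false is returned.
 */
function admin_idle_expired(array &$session, int $now, int $limit = ADMIN_IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? $now;
    if ($now - $last > $limit) {
        $session = []; // forget the login, forcing a fresh sign-in
        return true;
    }
    $session['last_activity'] = $now;
    return false;
}

// Constructed walk-through: a plain array stands in for $_SESSION and the
// offsets are seconds since login. In a live admin the call would be along
// the lines of admin_idle_expired($_SESSION, time()) once the session is open.
$session = ['admin_id' => 1];
$login = 1700000000;
foreach ([0, 1800, 5400, 9100] as $offset) {
    $expired = admin_idle_expired($session, $login + $offset);
    printf("t+%-5d %s\n", $offset, $expired ? 'idle too long, login required' : 'still logged in');
}
```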

how to modify the visual verify code (VVC) system

The visual verify code (or VVC) is a feature of cre loaded and other oscommerce-based carts and is designed to reduce the amount of spam and automated bot abuse of a store’s email system. It can appear (and be enabled/disabled through the admin) in several parts of the cart, each involving some sort of form submission to the owner of the store. So it’s an attempt to prove that it is a person sending the email and not a crawler or automated script.

In cre loaded, it is used for:
– password recovery
– creating a new account
– contacting the store owner via contact us
– product or article review submission
– sending tell-a-friend emails about a product or article
– submitting a link

However, its effectiveness is limited and in some cases it can be more hassle than it’s worth – eg sometimes the vvc code is difficult for us humans to read due to similar characters or the size of the display etc. These modifications may help if you’re experiencing problems.
[Image: visual verify code modifications to cre loaded vvc]

#1 – Change the size of the pool of characters that the code can be drawn from
In some fonts upper- and lowercase I i L l as well as O o and the number 0 can appear very similar and can cause confusion. The pool of letters and numbers the visual verify code system uses is defined in the file /includes/languages/english/english.php :

/* REDUCE THE VVC POOL OF ALPHANUMERICS TO NUMBERS ONLY */

original:
define('VISUAL_VERIFY_CODE_CHARACTER_POOL', 'ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz123456789');  //no zeros or O

replace with:
define('VISUAL_VERIFY_CODE_CHARACTER_POOL', '123456789');  // numbers only

The replacement pool of only numbers may seem drastic, but it is a lot easier for customers to verify the code correctly.

#2 – Change the size of the input box where the code is to be entered

/* CHANGE INPUT BOX SIZE TO 15 */

<td class="main"><?php echo tep_draw_input_field('visual_verify_code', '', 'size="15"') . '&nbsp;' . '<span class="inputRequirement">' . VISUAL_VERIFY_CODE_ENTRY_TEXT . '</span>'; ?></td>

/* ADMIN CONTROL OF INPUT BOX SIZE */

<td class="main"><?php echo tep_draw_input_field('visual_verify_code', '', 'size="' . VVC_INPUT_SIZE . '"') . '&nbsp;' . '<span class="inputRequirement">' . VISUAL_VERIFY_CODE_ENTRY_TEXT . '</span>'; ?></td>
                

This will tidy up the VVC area and also supports a reduced number of characters being used. Various template or catalog files would need to be edited here, as per the list given above, so by default you’d need to change this in each occurrence of the VVC code. A way to improve this is to create a switch in the VVC configuration area of the admin and set the input box width there (using the second block of code above, together with the SQL query below). You would still have to edit several template-related files, but from then on changing this setting in the admin page would change them all.

INSERT INTO `<<the name of your database goes here>>`.`configuration`
  (`configuration_id`, `configuration_title`, `configuration_key`, `configuration_value`,
   `configuration_description`, `configuration_group_id`, `sort_order`,
   `last_modified`, `date_added`, `use_function`, `set_function`)
VALUES
  (NULL, 'VVC Input Box Size', 'VVC_INPUT_SIZE', '15',
   'Size of the VVC input box', '420', '9999',
   '0000-00-00 00:00:00', '0000-00-00 00:00:00', NULL, NULL);

#3 – Reduce the length of the VVC code and width of the VVC Image box
By default, from 3 to 6 alphanumeric characters are displayed as the visual verify code. By changing the numbers, a different range can be used:

/* RANGE OF NUMBER OF VVC CHARACTERS TO DISPLAY */

By default - 3 to 6 characters:
for ($i = 1; $i <= rand(3,6); $i++){

Here - 3 to 4 characters:
for ($i = 1; $i <= rand(3,4); $i++){

After reducing the number of characters displayed, you may need to resize the width of the code box. This is done easily through admin >> configuration >> vvc configuration >> VVC Image Width – in the example, this was set to 125.
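What modifications #1 and #3 cost in guess resistance, as an added example (not CRE Loaded code; the function names are hypothetical and a case-sensitive comparison of the submitted code is assumed). It also works out the real length spread of the loop shown above, which calls rand() afresh on every pass and so favours shorter codes rather than an even 3 to 6:

```php
<?php
// Added example, not CRE Loaded code. Function names are hypothetical and
// the submitted code is assumed to be compared case-sensitively.

/**
 * Exact length spread of: for ($i = 1; $i <= rand($min, $max); $i++)
 * The condition calls rand() again on every pass, so each pass is a
 * fresh draw and short codes come up more often than long ones.
 */
function vvc_length_distribution(int $min, int $max): array
{
    $span = $max - $min + 1;
    // Chance that the loop condition holds when the counter equals $i.
    $continues = function (int $i) use ($min, $max, $span): float {
        if ($i <= $min) {
            return 1.0;
        }
        return $i > $max ? 0.0 : ($max - $i + 1) / $span;
    };
    $dist = [];
    $reached = 1.0; // chance that every pass up to $len has run
    for ($len = 1; $len <= $max; $len++) {
        $reached *= $continues($len);
        $dist[$len] = $reached * (1.0 - $continues($len + 1));
    }
    return array_filter($dist); // keep only lengths that can occur
}

/** Chance that a single blind submission matches, at the length where that chance is highest. */
function vvc_single_guess_odds(string $pool, int $min, int $max): float
{
    $symbols = count(array_unique(str_split($pool)));
    $best = 0.0;
    foreach (vvc_length_distribution($min, $max) as $len => $p) {
        $best = max($best, $p / ($symbols ** $len));
    }
    return $best;
}

// Pools and ranges copied from the article.
$original = 'ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz123456789';
$cases = [['original pool, 3-6', $original, 3, 6], ['numbers only, 3-4', '123456789', 3, 4]];
foreach ($cases as [$label, $pool, $min, $max]) {
    printf("%-20s 1 in %s\n", $label, number_format(1 / vvc_single_guess_odds($pool, $min, $max)));
}
```

With the article's values the chance that one blind submission is accepted goes from about 1 in 740,000 to 1 in 1,458, which is the trade-off to weigh against the easier reading.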