Magento makes it easy to configure secure (SSL) pages for the frontend and backend of your website. However, it doesn’t currently cater for redirecting the https versions of your pages back to the http versions where appropriate, i.e. for any pages that do not contain personal or sensitive information.
The issue is that Google will potentially see two versions of your site (http and https) and will penalise you for duplicated content.
How to rectify the issue
Magento has an in-built redirect so that it can take you to secure pages when required.
This lives in the file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php. Luckily, as this is a Controller file, we can copy it to our local folder and override the method. So, let’s start by copying app/code/core/Mage/Core/Controller/Varien/Router/Standard.php to app/code/local/Mage/Core/Controller/Varien/Router/Standard.php.
This means you’re now safe to edit this file, and continue updating Magento if you so wish.
Making the code change
In Magento 1.7 and 1.8, you need to look at the function _checkShouldBeSecure, around line 427 of your newly copied file.
Existing Code
```php
protected function _checkShouldBeSecure($request, $path = '')
{
    if (!Mage::isInstalled() || $request->getPost()) {
        return;
    }

    if ($this->_shouldBeSecure($path) && !$request->isSecure()) {
        $url = $this->_getCurrentSecureUrl($request);
        if ($request->getRouteName() != 'adminhtml' && Mage::app()->getUseSessionInUrl()) {
            $url = Mage::getSingleton('core/url')->getRedirectUrl($url);
        }

        Mage::app()->getFrontController()->getResponse()
            ->setRedirect($url)
            ->sendResponse();
        exit;
    }
}
```
Your new code
```php
protected function _checkShouldBeSecure($request, $path='')
{
    // Leave the request alone during installation and for form submissions
    if (!Mage::isInstalled() || $request->getPost()) {
        return;
    }

    if ($this->_shouldBeSecure($path) && !Mage::app()->getStore()->isCurrentlySecure()) {
        // Secure page requested over http: redirect to the https URL
        $url = $this->_getCurrentSecureUrl($request);

        Mage::app()->getFrontController()->getResponse()
            ->setRedirect($url)
            ->sendResponse();
        exit;
    } elseif (!$this->_shouldBeSecure($path) && Mage::app()->getStore()->isCurrentlySecure()) {
        // Non-secure page requested over https: redirect to the http URL
        $url = $this->_getCurrentUnsecureUrl($request);

        Mage::app()->getFrontController()->getResponse()
            ->setRedirect($url)
            ->sendResponse();
        exit;
    }
}
```
So, what are we doing here?
As you can see, we’ve added a new elseif statement. The original if statement checks whether we’re trying to access a page over non-SSL when it should be SSL. Our new statement checks whether we’re trying to view a page over SSL when it doesn’t need to be, and then redirects us to the non-secure version of the page.
You’ll also notice that we call a new function, $this->_getCurrentUnsecureUrl (following the standards set by $this->_getCurrentSecureUrl). This lets us grab the unsecure URL for the current URL so that we can correctly redirect the user.
```php
/**
 * Build the unsecure (http) URL for the current request.
 */
protected function _getCurrentUnsecureUrl($request)
{
    // Prefer the rewritten request path when a URL rewrite alias is set
    if ($alias = $request->getAlias(Mage_Core_Model_Url_Rewrite::REWRITE_REQUEST_PATH_ALIAS)) {
        return Mage::getBaseUrl('link', false).ltrim($alias, '/');
    }

    return Mage::getBaseUrl('link', false).ltrim($request->getPathInfo(), '/');
}
```
This function matches _getCurrentSecureUrl in all but one important respect: we pass false to the Mage::getBaseUrl static function. In theory, we could just use the _getCurrentSecureUrl method and pass through another parameter to switch this, but it makes more semantic sense to split it out into another function.
It’s important to note that you should always try to link to the “correct” version of the page in order to avoid unnecessary redirects, but this update will certainly cover you in the unlikely event that links on your page are pointing to the wrong version.
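To see how the two branches interact, here is a framework-free model of the patched check, added as an illustration (it is not Magento's code or the author's). It follows the redirects for a few requests, showing that each settles after one hop and that the same logic never settles when the application cannot see the real scheme. The host name, the secure path pattern, the helper names and the "blind" detector (standing in for something like a TLS-terminating proxy the application is not told about) are all assumptions.

```php
<?php
// Added illustration, not Magento code: a framework-free model of the patched
// _checkShouldBeSecure(). Host and secure path pattern are constructed samples.
const UNSECURE_BASE  = 'http://shop.example/';
const SECURE_BASE    = 'https://shop.example/';
const SECURE_PATTERN = '#^/(checkout|customer)(/|$)#'; // hypothetical stand-in for _shouldBeSecure()

function shouldBeSecure(string $path): bool
{
    return (bool) preg_match(SECURE_PATTERN, $path);
}

/** Redirect target for a request, or null when it is served as-is. */
function redirectTarget(string $path, bool $seenAsSecure, bool $isPost = false): ?string
{
    if ($isPost) {
        return null; // mirrors the early return: a POST is never bounced
    }
    if (shouldBeSecure($path) && !$seenAsSecure) {
        return SECURE_BASE . ltrim($path, '/');
    }
    if (!shouldBeSecure($path) && $seenAsSecure) {
        return UNSECURE_BASE . ltrim($path, '/');
    }
    return null;
}

/** Follows redirects; $detect maps the real scheme to what the app believes. */
function hopsUntilStable(string $path, bool $https, callable $detect, int $max = 5): ?int
{
    for ($hops = 0; $hops <= $max; $hops++) {
        $url = redirectTarget($path, $detect($https));
        if ($url === null) {
            return $hops; // request is served, no further redirect
        }
        $https = strpos($url, 'https://') === 0;
    }
    return null; // never settled: redirect loop
}

$accurate = function (bool $https): bool { return $https; };
$blind    = function (bool $https): bool { return false; }; // app always sees plain http

var_dump(hopsUntilStable('/catalog/product/view/id/1', true, $accurate)); // catalog page over https
var_dump(hopsUntilStable('/checkout/onepage/', false, $accurate));        // checkout over http
var_dump(hopsUntilStable('/checkout/onepage/', true, $blind));            // scheme not visible to the app
var_dump(redirectTarget('/checkout/onepage/', false, true));              // POST to a secure path
```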
Image Credit: Photosightfaces
Comment or tweet @douglasradburn