Magento – Making add to cart urls use https when site is secure

So you have got your site all nicely working with your ssl certificate ready for your site to run fully in https:// to appease Google but your padlock never stays green.  For my setup I traced this down to the various form submission URLs such as “add to cart”. Here is how I finally solved it.

Take a look at the html source for your https page and do a search for http: to try and identify where your page is failing.  An alternative is to use an online tool such as which will tell you what line number (in your source) any https errors are detected.

For me, aside from the odd external non https asset which was easily fixed I saw that the form URLs were all http, even though the main browser URL was https. These URLs are all automatically generated so some intervention is needed.

One way would be to override the block methods that generate the URLs to “detect” that https is in use.  However, the existing functions do allow you to submit an additional attribute to specify whether to use https or not


So, if your add-to-cart action in your product view phtml file looks something like this

<form action=”<?php echo $this->getSubmitUrl($_product) ?>” method=”post”…

then you could force the url to use https by doing this:

<form action=”<?php echo $this->getSubmitUrl($_product,array(“_secure”=>true)) ?>” method=”post”…

However, this would mean that the form was ALWAYS using https. This might be fine, however I decided to add a check in at the top of the phtml. Magento has a function/method to test whether the site is in https mode.  This is what I came up with (I like to be verbose):


$isSecure = Mage::app()->getStore()->isCurrentlySecure();
$addToCartExtraParams = array();
$addToCartExtraParams = array(“_secure”=>true);

My form action then looked like this:


  <form action=”<?php echo $this->getSubmitUrl($_product,$addToCartExtraParams) ?>” method=”post” …

Other alternatives are to ALWAYS show your whole site in https, which might well please Google these days and set your non-secure site url to be https://….

If you do this then you might want to check URLS at the .htaccess stage and, if they are not https (port 443) then redirect to use https

RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

or you could check for urls on port 80 and force into https

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R=301,L]

I hope this is helpful. If it has and has saved you some time, feel free to buy me a beer.

Facebook Comments

2 thoughts on “Magento – Making add to cart urls use https when site is secure”

  1. Hi, thanks for pointing me in right direction 🙂

    .htaccess solution didn’t worked for me this time, only forcing secure URLs in theme files did.

    Also, I had to change cart page, i had this in /app/design/frontend/your_package/your_theme/template/checkout/cart.phtml:

    my url was $this->getUrl(‘checkout/cart/updatePost’).

    Replaced it with $this->getUrl(‘checkout/cart/updatePost’, array(‘_forced_secure’ => $this->getRequest()->isSecure())); and it started working fine

    1. Hi, thanks for commenting. These things are often made trickier by the fact that we straight away want to customise our layouts and phtml files so nothing remains “original”. Well done for finding the solution for you case and thanks for adding it to my little page 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Apply your human brain cells and complete this highly complicated maths problem *