Magento – Making add to cart urls use https when site is secure

So you have got your site working nicely with your SSL certificate, ready to run fully in https:// to appease Google, but your padlock never stays green. I traced this down to the various form submission URLs such as "add to cart". Here is how I finally solved it.

Take a look at the HTML source for your https page and search for http: to try and identify where your page is failing. An alternative is to use an online tool which will tell you the line number (in your source) at which any https errors are detected.

For me, aside from the odd external non-https asset, which was easily fixed, I saw that the form URLs were all http, even though the main browser URL was https. These URLs are all automatically generated, so some intervention is needed.
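An added example (not from the original post): a small Python scanner that performs the "search for http:" step on saved page source, but reports only URLs the page itself loads or submits to, so ordinary `<a href>` links and canonical links are not flagged. The tag list and the sample HTML (shop.example, cdn.example) are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes the browser fetches or submits to from the page itself.
# <a href> is navigation, not page content, so it is deliberately absent.
WATCHED = {
    "form": ("action",), "button": ("formaction",), "input": ("src", "formaction"),
    "script": ("src",), "img": ("src",), "iframe": ("src",), "link": ("href",),
}

class InsecureUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are loaded as content; canonical/alternate are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in WATCHED.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            if value.lower().startswith("http://"):
                kind = "form" if name in ("action", "formaction") else "asset"
                self.findings.append((self.getpos()[0], kind, tag, value))

def find_insecure_urls(html):
    """Return http:// form targets and assets found in the given HTML source."""
    finder = InsecureUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of an https page with one insecure asset and one insecure form.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://shop.example/skin/styles.css">
<script src="http://cdn.example/tracker.js"></script>
</head><body>
<a href="http://blog.example/">Our blog</a>
<form action="http://shop.example/checkout/cart/add/product/42/" method="post">
<img src="https://shop.example/media/p42.jpg" />
</form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_insecure_urls(SAMPLE):
        print(f"line {line}: insecure {kind} <{tag}> {url}")
```

Save the page source from the browser and pass its contents to `find_insecure_urls` to get the line numbers to fix in your templates.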

One way would be to override the block methods that generate the URLs to "detect" that https is in use. However, the existing functions already let you pass an additional parameter to specify whether to use https or not.


So, if your add-to-cart action in your product view phtml file looks something like this:

<form action="<?php echo $this->getSubmitUrl($_product) ?>" method="post"…

then you could force the url to use https by doing this:

<form action="<?php echo $this->getSubmitUrl($_product, array("_secure" => true)) ?>" method="post"…

However, this would mean that the form was ALWAYS using https. This might be fine, but I decided to add a check at the top of the phtml. Magento has a method to test whether the site is in https mode. This is what I came up with (I like to be verbose):


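// Only request a secure URL when the current page is itself served over https
$isSecure = Mage::app()->getStore()->isCurrentlySecure();
$addToCartExtraParams = array();
if ($isSecure) {
    $addToCartExtraParams = array("_secure" => true);
}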

My form action then looked like this:


  <form action="<?php echo $this->getSubmitUrl($_product, $addToCartExtraParams) ?>" method="post" …

Another alternative is to ALWAYS show your whole site in https, which might well please Google these days, and set your non-secure site URL to be https://….

If you do this then you might want to check URLs at the .htaccess stage and, if they are not https (port 443), redirect to https:

RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

or you could check for URLs on port 80 and force them into https:

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
