Returning to wrong page after successful checkout


Thespian


Posted

I have OSC 2.2ms2 installed on a Solaris box. Secure serving is working. Everything looks spiffy until just *after* a successful check-out. The purchase gets logged, the email gets sent, but when the customer hits the "continue" button at the bottom-right of the "checkout_success.php" page, the next page that comes up has lost the "path" information needed to make the secure shared web hosting work.

 

For example, my shared secure hosting works as follows:

 

(Examples only, not real links, do not click, yadda yadda)

 

http://mystore.com/catalog <-unsecured

https://secure.hosting.provider/mystore.com/catalog <-secure

 

Everything works until after "continue" is hit after the purchase is done, and then OSC tries to go to:

 

https://secure.hosting.provider/catalog/sho...osCsid=blahblah

 

Note how the "mystore.com/" part of the secure path was lost, even though it worked during the transition from unsecured into secured check-out.

 

From the reading I've done on these forums, I'm guessing it's either: a) a cookie issue, b) a php register_globals issue, or c) plain old misconfiguration issue on my part. Below is my configure.php for your perusal:

------------------------------------------------------------------

define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://secure.myhostingcompany.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/web/oscommerce-2.2ms2/catalog/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/oscommerce-2.2ms2/catalog/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/web/oscommerce-2.2ms2/catalog/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/oscommerce-2.2ms2/catalog/'); // absolute path required
define('DIR_FS_CATALOG', '/web/oscommerce-2.2ms2/catalog/'); // absolute path required
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
define('DB_SERVER', 'XXXXXXXXXXXXX'); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', 'XXXXXXXXXX');
define('DB_SERVER_PASSWORD', 'XXXXXXXXXX');
define('DB_DATABASE', 'osCommerce');
define('USE_PCONNECT', 'false'); // use persistent connections?
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

----------------------------------------------------------------

 

I mentioned the possibility of php register_globals since by default, the host has this turned off. I've placed local php.ini files in:

 

./catalog/admin/php.ini

./catalog/php.ini

 

in order to turn it on. If some other directory needs it, I suppose that *might* cause the loss.

 

I've rambled enough. Thank you if you've read this far. Please send me any suggestions you may have.

 

Thanks,

 

Thespian

Posted

Maybe try hard-coding the correct URL into the checkout_success page.

Your online success is Paramount.

Posted

Thanks for the suggestion, but this has to be a generic fix for all stores on the shared hosting platform. Each one will get the same software installed, differing only in the values in configure.php. I can't hardcode a unique value into each store's checkout_success page. Besides, this is obviously either an error in my configuration, or a weird bug in OSC. Either way, the right answer is to understand and fix the problem and not just patch over it.

 

Anyone else have any other ideas?

Posted

I don't have an answer to your problem. But, if it makes you feel any better, I have the same exact problem. Everything is working perfectly, except for that continue button going to the secure version of

catalog/checkout_success.php?action=update&osCsid=c6f-stringofnumbershere-

 

I get a 404 error.

 

I don't understand. I was thinking of hard coding a path back to the unsecure version of the home page, but thought I might find an answer here. But, I wondered if there was an additional screen with more stuff that the customer would miss if I hard coded like that. I assume it just goes back to the catalog, but I don't know since it is not working.

 

Also, I share your desire to fix the problem instead of putting a band-aid on it. Maybe someone has more info for us.

 

Thanks!

Steve

Posted

Steve, nice to know I'm not alone. Perhaps we can work on this together. There is still a chance one of the gurus on here will notice this thread and tell us what we are doing wrong. ;-)

 

The 404 makes perfect sense if your secure webhosting is set up like mine, where the removal of the hostname "path" component after secure.host/<domain>/ causes it to be an invalid link. How good is your PHP? We may have to pull checkout_success.php apart to find out how it is building that URL. This *could* be an actual OSC bug, but if so, I'd expect others to have hit it.

 

What OS / server combo are you running on? Can you post your configure.php as I did at the top of this thread? We may be able to spot some similarities. Just guessing at the moment though.

 

Still, glad to not be alone shouting into the wilderness.

 

Thespian

Posted

Steve, I've found the source of the problem. It took me a few hours of digging and a few blind alleys, but I've got it. Now, I just need to figure out the right way to fix it without breaking something else. I hope one of the experienced OSC devs reads this to comment on the best way to fix the problem.

 

Recap: after an order is complete, the "continue" button produces an erroneous URL when trying to go back to non-SSL use. This happens when the secure setup is of the form:

 

https://secure.hosting.com/cust.domain.com/catalog

 

and the insecure setup is of the form:

 

http://cust.domain.com/catalog

 

What's happening:

 

on line 29 in catalog/checkout_success.php we have:

 

tep_redirect(tep_href_link(FILENAME_DEFAULT, $notify_string));

 

(Recall that, having just finished a check-out, we are currently under https right now. This is important, because this redirect is to a non-secure version of catalog/index.php under http, not https. This is the redirect that is done after processing the "Continue" button-push.)

 

in /catalog/includes/functions/general.php on line 20 we have:

 

////
// Redirect to another page or site
function tep_redirect($url) {
  if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
    if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
      $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
    }
  }

  header('Location: ' . $url);

  tep_exit();
}

 

And there is the problem. Because we were on a secure page when we called redirect, the redirect function assumes we want to load the new page securely too, and it swaps out the unsecure domain name in the URL for the secure one, BUT WITHOUT REWRITING using DIR_WS_HTTPS_CATALOG instead of DIR_WS_HTTP_CATALOG.

 

So, it looks like tep_redirect() needs to be fixed. For my case, I'd just rewrite it to look at the URL being redirected *to* and just go there with no editing. Essentially, change tep_redirect() to be nothing more than the last part of the function

 

{

header('Location: ' . $url);

tep_exit();

}

 

and be done with it. I've tested that, and it solves my problem.

 

But, obviously this function was added for a reason. *Some* parts of the code may *want* this behavior when "secure" and "insecure" have the same DIR_WS_HTTP_CATALOG values, but different servers. Changing it could expose sensitive customer info. So, the code should choose the right behavior for the right environment. And that choice, I believe, should have some input from the devs who have more insight into the ramifications than I do.

 

Anyone have an experienced dev's ear so I can run this bug fix past them to get their opinion?
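
The rewrite described in the post above, as an added example that is not part of the original thread or of osCommerce: it compares the server-only swap that tep_redirect() performs with a variant that swaps server and catalog path together. The function names and the $cfg array are hypothetical, the host names are the thread's example values, and the session id is a placeholder.

```php
<?php
// Added illustration, not osCommerce code. Function names and the $cfg
// layout are hypothetical; host names are the thread's example values.

// What the stock rewrite does on an SSL page: swap the server prefix only.
function upgrade_server_only(string $url, array $cfg): string {
    $from = $cfg['http_server'];
    if (substr($url, 0, strlen($from)) === $from) {
        return $cfg['https_server'] . substr($url, strlen($from));
    }
    return $url;
}

// Swap server and catalog path as one unit, so a shared-SSL prefix such as
// /cust.domain.com/ is carried over instead of being dropped.
function upgrade_server_and_path(string $url, array $cfg): string {
    $from = $cfg['http_server'] . $cfg['http_catalog'];
    if (substr($url, 0, strlen($from)) === $from) {
        return $cfg['https_server'] . $cfg['https_catalog']
             . substr($url, strlen($from));
    }
    return $url; // not a catalog URL on the non-SSL server: leave untouched
}

// Constructed configurations: shared SSL (paths differ) and dedicated SSL
// (paths identical, the layout the stock code implicitly assumes).
$shared = [
    'http_server'   => 'http://cust.domain.com',
    'https_server'  => 'https://secure.hosting.com',
    'http_catalog'  => '/catalog/',
    'https_catalog' => '/cust.domain.com/catalog/',
];
$dedicated = [
    'http_server'   => 'http://cust.domain.com',
    'https_server'  => 'https://cust.domain.com',
    'http_catalog'  => '/catalog/',
    'https_catalog' => '/catalog/',
];

$url = 'http://cust.domain.com/catalog/index.php?osCsid=SESSIONID';
foreach (['shared' => $shared, 'dedicated' => $dedicated] as $name => $cfg) {
    echo $name, "\n";
    echo '  server only:     ', upgrade_server_only($url, $cfg), "\n";
    echo '  server and path: ', upgrade_server_and_path($url, $cfg), "\n";
}
```

With the shared layout the server-only swap drops the /cust.domain.com/ prefix, which is the broken URL reported in the thread; with the dedicated layout both functions return the same URL. Either way the target stays on https, so the osCsid value in the query string is not sent over plain http.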

  • 1 month later...
Posted

I am having a problem with my site: when I click the continue button after the e-mail has been entered, for customers trying to purchase a product, it just goes to a 404 error on a secure page. Is this the same as the problem the rest of you are having? If this is a bug in osCommerce, is there a contribution or fix yet? I am using a shared SSL. If someone wants to see the error, try to purchase an item on hotrodsurf.com/shop

Posted

Yup, sounds like the same problem. You can either use the fix I described in the previous message which works, or the following.

 

Try setting HTTPS_SERVER to "https://host64.ipowerweb.com/~hotrodsu" instead of just "https://host64.ipowerweb.com" and I think that will work for you as well. The only side-effect of doing it this way is that after the continue button is hit, the customer will be redirected to your front page store still under https, rather than back to http. Continued browsing will be under http as normal, just the return to the front page will still be under https. Either solution seems to work for me.

  • 1 month later...
Posted
But, obviously this function was added for a reason. *Some* parts of the code may *want* this behavior when "secure" and "insecure" have the same DIR_WS_HTTP_CATALOG values, but different servers. Changing it could expose sensitive customer info. So, the code should choose the right behavior for the right environment. And that choice, I believe, should have some input from the devs who have more insight into the ramifications than I do.

 

Hi Thespian,

I tried your solution (commenting out the if statement), and doing so fixed the problem. After I click the continue button, a "leaving secure server" warning message pops up, and I just click OK and go back to the storefront.

 

It works beautifully. Thank you very much for the solution.

 

After a little more research on this issue, I found a reply in Bug Report ID:992 that says "it is a expected behavior" to go back to the storefront in SSL mode, and "The reason for this is if you use the notify function you get a security warning if you return to a non ssl page."

 

I think it implies that the if statement we comment out is to avoid the security warning message when being redirected back to the storefront (because it's still under SSL Mode).

 

So...I found another solution that will redirect me to the "secured storefront" in This Post and tried it out. Guess what, it does redirect me back to the storefront without giving me the security warning message.

 

However, after being redirected, if I click links on the page, it takes me back to the non-secured storefront and gives me the security warning message.

 

Now I am a bit confused...

 

If the security warning message is delayed by only "one click", I really don't see the reasons to take people back to the storefront in SSL mode.

 

So my conclusion is that it's probably ok to simply comment out the if statement...

 

Any opinions about this...?

  • 5 months later...
Posted

I believe my fix, posted up-thread *is* the only "recap" of this issue. It works, so there is that to recommend it. B) I don't know if removing the button would cause any problems for you or not.

 

Thespian

 

I have the same problem. Can anyone who got this fixed post a recap? Actually I was thinking about just removing the button. Would this cause any problems?

 

thanks

Posted

OK, I am following the reasoning and explanation, and I have found that with osCommerce any change almost always, if not always, changes something else, so I hesitate on removing the button. I am new to PHP, so I don't understand what I should do. Please post a simple step-by-step of what is to be replaced with what.

 

in /catalog/includes/functions/general.php on line 20 we have:

 

////
// Redirect to another page or site
function tep_redirect($url) {
  if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
    if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
      $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
    }
  }

  header('Location: ' . $url);

  tep_exit();
}

 

 

With This code correct?

Archived

This topic is now archived and is closed to further replies.
