
HTTPS, HTTP session communication


OSCommerceSurgeon

Hello there,

I thought this would be a neat trick to post since I spent most of the night hacking my way around trying to fix it.

This little trick is for all of you folks with shared SSL certificates on shared hosting where your regular HTTP server is on a different computer than your HTTPS server. In my case, the HTTP server is a Linux box and the HTTPS server is Windows, but that's beside the point.

Have you ever wondered how to make your checkout process, login process and logoff process secure but not tie the rest of your website down by the slowness of SSL? Are you like most of my clients who are on shared hosting, using shared certificates and basically at the mercy of the hosting provider?

Please read on.

I'm fairly convinced that the reason why the osCSID is lost when transferring from a secure HTTPS connection to an HTTP connection when they are on separate computers is because of an insanely difficult line of code in your /includes/functions/sessions.php file.

Here is the rather harmless looking chunk of code in the default sessions.php file:

    // Default osCommerce handler: returns the stored value only if the session row
    // has not expired according to this web server's clock (time()).
    function _sess_read($key) {
        $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "' and expiry > '" . time() . "'");
        $value = tep_db_fetch_array($value_query);

        if (isset($value['value'])) {
            return $value['value'];
        }

        return false;
    }

The problem I discovered after much debugging is the expiry clause on the $value_query. I haven't figured out why it doesn't work with that expiry clause when transferring requests from HTTPS to HTTP, but I know it's the problem because when I remove it, I can go from an HTTPS session over to a page on the HTTP server, transferring the same osCSID session id transparently just like it should operate.

Before, it kept dropping, losing the osCSID, thus telling me I was a guest, asking me to login, not being able to write reviews and a whole slew of other painful problems.

I changed this function to the one below:

    // Modified handler from the post: the expiry clause is deliberately dropped.
    // The session key still goes through tep_db_input(), as in the default code,
    // because it arrives from the client (the osCSID) and must be escaped before
    // being spliced into the SQL string.
    function _sess_read($key) {
        $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "'");
        $value = tep_db_fetch_array($value_query);

        if (isset($value['value'])) {
            return $value['value'];
        }

        return false;
    }

I didn't even bother putting the expiry clause on because I figure that the garbage collection function that handles MySQL-based sessions will remove old sessions anyway, thus I would most likely always get the most current session. Could be wrong on this, haven't tested that part yet.

All I know is that this fix will immensely help anyone that is using a shared SSL certificate, MySQL-based sessions and two different domains for their HTTP and HTTPS server.

Cookies would also get around the problem, but the problem with cookies is that most users think they are dangerous and shouldn't be trusted, thus they turn off accepting cookies, then they can't get into your site and you lose customers. This doesn't use cookies, so it's easier for the user.

Anyways, it would be cool to hear if this helps anyone else, because when I figured it out boy was I proud. Now my client's store works like it is supposed to instead of asking people to login like 4 or 5 times, losing their shopping cart contents, unable to do certain things because of the different domains.

Perhaps the expiry may not work because the computers are in vastly different time zones, who knows.

Hope that helps

Adam

While I'm operating on OSCommerce, I don't have to worry about silly vitals or forgetting to turn off the ane..the.. no wait I remember aes....thetic, or right I've got it Anaesthetic
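Added example, not part of Adam's post and not osCommerce's own code: a Python/sqlite3 model of the MySQL session read and write handlers. It shows why an expiry stamped by one web server and checked by another fails when the two clocks disagree (the post's own time-zone guess; note that PHP's time() is a UTC epoch, so time zone settings alone would not do it, only clocks that are actually out of step), that taking both timestamps from the database's own clock keeps the expiry check while surviving the HTTPS-to-HTTP hop, and that binding the client-supplied session id as a parameter keeps it as data, which is the job tep_db_input() does in the PHP. Assumptions: the sesskey/expiry/value columns of the default handler, PHP's default 1440-second lifetime, and a constructed three-hour skew; in MySQL the shared clock would be UNIX_TIMESTAMP() in the query.

```python
import sqlite3

SESSION_LIFETIME = 1440  # seconds; PHP's default session.gc_maxlifetime (assumption)


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for osCommerce's sessions table (sesskey, expiry, value)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (sesskey TEXT PRIMARY KEY, expiry INTEGER NOT NULL, value TEXT NOT NULL)"
    )
    return conn


def db_clock(conn: sqlite3.Connection) -> int:
    """Unix time as the database sees it (MySQL equivalent: SELECT UNIX_TIMESTAMP())."""
    return int(conn.execute("SELECT strftime('%s', 'now')").fetchone()[0])


def write_session(conn: sqlite3.Connection, key: str, value: str, now: int) -> None:
    """Counterpart of _sess_write: expiry is computed from the clock passed as `now`."""
    conn.execute(
        "INSERT OR REPLACE INTO sessions (sesskey, expiry, value) VALUES (?, ?, ?)",
        (key, now + SESSION_LIFETIME, value),
    )


def read_session(conn: sqlite3.Connection, key: str, now: int):
    """Counterpart of _sess_read with the expiry clause kept.

    The key is bound as a parameter, so a session id containing quotes is compared
    as data rather than spliced into the SQL text.
    """
    row = conn.execute(
        "SELECT value FROM sessions WHERE sesskey = ? AND expiry > ?", (key, now)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Constructed scenario: the HTTPS box writes the session, the HTTP box reads it."""
    conn = open_store()
    sid = "c3f1e0a9d2b44f7e"          # constructed osCSID
    payload = "customer_id|i:42;"     # constructed serialised session data

    # 1. Each web server uses its own clock, as the default PHP handlers do with time().
    https_clock = 1_700_000_000
    http_clock = https_clock + 3 * 3600   # HTTP box runs three hours ahead (constructed skew)
    write_session(conn, sid, payload, now=https_clock)
    skewed = read_session(conn, sid, now=http_clock)   # expiry < http_clock: looks expired, login lost

    # 2. Both servers take the timestamp from the database's clock: skew between them is irrelevant.
    written_at = db_clock(conn)
    write_session(conn, sid, payload, now=written_at)
    shared = read_session(conn, sid, now=db_clock(conn))
    # A genuinely expired row is still rejected, so the clause does not need to be dropped.
    expired = read_session(conn, sid, now=written_at + SESSION_LIFETIME)

    # 3. A session id carrying a quote character simply fails to match any row.
    quoted = read_session(conn, sid + "'", now=db_clock(conn))

    return {
        "skewed_read": skewed,
        "shared_clock_read": shared,
        "after_expiry": expired,
        "quoted_key": quoted,
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the clause is that without it a row stays readable until garbage collection happens to run, so a leaked osCSID stays usable for that whole window; stamping and checking against one clock removes the cross-server symptom without giving that up.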


Hi Adam,

Thank you very much! I've got exactly the same problem. My HTTP server is a Linux machine and the HTTPS server is on another Windows 2000 machine. When switching between SSL and non-SSL pages I was redirected to the login page from time to time, and this problem annoyed me a lot. After applying the change the system works now! What a great job!

To: rlped

I think your suggestion is right.

I received a session key error when implementing this code, any ideas of what happened there? :'(

Thank You

Miss Vicky
