amatruco Posted June 10, 2005

Hi

I am having some trouble with some of the subtle points behind getting a secure checkout process to work. I have read lots of posts regarding this, but still can't seem to find my answer.

Here's the problem. I have SSL enabled in my /includes/configure.php file, and I think I have all the settings properly set. Here is a snapshot of the relevant portions of that file:

    define('HTTP_SERVER', 'http://www.mydomain.org'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://www.mydomain.org'); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL', true); // secure webserver for checkout procedure?
    define('HTTP_COOKIE_DOMAIN', 'mydomain.org');
    define('HTTPS_COOKIE_DOMAIN', 'mydomain.org');
    define('HTTP_COOKIE_PATH', '/staff/shop/');
    define('HTTPS_COOKIE_PATH', '/staff/shop/');
    define('DIR_WS_HTTP_CATALOG', '/staff/shop/');
    define('DIR_WS_HTTPS_CATALOG', '/staff/shop/');
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
    define('DIR_FS_CATALOG', '/usr/local/etc/httpd/htdocs/staff/shop/');
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
    define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

So, when I browse to the catalog without using a secure connection, all is good, and the page loads perfectly. When I click on My Account, the URL switches to a secure connection, and the page loads perfectly ... except that the yellow lock shows up only briefly in the bottom of the window, and then disappears.

I have determined that this occurs because even though the page is being loaded securely, the images and icons on the page are not (I can verify this by right-clicking on any image/icon ... including the oscommerce.gif image ... and inspecting its URL). Therefore, the lock is not displayed because the entire page did not load securely.

I found a post on this forum that told me to edit the application_top file as follows, to resolve this problem. It said to remove the line that reads:

    $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

and replace it with a line that reads:

    $request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

Now, this did sort of solve the problem, because now the images and icons DO load securely when the user is in the My Account or Checkout process, and the yellow lock IS displayed. However, the problem is that now, all icons and images are ALWAYS loading securely ... regardless of where the user is on the site. So, for example, when the user simply browses to my store using an INSECURE connection, the page loads normally, but all the images load securely (verified by inspecting the URL of some of the images and icons). As the user browses around the site, the images on all pages continue to load securely. This is really unnecessary, and encrypting all these images is slowing down my site unnecessarily. Further, it seems that this is not happening on all the other OsCommerce stores I have visited.

I have tried many things, and still cannot figure this out. Bottom line question: How do I get the images to load normally (insecurely) when the user is simply browsing the site and the catalog, but to load securely when the user is in the My Account/Checkout sections? It seems to be working on everyone else's site, except mine.

Thanks in advance for any assistance you may be able to provide.

Joe

FalseDawn Posted June 10, 2005

Your original problem (i.e. the lock appearing then disappearing) was almost certainly caused by hard-coding the link to one or more images using HTTP://

If you link to images on external sites (eg a secure seal), you need to ensure you link using HTTPS:// on secure pages. Normally, the images are referenced relatively, so if the base href to the page is https, they will be, too.

I would set the $request_type statement back to what it was originally and try to look for hard coded links using HTTP://

FalseDawn Posted June 10, 2005

You could also try:

    $request_type = ($_SERVER['HTTPS']) ? 'SSL' : 'NONSSL';

Basically, look at the <base href> tag in the generated HTML of secure pages - this should start HTTPS://, and in non-secure pages, it should start HTTP:// - if it doesn't then the $request_type variable is not being set correctly.
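
The two checks suggested in the replies above (hard-coded HTTP:// links and the <base href> of a secure page) can be run over a saved copy of the generated HTML. This is an added example, not code from the thread or from osCommerce; it assumes PHP 7+ with the DOM extension, and the sample markup and the seal.example host are constructed.

```php
<?php
// Added example (not from the thread): report sub-resources that would be
// fetched over plain HTTP when the page itself is served over HTTPS.

function insecure_resources(string $html, string $pageUrl): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html);            // '@' silences warnings on sloppy real-world markup

    // Relative URLs resolve against <base href> when present, otherwise the page URL.
    $base = $pageUrl;
    foreach ($doc->getElementsByTagName('base') as $b) {
        if ($b->getAttribute('href') !== '') {
            $base = $b->getAttribute('href');
            break;
        }
    }
    $baseIsHttps = stripos($base, 'https://') === 0;

    $attrs = ['img' => 'src', 'script' => 'src', 'link' => 'href', 'input' => 'src'];
    $found = [];
    foreach ($attrs as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $url = $el->getAttribute($attr);
            if ($url === '') {
                continue;
            }
            if (stripos($url, 'http://') === 0) {
                $found[] = "$tag $url (hard-coded http://)";
            } elseif (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $url) && !$baseIsHttps) {
                $found[] = "$tag $url (relative, resolved against $base)";
            }
        }
    }
    return $found;
}

// Constructed sample: a secure login page whose <base href> is still http://,
// plus a hypothetical third-party seal image on seal.example.
$html = '<html><head><base href="http://www.mydomain.org/staff/shop/">'
      . '<link rel="stylesheet" href="stylesheet.css"></head><body>'
      . '<img src="images/oscommerce.gif">'
      . '<img src="http://seal.example/seal.gif">'
      . '<img src="https://www.mydomain.org/staff/shop/images/ok.gif">'
      . '</body></html>';

foreach (insecure_resources($html, 'https://www.mydomain.org/staff/shop/login.php') as $line) {
    echo $line, "\n";
}
```

With the sample input, the relative image and stylesheet are flagged because the base is http://, the seal is flagged as hard-coded, and only the absolute https:// image passes.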

amatruco Posted June 10, 2005

Thanks for the reply. I tried your suggestion. Using the line:

    $request_type = ($_SERVER['HTTPS']) ? 'SSL' : 'NONSSL';

renders the same results as the original line from the file:

    $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

I also checked out the <base href> tag, as you suggested. With either of these lines of code in the application_top file, the <base href> line remains the same for both secure and insecure pages. When the URL is http://www.mydomain.org/staff/shop/ the <base href> tag reads:

    <base href="http://www.mydomain.org/staff/shop/">

If I then click on the My Account link, the URL changes to https://www.mydomain.org/staff/shop/login.php but the <base href> tag in the source of this page still reads:

    <base href="http://www.mydomain.org/staff/shop/">

Any thoughts on where to go from here?

FalseDawn Posted June 10, 2005

You could try the following, since HTTPS is usually configured on port 443:

    $request_type = ($_SERVER['SERVER_PORT']=="443") ? 'SSL' : 'NONSSL';

I have no idea why at least one of the other combinations you have tried is not working - it might have something to do with how PHP and/or SSL is configured on your host - it might be worth contacting them to see if they have any clues.

amatruco Posted June 15, 2005

I think I am getting closer to solving the problem. I don't think my server is reporting a value for the HTTPS environment variable, and the SERVER_PORT environment variable seems to have a value of 80, for both http and https connections. I am going to investigate this further by creating a page that calls the phpinfo() function, and examine the values of the variables that are being reported.

I have, however, noticed that the Admin section of the application does "sort of" seem to be able to handle loading images securely when the URL is https, and insecurely when the URL is http. I looked at the application_top file in /catalog/admin/includes to see how the $request_type variable might be created, but this file does not have such a variable. I assumed it would be just like the other application_top file.

I can't find the setting to cause the admin area to have all its links become secure. Assumed it would be in /catalog/admin/configure.php, but it does not seem to be there. So now, if I load the admin section via https, the first page will load securely, but clicking on any other link switches the connection to a regular http connection.

Does anyone have thoughts on anything I'm observing here?

Thanks

Joe
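
The three $request_type tests tried in this thread, run side by side against constructed $_SERVER snapshots. This is an added example, not code from the thread or from osCommerce; the function names are hypothetical, the "typical host" rows are assumptions, the "this host" rows use the values reported in the post above, and stripos() stands in for eregi(), which current PHP no longer provides.

```php
<?php
// Added example (not from the thread): the three $request_type tests compared.
define('HTTPS_SERVER', 'https://www.mydomain.org');

function by_https_flag(array $s): string
{
    // Same test as getenv('HTTPS') == 'on', read from the passed-in array.
    return (($s['HTTPS'] ?? '') === 'on') ? 'SSL' : 'NONSSL';
}

function by_port(array $s): string
{
    return ((string)($s['SERVER_PORT'] ?? '') === '443') ? 'SSL' : 'NONSSL';
}

function by_host_match(array $s): string
{
    // Stand-in for eregi($HTTP_HOST, HTTPS_SERVER): a case-insensitive
    // "does the host name occur in HTTPS_SERVER" test.
    return (stripos(HTTPS_SERVER, $s['HTTP_HOST']) !== false) ? 'SSL' : 'NONSSL';
}

function compare(array $cases): array
{
    $rows = [];
    foreach ($cases as $label => $s) {
        $rows[$label] = [by_https_flag($s), by_port($s), by_host_match($s)];
    }
    return $rows;
}

// Constructed $_SERVER snapshots. The last two follow the values reported in the
// thread: no HTTPS variable and SERVER_PORT 80 whatever the scheme.
$host = ['HTTP_HOST' => 'www.mydomain.org'];
$cases = [
    'typical host, http://'  => $host + ['SERVER_PORT' => '80'],
    'typical host, https://' => $host + ['SERVER_PORT' => '443', 'HTTPS' => 'on'],
    'this host, http://'     => $host + ['SERVER_PORT' => '80'],
    'this host, https://'    => $host + ['SERVER_PORT' => '80'],
];

printf("%-24s %-8s %-8s %s\n", 'request', 'HTTPS', 'port', 'host match');
foreach (compare($cases) as $label => $r) {
    printf("%-24s %-8s %-8s %s\n", $label, $r[0], $r[1], $r[2]);
}
```

The host-match column reads SSL in every row because HTTP_SERVER and HTTPS_SERVER share one host name, which matches the images always loading securely. The HTTPS and port columns read NONSSL for both "this host" rows, which matches the <base href> staying on http://.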
This topic is now archived and is closed to further replies.