
Force Cookie Problem


idahovi

Greetings,

 

I have been playing with a new configuration of oscommerce and I have been having problems when it comes to using a shared SSL and cookies. I have been reading through the posts and all, but I have not gotten anything to really work. The server I am set up on has the SSL certificate registered www.idahovirtualincubator.org, and my site name is www.havokclash.net. I have a folder named havokclash that is in the document root of www.idahovirtualincubator.net in which I have a symbolic link pointing to the actual installation of oscommerce in www.havokclash.net. Here is a copy of the relevant configuration I now have:

 

<?php
/*
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.havokclash.net'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.idahovirtualincubator.org/havokclash'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.havokclash.net');
  define('HTTPS_COOKIE_DOMAIN', 'www.idahovirtualincubator.org');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/havokclash/');
  define('DIR_WS_HTTP_CATALOG', '/catalog/');
  define('DIR_WS_HTTPS_CATALOG', '/catalog/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/home/havokclash.net/www/catalog/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

With this configuration I am able to log in just fine and everything, but when I go to check out after adding items to the cart, the items get lost. This only occurs when I have forced cookies enabled and switch from SSL to non-SSL. I know the problem lies in the cookies. When checking the cookies I find I have one set for www.havokclash.net and one set for www.idahovirtualincubator.org. It seems that I am no longer logged into the cart when I revert back to a non-SSL page to add in items as well, since I do not see the log out link at the top. To me it seems like the login information is not traversing from the SSL cookie to the non-SSL cookie. I would prefer to have cookies forced.

 

Any help in this area I would definitely appreciate. You can check the cart at www.havokclash.net/catalog to see the exact problem I am having. I will continue to read posts, but I have been doing so for a while already.

Ask and you shall receive. Had a massive brain surge that prompted me to read the knowledgebase about force cookie usage and found the answer that I feared:

 

"When the SESSION_FORCE_COOKIE_USE parameter is enabled, a cookie will always be set on the client's browser and will always be read on every page request made. This allows osCommerce to check for the cookie and to take appropriate action of allowing the transaction to occur, or to forward the client to the friendly enable cookie page.

 

As the cookie is set on the top level domain of the web server, the secured https server must also exist on the same domain.

 

For example, the force cookie usage implementation will work for the following servers:

 

http://www.domain-one.com

https://www.domain-one.com, or https://ssl.domain-one.com

 

but not for the following servers:

 

http://www.domain-one.com

https://ssl.hosting_provider.com/domain-one/

 

The ssl.hosting_provider.com example is using a shared SSL certificate used for secure transactions. This can easily be fixed to work with the force cookie usage implementation by purchasing and installing a dedicated SSL certificate for the domain-one.com domain.

 

It is possible to bypass the cookie check by appending the session ID to the URL when the client moves from HTTP to HTTPS state, or from HTTPS to HTTP state; however, the main goal this implementation is trying to achieve is to not place the session ID on the URL at all, which would occur if the client's browser had cookies disabled."

 

I know it is possible to set up multiple certificates on a site using one IP address by using a different port number, like 8443 instead of 443 for the second cert. Will this cause problems with osCommerce, and will clients' browsers have problems with the fact that SSL is occurring on a nonstandard SSL port number? I would definitely love to have it so that force cookie usage was active for security reasons, since that is the whole reason for turning SSL on, but having to purchase additional IPs would almost be required in my opinion. Can someone tell me where I can obtain IPs for a decent sum? I need about 10 if that is possible, but I have a limited budget to work with. Thanks for any help you can offer.

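The knowledgebase passage quoted above explains the failure in terms of cookie scope. The following is an added example, not code from the post or from osCommerce: it models the browser's RFC 6265 domain and path matching and runs it against the two cookie scopes taken from the HTTP_COOKIE_DOMAIN, HTTPS_COOKIE_DOMAIN and *_COOKIE_PATH defines in the configuration above, and against a constructed dedicated-certificate layout in the shape of the knowledgebase's working case. It also goes one step beyond the quoted text on the 8443 question: cookie scope has no port component, so a same-host HTTPS server on a nonstandard port still receives the cookie. DEDICATED_SSL_CONFIG and session_follows are names assumed here, not osCommerce identifiers.

```python
from urllib.parse import urlsplit

# Cookie scoping per RFC 6265 sections 5.1.3 (domain-match) and 5.1.4
# (path-match). Scheme and port are deliberately absent from these rules: a
# cookie set for a host is returned to that host on any port, HTTP or HTTPS.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if request_host equals cookie_domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """True if request_path is cookie_path or lies beneath it."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookie_sent_to(url: str, cookie_domain: str, cookie_path: str) -> bool:
    """Would a browser attach a cookie scoped to (cookie_domain, cookie_path) to a request for url?"""
    parts = urlsplit(url)
    if not parts.hostname:
        return False
    return (domain_matches(parts.hostname, cookie_domain)
            and path_matches(parts.path or "/", cookie_path))

# Constructed from the HTTP(S)_COOKIE_DOMAIN and HTTP(S)_COOKIE_PATH defines in
# the post above: the scope of the cookie written on each side of the switch.
SHARED_SSL_CONFIG = {
    "http": ("www.havokclash.net", "/"),
    "https": ("www.idahovirtualincubator.org", "/havokclash/"),
}

# Hypothetical layout for the knowledgebase's working case: a dedicated
# certificate on the shop's own domain, with the cookie scoped to that domain
# so www.domain-one.com and ssl.domain-one.com both receive it.
DEDICATED_SSL_CONFIG = {
    "http": ("domain-one.com", "/"),
    "https": ("domain-one.com", "/"),
}

def session_follows(config: dict, from_scheme: str, to_url: str) -> bool:
    """Does the session cookie written while on from_scheme reach to_url after the switch?"""
    domain, path = config[from_scheme]
    return cookie_sent_to(to_url, domain, path)
```

With the shared-certificate scopes neither direction of the switch carries the cookie, which is exactly the lost cart and missing logout link described in the first post; with the cookie scoped to the shop's own domain both hosts in the knowledgebase's working example receive it.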

Do you have your own server?

 

I have and my provider allocates me 7 IPs by default, any more and I have to pay $25 per IP which isn't that bad.

 

I think it would be okay to have a different port, in the Apache config files I think you would set it for a particular domain to listen for https on a different port. But individual IPs is definitely a better option. (and if you run Plesk don't use port 8443 for your shops)

 

On another note, I thought that if you enabled sessions to be handled by MySQL (in your config files) then it worked with a shared SSL.


I thought that if you enabled sessions to be handled by MySQL (in your config files) then it worked with a shared SSL

 

No, afraid not. Force Cookie Use only works when there's no SSL being used or when a full SSL cert is installed.

 

Vger


  • 5 years later...

I'm having a similar issue with my website.

 

I enabled cookie use from admin page, but now when I go back to admin page, I can't seem to log back in to do anything. It just redirects me to the admin login page again.

 

Could someone help please?

 

Is there a way to turn off force cookie use manually? (through database, etc...)


Archived

This topic is now archived and is closed to further replies.
