
Login problem


shawkes


I have searched and searched and have not found the answer to this problem. I have my site set up to return to the page you were on before login, but if the page was not a secure page it redirects to the same page but on the secure server. This is causing security alerts on index.php and a Forbidden message on product_info.php.

 

I just want it to return to the non-secure page instead of the secure page for non-secure pages.

 

I am using a shared SSL if that makes a difference. What am I missing? It is probably a very simple fix (I hope), but I just can't get it to work.

 

Thank you for your time

Sean Hawkes


If a customer clicks to login, they stay on the secure page until taken to a different page which does not require login. Are you forcing login before they do anything else?


They are taken to a SSL version of index.php instead of non-SSL and this gives security warnings. index.php does not need to be viewed from the SSL server.

 

Sean Hawkes


You've got a problem in the configure.php file or the server you're on responds a little differently than osC expects it to.

 

A link would help.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


If I understand correctly what you're seeing, it's completely normal. When you login, you are redirected from an http page to an https page. Less to more security. No problem.

 

After login, if you were redirected from a secure page to an insecure page, your browser would *always* complain that this was a potential security risk. Therefore, after you login, the majority of the links that you get are http:// links, so that you're taken back to a non-secure connection except for those things that need to be secure (i.e. account info, order info, etc). You have to click on the insecure links, as opposed to being auto-redirected to an insecure link, so that your browser won't yell at you.

 

Having your browser tell a customer that they're being redirected from a secure page to an insecure page is not likely to inspire confidence in your site's security.

 

-jared


Correct. This is a built-in "feature" of every modern browser. The problem occurs when you use tep_redirect (change the headers) to go from a secure page to a non-secure page without user intervention, often when there is POST data involved, too.

The warning can be turned off in the user's browser, but not many do, so you'll need another solution.

It is not a problem when the user actually clicks a link to do the same.

 

If you are redirecting from login to another page automatically after login (and if your login is https, which I assume it is), that page will have to be https:// or the warning will appear.


The redirect to a secure version of the page is intentional and is designed to avoid the problem FalseDawn describes. Once you're on the target page, further links will be to the non-SSL version.


OK, I understand that now, but if I try to log in while viewing a product page the redirect to the secure page fails and says "You don't have permission to access /product_info.php on this server." Is this a problem with my SSL setup?

 

Sean Hawkes


Yes, it is.  Are you on a host that requires you to put SSL content in a separate place? If so, you'll have to duplicate your store in the SSL location.

No, I do not have to duplicate it, but I will try some changes to configure.php and see if that fixes it.

 

Sean
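
As an added illustration of the behaviour discussed in this thread (the automatic post-login redirect has to stay on https, and a shared-SSL store has a different server and catalog path for https), the following PHP example maps the pre-login page to its HTTPS equivalent and refuses anything that is not a script of the store. It is not osCommerce's own code: the constant names follow includes/configure.php, while their values and the function post_login_target() are constructed for the example.

```php
<?php
// Constant names as in osCommerce's includes/configure.php; the values are
// constructed placeholders for a store on a shared SSL certificate.
define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://secure.example-host.net');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/~shopuser/catalog/');
// Hypothetical helper (not an osCommerce function): map the page the customer
// was on before login to its HTTPS equivalent, so the automatic redirect never
// steps down from https to http. Anything that is not a script of this store
// falls back to the HTTPS index page.
function post_login_target($returnUrl)
{
    $fallback = HTTPS_SERVER . DIR_WS_HTTPS_CATALOG . 'index.php';
    // Whitespace and control characters have no place in a Location header.
    if (preg_match('/[\x00-\x20\x7f]/', $returnUrl)) {
        return $fallback;
    }
    $parts = parse_url($returnUrl);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return $fallback;
    }
    $origin = strtolower($parts['scheme'] . '://' . $parts['host'])
            . (isset($parts['port']) ? ':' . $parts['port'] : '');
    if ($origin === HTTP_SERVER) {
        $prefix = DIR_WS_HTTP_CATALOG;
    } elseif ($origin === HTTPS_SERVER) {
        $prefix = DIR_WS_HTTPS_CATALOG;
    } else {
        return $fallback;               // foreign host: do not redirect off-site
    }
    if (strpos($parts['path'], $prefix) !== 0) {
        return $fallback;               // outside the catalog directory
    }
    $script = substr($parts['path'], strlen($prefix));
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $script)) {
        return $fallback;               // sub-directories, traversal, non-PHP paths
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return HTTPS_SERVER . DIR_WS_HTTPS_CATALOG . $script . $query;
}
// Constructed sample inputs.
foreach (array(
    'http://www.example.com/catalog/product_info.php?products_id=12',
    'http://www.example.com/catalog/index.php',
    'http://other.example.org/catalog/index.php',
) as $url) {
    echo $url, ' => ', post_login_target($url), "\n";
}
```

Every mapped URL is built from HTTPS_SERVER and DIR_WS_HTTPS_CATALOG, so if those two values do not point at the location where the SSL host actually serves the store's files, each post-login redirect lands on the wrong path.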


Archived

This topic is now archived and is closed to further replies.
