Checkout Procedure Not Using SSL


RayFrangie

Hi All,

 

I'm not too sure if this has been discussed before somewhere in this massive forum, but I need some help with osCommerce Procedures using SSL.

 

Before I start, the following are the specs:

 

Windows 2003 Server Enterprise Edition w/SP1

Internet Information Services (IIS) 6

AustDomains Premium SSL Certificate

osCommerce 2.2 Milestone 2 Update 051113

Shop: http://marketplace.rcsystems.com.au

 

SSL Certificate has been installed successfully.

 

Configure.php as follows:

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://marketplace.rcsystems.com.au'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://marketplace.rcsystems.com.au'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'marketplace.rcsystems.com.au');
 define('HTTPS_COOKIE_DOMAIN', 'marketplace.rcsystems.com.au');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');
 define('DIR_WS_HTTP_CATALOG', '/');
 define('DIR_WS_HTTPS_CATALOG', '/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

 

The following is what's happening:

 

Browse the website fine, no worries. Checkout Procedure, Login Procedure redirects to the HTTPS URL fine.

Problem though is it does not establish the SSL Session aka Does not activate SSL

 

I've had a chat with the SSL Cert Providers who have been working on this with me for about a week.

 

This is the email response I've got from them:

 

******************

 

Hi Ray,

 

I had another quick look at your page. It seems to be your HTML.

 

Eg. this image pops up with the padlock no problem

 

https://marketplace.rcsystems.com.au/images/az_top_left.gif

 

 

I think this line may be the culprit

<base href="http://marketplace.rcsystems.com.au/">

 

This is basically telling browsers to treat the page as insecure. You will want to make it read https when it is secure.

 

Kind Regards,

 

Ben Brooks

Aust Domains Support

t: 08 9349 4665 (Australia Only)

t: +61 8 9349 4665 (International)

f: +61 08 6210 1656

e: [email protected]

w: www.austdomains.com.au

 

 

***************

 

I've done some digging around to try and see where this comes from. It seems to get it from HTTP_SERVER or HTTPS_SERVER. I changed the HTTP_SERVER to use the HTTPS URL and what do you know? It works... In a way...

 

The whole site becomes SSL, and the SSL Padlock does appear. But this is obviously not the ideal way of getting things to work, as I'd like search engines to find my website and not completely shut me out. Also I don't see a need of running the entire site as SSL.

 

So basically, 1) Has anyone come across this same issue before... 2) How do I fix it so that the base_href picks up SSL or NONSSL correctly?

 

 

As a test to replicate the fault:

 

1) Go to HTTP://marketplace.rcsystems.com.au

2) In the address bar, change the HTTP to HTTPS

 

.... Note the padlock doesn't appear!!!

 

3) View Source... Look At the base_href line in the <head> section of the page... Still Shows the NON-SSL URL

 

The same issue is throughout the entire site from the Main Page to the Credit Card and Purchasing Pages. Note though if you do log in and shop around, keep an eye on the address bar. It does change to HTTPS as in to go to a SSL Page, but the SSL Session does not activate due to BASE_HREF still showing the HTTP URL and not the HTTPS URL

 

 

Any help anyone can provide will be greatly appreciated. This is one issue I really want to get rid of sometime soon.

 

 

Many Thanks in Advance

 

Ray Frangie

Managing Director

Ray's Computer Systems - Sydney Australia

P.O Box. 757

Guildford, NSW, 2161

Ph: +61 (0)2 9788 2946

Mob: +61 (0)415 358 194

Email: [email protected]

WWW: http://www.rcsystems.com.au

Link to comment
Share on other sites

Do not know if it will help, but anyway:

 

Check this out!

 

 

http://www.oscommerce.info/kb/osCommerce/G...mon_Problems/75

 

((((((( On chapter 3. ----

 

3. Fixing SSL Problems

 

If the problem is an image you are hotlinking you need to ask the owner if you can have access to the image and place it in your own images directory under the encrypted domain and then change the path in your footer so that it now references the image in your domain....

)))))))) END MORE IN LINK ))))))

 

 

 

 

I think this could be the problem, your image is not a relative path, but mostly an absolute one, which SSL does not like very much !!!

 

Check the link for more details and let me know !

 

Ray

Link to comment
Share on other sites


Hi Ray,

 

Thanks for your reply.

 

This is a lot deeper than relative/absolute paths for images...

 

I always use the relative path, especially when it comes to SSL sites.

 

It's actually a lot deeper in the code, whereby the $request_type variable was being set to NONSSL for both HTTP and HTTPS websites even though they were specified separately in configure.php. With this being the case, the <base href> tag in the HTML HEAD of each page was being set to HTTP://<website> causing the browser to think SSL is turned off even though the address bar has HTTPS in it.

 

 

With the help of a friend who was a PHP Developer for 5 years, I've made the following change which has fixed the problem perfectly.

 

 

/includes/application_top.php - Line 42

Change this line:

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

To this line:

$request_type = ($_SERVER["SERVER_PORT"] == 443) ? 'SSL' : 'NONSSL';

 

 

This seems to have done the trick in fixing both the SSL Padlock issue and the <base href> HTML Tag Issue.

 

I have logged this as a bug report for future reference: http://www.oscommerce.com/community/bugs,3407/

 

 

Many thanks for your reply, and I hope this helps anyone else that's having the same issue

 

Thanks and Regards,

 

Ray Frangie

*links and email to non osCommerce, against forum rules*

Link to comment
Share on other sites

Actually, you would have found that fix if you had done a search of these forums for ssl issues. Your bug report is not valid, as it is not a bug within osCommerce - it is down to the way in which your hosting provider has their system set up to handle ssl. osCommerce cannot cover all possibilities for ssl and whilst port 443 is very often the ssl port it is not always the ssl port.

 

Vger

Link to comment
Share on other sites


It's my own dedicated box running Windows 2003 Server Enterprise Edition and IIS6

 

It was seen as a fault with all browsers even ones running on Linux.

 

Changing that line of code seems to have fixed the problem for all browsers.

Link to comment
Share on other sites


Of course. It's not a browser issue.

 

See:

 

http://www.oscommerce.com/forums/index.php?sho...23entry672623

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

  • 4 years later...

With the help of a friend who was a PHP Developer for 5 years, I've made the following change which has fixed the problem perfectly.

 

/includes/application_top.php - Line 42

Change this line:

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

To this line:

$request_type = ($_SERVER["SERVER_PORT"] == 443) ? 'SSL' : 'NONSSL';

I seem to recall hearing that IIS returns getenv('HTTPS') as 1 and not on. osC should really check both forms! So yes, it could be called a bug (of sorts) in osC. Maybe something like:

$env_HTTPS = getenv('HTTPS');
$request_type = ($env_HTTPS == 'on' || $env_HTTPS == '1') ? 'SSL' : 'NONSSL';

 

I've seen conflicting information on how IIS handles the HTTPS environment variable, so maybe someone more knowledgeable in the ways of IIS can speak on this? I don't know if there are any cases where $env_HTTPS will be unset or otherwise cause errors (is isset() needed?).

Link to comment
Share on other sites
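
Added example, not part of any post in this thread and not osCommerce code: one way to make the request-type check tolerate the different forms of the HTTPS variable discussed above, falling back to a configurable port only when the variable is absent. The function names, `shop.example` and the sample arrays are constructed for illustration; treating `'0'` as plain HTTP is a defensive assumption.

```php
<?php
// Added example; not osCommerce code. Names and sample arrays are constructed.

// Classify a request from a $_SERVER-style array.
// $ssl_port is an assumption: the port the HTTPS site is bound to.
function detect_request_type(array $server, int $ssl_port = 443): string
{
    $https = strtolower(trim((string) ($server['HTTPS'] ?? '')));
    if ($https === 'off' || $https === '0') {
        return 'NONSSL';   // server explicitly reports plain HTTP ('0' is an assumption)
    }
    if ($https !== '') {
        return 'SSL';      // 'on', '1' or any other non-empty value
    }
    // HTTPS variable unset or empty: fall back to the listening port.
    // A missing key never raises an error here because of the ?? default.
    $port = (int) ($server['SERVER_PORT'] ?? 0);
    return ($port === $ssl_port) ? 'SSL' : 'NONSSL';
}

// Build the <base href> value for the detected scheme, in the same way the
// thread describes it being derived from HTTP_SERVER / HTTPS_SERVER.
function base_href(string $request_type, string $http_server,
                   string $https_server, string $catalog = '/'): string
{
    return (($request_type === 'SSL') ? $https_server : $http_server) . $catalog;
}

// Constructed inputs: [server variables, configured SSL port].
$cases = [
    'HTTPS=on'               => [['HTTPS' => 'on',  'SERVER_PORT' => '443'], 443],
    'HTTPS=1'                => [['HTTPS' => '1',   'SERVER_PORT' => '443'], 443],
    'HTTPS=off'              => [['HTTPS' => 'off', 'SERVER_PORT' => '80'],  443],
    'HTTPS unset, port 443'  => [['SERVER_PORT' => '443'],  443],
    'HTTPS unset, port 80'   => [['SERVER_PORT' => '80'],   443],
    'HTTPS unset, port 8443' => [['SERVER_PORT' => '8443'], 8443],
];

foreach ($cases as $label => [$server, $ssl_port]) {
    $type = detect_request_type($server, $ssl_port);
    $href = base_href($type, 'http://shop.example', 'https://shop.example');
    printf("%-24s %-6s <base href=\"%s\">\n", $label, $type, $href);
}
```

An `http://` base href on a page fetched over HTTPS makes every relative resource resolve to plain HTTP, which is why the padlock stayed off in this thread until the request type was detected correctly.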

Archived

This topic is now archived and is closed to further replies.
