Secure user logged out at a couple of points


marsupial


Hi,

I have a shared SSL setup, and if you select login or create new user or just go straight through checkout it works fine; the padlock is shown.

My problems are these:

1/ If a user enters the site but does not log in they can add an item to the cart, which is ok because when they go to checkout it asks them to log in. Problem is that after they log in it says the cart is empty, so when they click the return button the home page says "welcome guest" but the shopping cart shows they have 1 item in it. Upon trying to check out again it asks them to log in, and so the loop goes around.

2/ The biggest pain I am having is the fact that the user can log in and do whatever they like pretty well secured, but if they happen to click on the store logo, which takes them home, it isn't https and therefore logs them out and says "welcome guest".

Can anybody advise?

Stephen


In includes/configure.php neither your http nor https cookie domains should have either http:// or https:// in them.

Some examples:

http_cookie_domain = 'www.yourdomain.com' or just 'yourdomain.com'

https_cookie_domain with full ssl is the same as above but must match how the ssl cert is issued (with or without www.)

https_cookie_domain for shared ssl = 'secure.yourhosts.com/yourdomain.com' or something like 'server9.yourhosts.com/~yourdomain'

Check with your hosts as to what the shared ssl should be.

If you have no ssl then leave https_cookie_domain blank - nothing between the two apostrophes.

Vger

Vger, I think I have everything set as you specified. I have removed things for security reasons, but this is what I have and still it does the same thing.

 

<?php
/*
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://mydomain.com.au'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://myhost.com/~mybusiness'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', false); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'mydomain.com.au');
 define('HTTPS_COOKIE_DOMAIN', 'mydomain.com.au');
 define('HTTP_COOKIE_PATH', '/catalog/');
 define('HTTPS_COOKIE_PATH', '/catalog/');
 define('DIR_WS_HTTP_CATALOG', '/catalog/');
 define('DIR_WS_HTTPS_CATALOG', '/catalog/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/mybusiness/public_html/catalog/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
 define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', 'mybusiness_osc1');
 define('DB_SERVER_PASSWORD', 'whatever');
 define('DB_DATABASE', 'mybusiness_osc1');
 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>
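The browser-side rules behind the cookie-domain advice, as an added example that is not part of the thread or of osCommerce: it checks each side of the store the way a browser checks a cookie's Domain and Path (RFC 6265), using the placeholder values from the configure.php posted above. `checkSide`, `checkConfig` and the `scoped` variant are hypothetical names and values, and store URLs are assumed to be built as server plus catalog directory.

```javascript
// Added example: applies the browser's cookie rules (RFC 6265 domain-match
// and path-match) to configure.php-style values. Assumes store URLs are built
// as <server> + <catalog dir>.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

function pathMatches(requestPath, cookiePath) {
  if (!requestPath.startsWith(cookiePath)) return false;
  return requestPath.length === cookiePath.length ||
    cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Returns the reasons a browser would refuse or never return the session
// cookie on one side (HTTP or HTTPS) of the store; empty array means OK.
function checkSide(server, catalogDir, cookieDomain, cookiePath) {
  const problems = [];
  const url = new URL(server);
  const requestPath = url.pathname.replace(/\/$/, '') + catalogDir;
  if (/^https?:\/\//i.test(cookieDomain)) {
    problems.push('cookie domain contains a scheme');
  } else if (cookieDomain !== '' && !domainMatches(url.hostname, cookieDomain)) {
    problems.push(`domain ${cookieDomain} does not match host ${url.hostname}`);
  }
  if (!pathMatches(requestPath, cookiePath)) {
    problems.push(`path ${cookiePath} does not cover ${requestPath}`);
  }
  return problems;
}

function checkConfig(c) {
  return {
    http: checkSide(c.HTTP_SERVER, c.DIR_WS_HTTP_CATALOG, c.HTTP_COOKIE_DOMAIN, c.HTTP_COOKIE_PATH),
    https: checkSide(c.HTTPS_SERVER, c.DIR_WS_HTTPS_CATALOG, c.HTTPS_COOKIE_DOMAIN, c.HTTPS_COOKIE_PATH),
  };
}

// Constructed sample: the placeholder values from the posted configure.php.
const posted = {
  HTTP_SERVER: 'http://mydomain.com.au', HTTPS_SERVER: 'https://myhost.com/~mybusiness',
  HTTP_COOKIE_DOMAIN: 'mydomain.com.au', HTTPS_COOKIE_DOMAIN: 'mydomain.com.au',
  HTTP_COOKIE_PATH: '/catalog/', HTTPS_COOKIE_PATH: '/catalog/',
  DIR_WS_HTTP_CATALOG: '/catalog/', DIR_WS_HTTPS_CATALOG: '/catalog/',
};
// Hypothetical variant scoped to the shared-SSL host and path instead.
const scoped = { ...posted, HTTPS_COOKIE_DOMAIN: 'myhost.com',
  HTTPS_COOKIE_PATH: '/~mybusiness/catalog/' };

console.log(checkConfig(posted));
console.log(checkConfig(scoped));
```

For the posted placeholder values the HTTP side is clean, while the HTTPS side reports both a domain mismatch and a path mismatch; the `scoped` variant passes on both sides.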


This started working ok and now for some reason has gone back to misbehaving. I can't make my site live when it is behaving like this.

The only thing I did last night was to change the permissions on the images folder to 755 for security reasons as suggested by another user on this forum.

Now it is as simple as if a user logs in they get thrown to the welcome screen which says "welcome <user name>" but as soon as the logged-in user selects cart they are asked to log in again. Same if they log in and then select the header graphic which takes them home: it comes up with the login screen, but if I select the header again it takes them home with "Welcome Guest".

I am at the end with this. I have spent some 40hrs getting the site to where it is ready to go live in a week and now this happens.

Can someone please help with any ideas as to what is going on?


Sometimes it pays not to listen to others but you gotta try.

The problem was the new permission settings and shared SSL together. Don't listen to anyone that says you can change the permissions on the image folder as it doesn't work. Leave them at 777 which is a very unfortunate thing.


Archived

This topic is now archived and is closed to further replies.
