Seren2, posted June 4, 2007

*** For real smarty pants only! ***

Why is this making us crazy? We can't reproduce the problems on our end! We've had our internal staff and an outside agency tackle this, so this is probably not a task for a newbie. Jump to The Gory Details if you want to help.

When you visit our cart (http://www.madisound.com/catalog/) you will probably have no problems at all. There are, however, a small percentage of customers reporting access issues to product pages, to cart accounts, and to product pages.

A product link that works for us, but not for some: http://www.madisound.com/catalog/product_i...roducts_id=8175.

The Gory Details

osCommerce admin settings: JPG with screen shots of admin settings for logging, cache, session: http://www.madisound.com/images/madisound_osc_settings.gif.

Absolute path to cart: /nfs/webhosting0/sites/m/a/www.madisound.com/jail/web/catalog
This differs from the setting in the configure files below, but the cart has been working (mostly).

What goes wrong?

- Attempts at customer login resolved to cart home without logging a customer in; correct username/password combo verified.
- Attempts to navigate through cart fail entirely, leaving customer at login page.
- Attempts to follow links to products fail, leaving

We didn't discover this issue until we went live. We can detect no pattern concerning cookies, browsers, sessions, or SSL.

Is this a clue? Error logs from our Apache server

This looks fishy:

[Thu May 24 04:05:36 2007] [error] [client 68.97.18.155] sh: chmod: not found, referer: http://www.madisound.com/catalog/index.php?cPath=356

There are a bunch of lines like this. Somehow the script is trying to chmod files (change permissions). That might not be normal.

Here's another entry:

[Thu May 24 20:34:53 2007] [error] [client 71.129.85.27] sh: chmod: not found, referer: https://www.madisound.com/catalog/create_account.php

Is this right?
Code from /catalog/admin/includes/configure.php

define('HTTP_SERVER', 'http://www.madisound.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.madisound.com');
define('HTTPS_CATALOG_SERVER', 'https://www.madisound.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/web/catalog/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/web/catalog/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/catalog/'); // absolute path required
define('DIR_FS_CATALOG', '/web/catalog/'); // absolute path required
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

Is this right?

Code from /catalog/includes/configure.php

define('HTTP_SERVER', 'http://www.madisound.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.madisound.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.madisound.com');
define('HTTPS_COOKIE_DOMAIN', 'www.madisound.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_PDF', 'PDF/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

Problem solving is a lifestyle, not an isolated activity.

Guest, posted June 5, 2007

Prevent Spider Sessions should be set to true, Recreate Session to true. Check IP Address: now why do you want to do that kind of session validation? Try setting this to false unless you know what you're doing.

Use the search engines to see if your URLs are indexed with sessions. If so, install the session regeneration module. And install the latest spiders.txt:

http://www.oscommerce.com/community/contributions,2455
http://www.oscommerce.com/community/contributions,4112

Seren2 (author), posted June 5, 2007

> ...Check IP Address now why you want to do that kind of session validation? Try setting this to false unless you know what you're doing....

Well, I may not know what I'm doing :) but we use IP addresses to check for a particular kind of fraud. Knowing that, would you still recommend that I turn it off?

Guest, posted June 5, 2007

> Well, I may not know what I'm doing :) but we use IP addresses to check for a particular kind of fraud. Knowing that, would you still recommend that I turn it off?

That switch is to validate the IP with each request. Why do you think it will prevent fraud? If you want to ban IPs, use one of the contributions:

http://www.oscommerce.com/community/contributions,2532
http://www.oscommerce.com/community/contributions,1561

Here is one for CCs:

http://www.oscommerce.com/community/contributions,3614

Seren2 (author), posted June 7, 2007

> Prevent Spider Sessions should be set to true, Recreate Session to true, Check IP Address now why you want to do that kind of session validation? Try setting this to false unless you know what you're doing. Use the search engines see if your urls are indexed with sessions. If so install the session regeneration module. And install the latest spiders.txt.....

Partial fix but some customers are still having trouble with the cart, esp. the checkout pages

I followed the suggestions of enigma1 and have made some progress toward fixing the cart, i.e. I installed a new spiders.txt file and updated sessions.php. One customer who had the issues [described in the first post of the forum] now got as far as /catalog/checkout_shipping.php and reported the following...

"When I hit the Next button on one of the checkout pages it just keeps refreshing the page rather than going to the next page. Similar to the login problem I had (which is now fine)."

I still suspect SSL is to blame and now have evidence...

Firefox on checkout page: http://www.madisound.com/webteam/images/ff-checkout.gif
IE on login: http://www.madisound.com/webteam/images/ie-login.gif
IE on checkout shipping: http://www.madisound.com/webteam/images/ie...ut_shipping.gif

In reference to the error on the last image of /catalog/checkout_shipping.php:

if ($order->content_type == 'virtual') {
  if (!tep_session_is_registered('shipping')) tep_session_register('shipping');
  $shipping = false;
  $sendto = false;
  tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL'));
} // line 56

Seren2 (author), posted June 15, 2007

In addition to the help here, I was also able to find another area of problems.

- Make all links relative = eliminated partially unsecured pages
- Remove the "base href" from all of your osCommerce pages = get around Apache server setting that messed with osCommerce (see tech note below)

tech support sez,

the problem is that the customer is looking for an environment variable that isn't being set. see catalog/includes/application_top.php line 41. "HTTPS" is an environment variable traditionally set by the mod_ssl module of apache. however, our ssl handling is done in the f5 load balancers, so none of those variables will exist on the web hosting servers.

anyway, the customer is using this to generate absolute URLs to images and links. see catalog/create_account.php line 263. the "base" tag is setting the URL offset for all future "img" and "a" tags. Because the "HTTPS" variable is not being set, the default is to use "http://www.madisound.com/..." which gets prepended to the "img" and "a" tags. These images are then loaded from the non-secure "http" site, which is most likely why your page comes up with errors saying "this page contains both secure and non-secure items".

This is generally not a best practice. The customer should remove this base tag and use relative URLs instead. It makes the code more portable and durable.
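
The tech note above describes TLS terminated at a load balancer, so the web server never sees the HTTPS variable that mod_ssl would set. As an added example (not part of the thread and not osCommerce code), this PHP decides the request scheme in that setup. It assumes the balancer is configured to add an X-Forwarded-Proto header and connects from the constructed address 10.0.0.5; the header is honoured only from that address because any client can send it.

```php
<?php
// Added example, not osCommerce code. Assumptions: the load balancer adds an
// "X-Forwarded-Proto" header and connects from the addresses listed in
// $trustedProxies (constructed values).

/**
 * Decide whether the client-facing request was HTTPS.
 * $server is a $_SERVER-style array so the function can be exercised offline.
 */
function request_is_https(array $server, array $trustedProxies): bool
{
    // Case 1: TLS terminates on this web server (mod_ssl sets HTTPS=on).
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Case 2: TLS terminates upstream. Honour the forwarded header only when
    // the TCP peer is a known proxy; any client can send this header itself.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)) {
        $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        return $proto === 'https';
    }
    return false;
}

/** Pick the base URL from the scheme; host names mirror the page's configure.php. */
function catalog_base(array $server, array $trustedProxies): string
{
    $host = request_is_https($server, $trustedProxies)
        ? 'https://www.madisound.com'
        : 'http://www.madisound.com';
    return $host . '/catalog/';
}

$trustedProxies = ['10.0.0.5']; // constructed load balancer address

// Constructed requests: direct TLS, TLS offloaded at the balancer, a client
// forging the header without passing through the balancer, and plain HTTP.
$samples = [
    'mod_ssl'   => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9'],
    'offloaded' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'forged'    => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'plain'     => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http'],
];
foreach ($samples as $name => $server) {
    printf("%-10s %s\n", $name, catalog_base($server, $trustedProxies));
}
```

The "offloaded" case is the one from the tech note: without the second branch it would resolve to the http:// base and produce the mixed-content warning on secure pages.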