
Customers Can't Access Account; Customers Can't Visit Product Pages; Guests Can't Browse Cart


Seren2


*** For real smarty pants only! ***

 

Why is this making us crazy?

We can't reproduce the problems on our end! We've had our internal staff and an outside agency tackle this, so this is probably not a task for a newbie. Jump to The Gory Details if you want to help.

 

When you visit our cart (http://www.madisound.com/catalog/) you will probably have no problems at all. There are, however, a small percentage of customers reporting access issues to product pages, to cart accounts, and to product pages. A product link that works for us, but not for some: http://www.madisound.com/catalog/product_i...roducts_id=8175.

 

The Gory Details

 

osCommerce admin settings: JPG with screenshots of admin settings for logging, cache, session: http://www.madisound.com/images/madisound_osc_settings.gif.

 

Absolute path to cart: /nfs/webhosting0/sites/m/a/www.madisound.com/jail/web/catalog

This differs from the setting in the configure files below, but the cart has been working (mostly).

What goes wrong?

  1. Attempts at customer login resolved to cart home without logging a customer in; correct username/password combo verified.
  2. Attempts to navigate through cart fail entirely, leaving customer at login page.
  3. Attempts to follow links to products fail, leaving

We didn't discover this issue until we went live. We can detect no pattern concerning cookies, browsers, sessions, or SSL.

 

Is this a clue? Error logs from our Apache server

 

This looks fishy:

[Thu May 24 04:05:36 2007] [error] [client 68.97.18.155] sh: chmod: not found, referer: http://www.madisound.com/catalog/index.php?cPath=356

 

There are a bunch of lines like this. Somehow the script is trying to chmod files (change permissions). That might not be normal.

 

- Here's another entry: [Thu May 24 20:34:53 2007] [error] [client 71.129.85.27] sh: chmod: not found, referer: https://www.madisound.com/catalog/create_account.php

Is this right? Code from /catalog/admin/includes/configure.php

 

 define('HTTP_SERVER', 'http://www.madisound.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTP_CATALOG_SERVER', 'http://www.madisound.com');
 define('HTTPS_CATALOG_SERVER', 'https://www.madisound.com');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', '/web/catalog/'); // where the pages are located on the server
 define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required
 define('DIR_FS_ADMIN', '/web/catalog/admin/'); // absolute path required
 define('DIR_WS_CATALOG', '/catalog/'); // absolute path required
 define('DIR_FS_CATALOG', '/web/catalog/'); // absolute path required
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
 define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
 define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

 

Is this right? Code from /catalog/includes/configure.php

 define('HTTP_SERVER', 'http://www.madisound.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://www.madisound.com'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.madisound.com');
 define('HTTPS_COOKIE_DOMAIN', 'www.madisound.com');
 define('HTTP_COOKIE_PATH', '/catalog/');
 define('HTTPS_COOKIE_PATH', '/catalog/');
 define('DIR_WS_HTTP_CATALOG', '/catalog/');
 define('DIR_WS_HTTPS_CATALOG', '/catalog/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_PDF', 'PDF/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

Problem solving is a lifestyle, not an isolated activity.


Prevent Spider Sessions should be set to true, Recreate Session to true. Check IP Address: now why do you want to do that kind of session validation? Try setting this to false unless you know what you're doing.

Use the search engines to see if your URLs are indexed with sessions. If so, install the session regeneration module. And install the latest spiders.txt.

 

http://www.oscommerce.com/community/contributions,2455

http://www.oscommerce.com/community/contributions,4112


...Check IP Address now why you want to do that kind of session validation? Try setting this to false unless you know what you're doing....

Well, I may not know what I'm doing :) but we use IP addresses to check for a particular kind of fraud. Knowing that, would you still recommend that I turn it off?

Problem solving is a lifestyle, not an isolated activity.


Well, I may not know what I'm doing :) but we use IP addresses to check for a particular kind of fraud. Knowing that, would you still recommend that I turn it off?

That switch is to validate the IP with each request. Why do you think it will prevent fraud?

If you want to ban IPs, use one of the contributions:

http://www.oscommerce.com/community/contributions,2532

http://www.oscommerce.com/community/contributions,1561

 

Here is one for cc's:

http://www.oscommerce.com/community/contributions,3614


Prevent Spider Sessions should be set to true, Recreate Session to true, Check IP Address now why you want to do that kind of session validation? Try setting this to false unless you know what you're doing. Use the search engines see if your urls are indexed with sessions. If so install the session regeneration module. And install the latest spiders.txt.....

Partial fix but some customers are still having trouble with the cart, esp. the checkout pages

  1. I followed the suggestions of enigma1 and have made some progress toward fixing the cart, i.e. I installed a new spiders.txt file and updated sessions.php.
  2. One customer who had the issues [described in the first post of the forum] now got as far as /catalog/checkout_shipping.php and reported the following... "When I hit the Next button on one of the checkout pages it just keeps refreshing the page rather than going to the next page. Similar to the login problem I had (which is now fine)."

I still suspect SSL is to blame and now have evidence...

In reference to the error on the last image of /catalog/checkout_shipping.php:

if ($order->content_type == 'virtual') {
 if (!tep_session_is_registered('shipping')) tep_session_register('shipping');
 $shipping = false;
 $sendto = false;
 tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL'));
}        // line 56

Problem solving is a lifestyle, not an isolated activity.


In addition to the help here, I was also able to find another area of problems.

  1. Make all links relative = eliminated partially unsecured pages
  2. Remove the "base href" from all of your osCommerce pages = get around Apache server setting that messed with osCommerce (see tech note below)

tech support sez, the problem is that the customer is looking for an environment variable that isn't being set. see catalog/includes/application_top.php line 41. "HTTPS" is an environment variable traditionally set by the mod_ssl module of apache. however, our ssl handling is done in the f5 load balancers, so none of those variables will exist on the web hosting servers. anyway, the customer is using this to generate absolute URLs to images and links. see catalog/create_account.php line 263. the "base" tag is setting the URL offset for all future "img" and "a" tags. Because the "HTTPS" variable is not being set, the default is to use " which gets prepended to the "img" and "a" tags. These images are then loaded from the non-secure "http" site, which is most likely why your page comes up with errors saying "this page contains both secure and non-secure items". This is generally not a best practice. The customer should remove this base tag and use relative URLs instead. It makes the code more portable and durable.

Problem solving is a lifestyle, not an isolated activity.
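
The failure tech support describes above, as an added example that is not part of the original post or of osCommerce's own code: when TLS ends at the load balancer the web server never sees HTTPS, so scheme detection has to fall back to a forwarded header, and only when the request really came from the load balancer. The function names, the TRUSTED_PROXIES addresses and the X-Forwarded-Proto header (which the load balancer would have to be configured to send) are assumptions.

```php
<?php
// Added example, not osCommerce code. TRUSTED_PROXIES and the
// X-Forwarded-Proto header are assumptions about the load balancer setup.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // constructed placeholder addresses

/** Return 'SSL' or 'NONSSL' for a request described by a $_SERVER-style array. */
function detect_request_type(array $server): string
{
    // Case 1: TLS terminates on the web server itself (mod_ssl sets HTTPS=on).
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return 'SSL';
    }
    // Case 2: TLS terminates upstream. Believe the forwarded header only when
    // the TCP peer is one of our own proxies; any client can send the header.
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if (in_array($peer, TRUSTED_PROXIES, true) && $proto === 'https') {
        return 'SSL';
    }
    return 'NONSSL';
}

/** Build the base URL from the detected scheme (hypothetical helper). */
function base_url(array $server, string $host, string $path): string
{
    $scheme = detect_request_type($server) === 'SSL' ? 'https' : 'http';
    return $scheme . '://' . $host . $path;
}

// Constructed sample requests. The third one reproduces the thread's symptom:
// an HTTPS page served behind the load balancer still gets an http:// base.
$samples = [
    'mod_ssl on web server'       => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9'],
    'behind LB, header set'       => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'behind LB, no header'        => ['REMOTE_ADDR' => '10.0.0.5'],
    'header from untrusted peer'  => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    printf("%-28s %s\n", $label, base_url($server, 'www.madisound.com', '/catalog/'));
}
```

Only the first two samples yield an https:// base; the other two fall back to http://, which is what produces the "secure and non-secure items" warning on an HTTPS page.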


Archived

This topic is now archived and is closed to further replies.
