osCommerce

SSL and insecure items


nspace

Posted

I just got my osCommerce set up on a secure server. The certificate and security seem to be working, but the bar does not stay yellow at the top when in secure parts of the store (in Firefox you get a padlock with a slash through it). I think it is because there are some insecure elements causing it not to be "fully" secure. I don't think I am using any hotlinked images, so I am not sure what would be causing this.

You can see what I mean if you go to a page like the checkout one: https://www.psyclestore.com/login.php?osCsi...d0fe9cef50c4c78

Any ideas on how I can avoid this?

Posted

Hey Tom,

Open the includes > configure.php file and see if you have lines similar to the ones below. My guess is you're missing one. ;)

define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'psyclestore.com');
define('HTTPS_COOKIE_DOMAIN', 'secure.hostname.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

Good luck!

- :: Jim :: -

- My Toolbox ~ Adobe Web Bundle, XAMPP & WinMerge | Install ~ osC v2.3.3.4 -

Posted
Hmm, I checked all that and I think it is correct:

define('HTTP_SERVER', 'http://www.psyclestore.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.psyclestore.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'http://www.psyclestore.com');
define('HTTPS_COOKIE_DOMAIN', 'https://www.psyclestore.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

I think it is secure, but something must be linking to an http:// reference or something and I am not sure what it would be; I can't seem to find anything that isn't relative.

Posted
Your problem is ..

<base href="http://www.psyclestore.com/">

The base href should be https for a secure page.

Try changing in includes/application_top.php

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

to ...

//$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

If it works you'll also have to change tep_redirect in includes/functions/general.php
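
How the http `<base href>` pointed out above turns every relative link on the secure page into an insecure request, as an added example that is not part of the original thread: a Python check that resolves each sub-resource the way a browser does and lists the ones that would be fetched over plain HTTP. The page markup and file names in `SAMPLE` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches as a sub-resource (<a href> only navigates).
FETCHED = {"img": "src", "script": "src", "iframe": "src", "input": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # relative URLs resolve here until <base> overrides it
        self.base_seen = False
        self.findings = []     # (tag, value as written, URL the browser requests)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            if attrs.get("href") and not self.base_seen:  # only the first <base> counts
                self.base, self.base_seen = urljoin(self.base, attrs["href"]), True
                self._check(tag, attrs["href"], self.base)
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return             # simplification: other <link> types are ignored
        value = attrs.get(FETCHED.get(tag, ""))
        if value:
            self._check(tag, value, urljoin(self.base, value))

    def _check(self, tag, value, resolved):
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, value, resolved))

def find_insecure(page_url, html):
    """Return sub-resources of an HTTPS page that would be fetched over plain HTTP."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: every link is relative, but <base> is http as in the thread.
SAMPLE = """<html><head>
<base href="http://www.psyclestore.com/">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head><body>
<img src="images/logo.gif"> <input type="image" src="images/button_login.gif">
<a href="index.php">Home</a>
</body></html>"""

if __name__ == "__main__":
    for tag, value, resolved in find_insecure("https://www.psyclestore.com/login.php", SAMPLE):
        print(f"<{tag}> {value!r} -> {resolved}")
```

With the base href switched to https, the same relative links resolve to https and the list comes back empty.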

Posted
Your problem is ..

 

    if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
      if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
        $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
      }
    }

to

    if ( (ENABLE_SSL == true) && (getenv('SERVER_PORT') == '443') ) { // We are loading an SSL page
      if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
        $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
      }
    }

 

Thanks!

Posted
is my second piece of code the correct modification?

 

Spot on!
