
osCommerce

The e-commerce.

HTTPS but no gold padlock


livefooduk


Yes.

The getenv('HTTPS') isn't returning any / incorrect value...

so it always defaults to the HTTP_SERVER on ALL your pages...

which is weird since it's an environment variable....

 

What does phpinfo() say under SSL ?

 

It should have an [ HTTPS on ] on that page and I believe somehow it doesn't

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

Okay.. no problem. You got me fooled then ;)

 

You create a file called phpinfo.php in your document root.

 

<?php

 // Powerful scripting coming up...

 phpinfo();

?>

 

That's it. Instant success. "Hey mom, look, I made this... " :D

 

Call it in SSL mode and regular mode. Once the page is loaded

hit CTRL-F and type HTTPS in the box.

It should be there on the SSL mode page... and it might be but your script is definitely not picking it up.

 

Let me know how that goes...

Mattice

 

PS Don't keep your phpinfo.php hanging about... it does contain some info you should consider sensitive. So remove it once you're ready with it.

 

Oh.. I remember the Admin has it implemented under Server Info.

But writing your own looks cooler :)

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

No HTTPS found :cry:

I did find this amongst other things

DOCUMENT_ROOT /homepages/4/d72430247/htdocs 

HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-gsarcade-launch, */* 

HTTP_ACCEPT_ENCODING gzip, deflate 

HTTP_ACCEPT_LANGUAGE en-us 

HTTP_CONNECTION close 

HTTP_HOST livefoodshop.co.uk 

HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) 

HTTP_X_FORWARDED_FOR 217.134.235.66 

HTTP_X_FORWARDED_HOST sslrelay.com 

HTTP_X_FORWARDED_SERVER sslrelay.com 

..........................

REDIRECT_SCRIPT_URI http://livefoodshop.co.uk/phpinfo.php 

............................................

SCRIPT_FILENAME /homepages/4/d72430247/htdocs/phpinfo.php 

SCRIPT_URI http://livefoodshop.co.uk/phpinfo.php 

.........................................

SERVER_PROTOCOL HTTP/1.1

Best wishes

Steve

Link to comment

Ahhhh.... it's nice to finally see what the problem is :D

 

Anyway... my proposed fix will work (setting all the SSL pages to 'base href HTTPS')... but you should really find out WHY it does not give you the HTTPS environment because it really should. I'm still thinking it has to do with the VirtualHost settings in your webserver configuration... or it could be something restrictive in PHP I do not know about... really can't tell. Perhaps an older PHP version (check your phpinfo.php file again)

 

It's not a big deal as the pages ARE encrypted... but would be nice to solve it properly.

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

If you are running a Windows server, and running PHP as an ISAPI module, then getenv will not return correct values.

 

The advice as always to Windows users is to ditch IIS and run Apache. Not exactly a proper fix. There are ways of not relying on getenv, but I'm still looking at what different servers return for getenv, HTTP_SERVER_VARS, and _SERVER to completely understand how we cater for all possibilities.

Trust me, I'm an Accountant.

Link to comment

Ahhhh.... it's nice to finally see what the problem is :D  

 

Anyway... my proposed fix will work (setting all the SSL pages to 'base href HTTPS')... but you should really find out WHY it does not give you the HTTPS environment because it really should. I'm still thinking it has to do with the VirtualHost settings in your webserver configuration... or it could be something restrictive in PHP I do not know about... really can't tell. Perhaps an older PHP version (check your phpinfo.php file again)

 

It's not a big deal as the pages ARE encrypted... but would be nice to solve it properly.

PHP Version 4.1.1

Thank you for all the time you have taken on this for me, looks like I might have to get my own SSL certificate installed, do I need root access to do this?

Best wishes

Steve

Link to comment

If you are running a Windows server, and running PHP as an ISAPI module, then getenv will not return correct values.

 

The advice as always to Windows users is to ditch IIS and run Apache. Not exactly a proper fix. There are ways of not relying on getenv, but I'm still looking at what different servers return for getenv, HTTP_SERVER_VARS, and _SERVER to completely understand how we cater for all possibilities.

I am not running a windows server.

Apache/1.3.27 (Unix)

Best wishes

Steve

Link to comment

Yeah... you'll probably need root access to change the httpd.conf (Apache's configuration file)

 

I'm not sure why the HTTPS env isn't there.

 

I also thought of another possible fix...

create a php file like this:

echo 'HTTPS is: ' . $HTTP_SERVER_VARS['HTTPS'];

 

call that in https:// mode and see if it gives you something

if so you can replace the getenv with that.

 

Regards,

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

If you are running a Windows server, and running PHP as an ISAPI module, then getenv will not return correct values.

 

The advice as always to Windows users is to ditch IIS and run Apache. Not exactly a proper fix.

but a wise decision though :D

 

There are ways of not relying on getenv, but I'm still looking at what different servers return for getenv, HTTP_SERVER_VARS, and _SERVER to completely understand how we cater for all possibilities.

 

I just noticed you already gave my 'new' solution ... :D

Couldn't you just double check? If php version < superglobal aware check for getenv and HTTP_SERVER_VARS, if > check _SERVER?

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment
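
The phpinfo() dump earlier in the thread has no HTTPS entry but does show HTTP_X_FORWARDED_HOST sslrelay.com, which is what a script sees when a relay in front of it handles the SSL connection and passes the request on as plain HTTP. The sketch below is an added example, not code from this thread or from osCommerce: it checks the HTTPS variable first and then falls back to the forwarded host, trusting that header only when the connection really comes from the relay. The function names, the relay address 192.0.2.10 and the premise that the relay accepts HTTPS only are assumptions.

```php
<?php
// Added example (not osCommerce code). Assumes modern PHP (7+).
// Decides which base URL a page should emit when the shop may be reached
// directly or through a shared SSL relay that forwards plain HTTP.

// Relay host name as it appears in HTTP_X_FORWARDED_HOST in the dump above.
const RELAY_HOSTS = ['sslrelay.com'];
// Placeholder (assumption): addresses the relay connects from. The thread
// does not give them; 192.0.2.10 is a documentation address.
const RELAY_ADDRS = ['192.0.2.10'];

function request_is_ssl(array $server): bool
{
    // Direct TLS on this server: mod_ssl exports HTTPS=on.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // Relayed TLS: X-Forwarded-* headers are supplied by whoever connects,
    // so only believe them when the TCP peer is the relay itself.
    if (!in_array($server['REMOTE_ADDR'] ?? '', RELAY_ADDRS, true)) {
        return false;
    }
    $fwd = strtolower(trim((string) ($server['HTTP_X_FORWARDED_HOST'] ?? '')));
    return in_array($fwd, RELAY_HOSTS, true);
}

function base_url(array $server, string $http, string $https): string
{
    return request_is_ssl($server) ? $https : $http;
}

// Constructed sample requests (not captured traffic).
$samples = [
    'direct http'    => ['REMOTE_ADDR' => '198.51.100.7'],
    'direct mod_ssl' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTPS' => 'on'],
    'via relay'      => ['REMOTE_ADDR' => '192.0.2.10',
                         'HTTP_X_FORWARDED_HOST' => 'sslrelay.com'],
    'forged header'  => ['REMOTE_ADDR' => '198.51.100.7',
                         'HTTP_X_FORWARDED_HOST' => 'sslrelay.com'],
];
foreach ($samples as $label => $server) {
    printf("%-15s %s\n", $label, base_url($server,
        'http://livefoodshop.co.uk', 'https://sslrelay.com/livefoodshop.co.uk'));
}
```

In a page template, the result of request_is_ssl($_SERVER) would take the place of the getenv('HTTPS') == 'on' test in the base href line.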

If you are running a Windows server, and running PHP as an ISAPI module, then getenv will not return correct values.

 

The advice as always to Windows users is to ditch IIS and run Apache. Not exactly a proper fix.

but a wise decision though :D

 

There are ways of not relying on getenv, but I'm still looking at what different servers return for getenv, HTTP_SERVER_VARS, and _SERVER to completely understand how we cater for all possibilities.

 

I just noticed you already gave my 'new' solution ... :D

Couldn't you just double check? If php version < superglobal aware check for getenv and HTTP_SERVER_VARS, if > check _SERVER?

Sounds good but you forget I am very new to all this :oops: how and where would I put that?

Best wishes

Steve

Link to comment

create a php file like this:

<?php



echo 'HTTPS is: ' . $HTTP_SERVER_VARS['HTTPS'];



?>

 

call that in https:// mode and see if it gives you something

if so you can replace the getenv with that.

 

Regards,

Mattice

 

did you try that yet?

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

As you don't have the _SERVER global in your version of PHP you don't have to try that one.

 

Ehm.. another trick that might do it (can't test so can't tell)

 

Create another php file (Ha! you'll be a coder by the end of this thread)

<?php

//test.php



echo $SERVER_NAME;

?>

 

Call that with https://sslrelay.com/livefoodukshop/test.php

 

If the outcome is 'sslrelay.com' (I think it will be) you place the following

in your application_top.php (somewhere at the end):

 

 if ($SERVER_NAME  == 'sslrelay.com') {

  define('HTTPS', 'on');

}

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

Unfortunately it returns: livefoodshop.co.uk for both https://sslrelay.com/livefoodshop.co.uk/test.php and http://www.livefoodshop.co.uk/test.php but I think this could give me a solution as I could register the domain www.livefoodshop.biz also and have that point to the same directory as www.livefoodshop.co.uk and then set up my sslrelay thing to point to https://sslrelay.com/livefoodshop.biz then do your test above and then have

if ($SERVER_NAME  == 'livefoodshop.biz') { 

  define('HTTPS', 'on'); 

}

I am quite excited now :D

Best wishes

Steve

Link to comment

I'm not sure whether that should work as $SERVER_NAME needs to return the ..well server name ;).

You can set this in your VirtualHost setting: in httpd.conf use directive ServerName

So you might just want to ask if your provider can do that for you.

 

Get a DNS alias for secure.livefoodshop.co.uk and point that to sslrelay.com/livefoodshop.co.uk. Set the ServerName directive and you're on your way...

 

In any case my solution of forcing osC to use the HTTPS as <base href> will be good enough.

It's what should happen with the if /else getenv() code anyway.

So you just force it on about 10 pages that require SSL.

Saves you some money... Think about the benefits...

Get yourself some more frozen rodents for Xmas! :D

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

Just tried it on my main site which can be reached by www.reptileweb.co.uk as well as www.livefood.co.uk uploaded 1 file test.php to htdocs and

http://www.reptileweb.co.uk/test.php returns reptileweb.co.uk

and

http://www.livefood.co.uk/test.php returns livefood.co.uk

So it looks like the secure.livefoodshop.co.uk option will work :D

Many thanks for all your time, I will let you know how I get on.

Best wishes

Steve

Link to comment

Yeah it should, but only if you have them set the ServerName directive for it.

And it will look a lot cleaner than the sslrelay.com link.

 

Regards,

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

Right I now have

https://sslrelay.com/secure.livefoodshop.co....co.uk/test.php returns:

secure.livefoodshop.co.uk

And

http://www.livefoodshop.co.uk/test.php returns:

livefoodshop.co.uk

so I put

if ($SERVER_NAME  == 'secure.livefoodshop.co.uk') { 

  define('HTTPS', 'on'); 

}

near the bottom of application_top.php but I still don't get the gold padlock :cry:

Do I need to change anything in

<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">

Best wishes

Steve

Link to comment

Hey Steve, I am using 1&1 as my webhost as well and this is exactly what I have done to get it working:

 

1) Made sure that my /catalog/includes/configure.php is correct. Looking at your site it seems to be correct because when I click login it takes me through the secure server, so you don't need to worry about that.

 

2) Opened catalog/login.php and modified the 71st line to

<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTP_SERVER : HTTPS_SERVER) . DIR_WS_CATALOG; ?>">

 

3) Repeat step 2 for every page I want displayed with the little padlock: account.php, account_edit.php, checkout_payment.php and so on.

 

That's it! I have not changed anything else. If you still have a problem with this maybe it's your configure.php because I remember having problems with that before. Let me know and I will post mine for you to compare.

Link to comment

Right I now have

https://sslrelay.com/secure.livefoodshop.co....co.uk/test.php returns:

secure.livefoodshop.co.uk

And

http://www.livefoodshop.co.uk/test.php returns:

livefoodshop.co.uk

so I put  

if ($SERVER_NAME  == 'secure.livefoodshop.co.uk') { 

  define('HTTPS', 'on'); 

}

near the bottom of application_top.php but I still don't get the gold padlock :cry:

Do I need to change anything in

<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">

 

oh damn.. stupid of me.. it doesn't swallow the define as an environment variable :oops:

Seems you will still have to edit the files anyway...

Drop the application_top bit and edit any file that needs SSL and change to:

<base href="<?php echo HTTPS_SERVER . DIR_WS_CATALOG; ?>">

 

And for anyone wondering (where is everybody anyway?):

AFAIK putenv() will only work if your server is running PHP in safe mode.

And even then it must be specifically allowed to set the variable...

 

Ahh... it could have been so beautiful... :(

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

Hey Steve, I am using 1&1 as my webhost as well and this is exactly what I have done to get it working:

 

1) Made sure that my /catalog/includes/configure.php is correct. Looking at your site it seems to be correct because when I click login it takes me through the secure server, so you don't need to worry about that.

 

2) Opened catalog/login.php and modified the 71st line to  

<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTP_SERVER : HTTPS_SERVER) . DIR_WS_CATALOG; ?>">

 

3) Repeat step 2 for every page I want displayed with the little padlock: account.php, account_edit.php, checkout_payment.php and so on.

 

That's it! I have not changed anything else. If you still have a problem with this maybe it's your configure.php because I remember having problems with that before. Let me know and I will post mine for you to compare.

 

What you do with that code is tell it to look for the env HTTPS (which doesn't exist) so then it always defaults to HTTPS_SERVER... It's reversed logic and it does a useless (as we know the outcome already) check on every SSL page.... But the result is correct.. that's true ;)

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment

Ahh... it could have been so beautiful... :(

I know I was excited about that too :cry:

I have changed all the https pages to

<base href="<?php echo HTTPS_SERVER . DIR_WS_CATALOG; ?>">

but will that give me the same effect as if it had worked properly on my server with the original OSC code, because now I get the security alert after logging in, i.e. after I log in it takes me to https://sslrelay.com/secure.livefoodshop.co...log/default.php and not http://www.livefoodshop.co.uk/catalog/default.php

Best wishes

Steve

Link to comment

Archived

This topic is now archived and is closed to further replies.
