Jump to content
dev osCommerce
Forum
  • Checkout
  • Login
  • Contact Us
  • Get in touch

osCommerce

The e-commerce.

New Demo
Our Partners

Security Problem

Guest

By Guest
in General Support

Recommended Posts

Guest

Guest

Posted
Posted

I have hunted and hunted for the fix to this problem, but no luck sooo.... If I do the following I get redirected to a NONSSL checkout_payment.php instead of the desired SSL page.

 

1. create an account

2. log-off

3. add an item to cart

4. hit checkout button without logging in so I am sent to login.php

5. login to account using e-mail etc. it redirects to a non-secure checkout_payment.php page

 

This is the only way this problem happens and does not exsist for new accounts or if you login before trying to checkout. If I hit "no" on the security alert and then click on login again I am then redirected to a secure default page. The problem is also remedied if, rather than enter the credit card into a nonsecure page, I go to another page first and then back to the checkout. Basically a returning customer cannot get a secure checkout unless they login before hitting the checkout button. Is there an easy fix to this problem out there somewhere? Please feel free to play around with this on my site to see what I mean (just use "Please Delete" as your name when setting up account).

 

Just for reference my catalog/login.php looks like this: (I use a Sept. 10th snapshot)

 

if (sizeof($navigation->snapshot) > 0) {

         $origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name()), 'SSL') . $navigation->snapshot['mode']);

         $navigation->clear_snapshot();

         tep_redirect($origin_href);

       } else {

         tep_redirect(tep_href_link(FILENAME_DEFAULT,'', 'SSL'));

 

and my "notify" section of catalog/includes/application_top.php is:

 

if (tep_session_is_registered('customer_id')) {

                               if ($HTTP_GET_VARS['products_id']) {

                                 $notify = array($HTTP_GET_VARS['products_id']);

                               } elseif ($HTTP_POST_VARS['notify']) {

                                 $notify = $HTTP_POST_VARS['notify'];

                               } else {

                                 tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action')), 'SSL'));

                               }

                               for ($i=0; $i<sizeof($notify); $i++) {

                                 $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");

                                 $check = tep_db_fetch_array($check_query);

                                 if ($check['count'] < 1) {

                                   tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");

                                 }

                               }

                               tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action','notify')), 'SSL'));

                             } else {

                               $navigation->set_snapshot();

                               tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));

                             }

                             break;

 

Any suggestions would be more than welcomed! :) As of right now, my options seem to be to update to new checkout which I hesitate to do since I need the CCV contribution, or to add the autologin contribution which would probably go quite far in solving the problem.

Guest

Guest

Posted
Posted

Just decided I would change the redirect of $origin_href over to sending them back to the shopping cart in SSL. Just replaced with 

          tep_redirect(tep_href_link(FILENAME_SHOPPING_CART,'', 'SSL'));

This creates the problem of if they login earlier sending them to an empty cart, but IMO it beats risking them entering their CC into a non-secure site.

Guest

Guest

Posted
Posted
This creates the problem of if they login earlier sending them to an empty cart, but IMO it beats risking them entering their CC into a non-secure site.

 

Hehe, I guess this is easy enough to fix as well so I suppose there was no need for this thread. :oops: Unless of course there are others who will find the same problem in older snapshots. Anyhooo my catalog/login.php was just changed to this:

 

// Added: Check if there is something in the cart

 if ($cart->count_contents() == 0) {

   tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'SSL'));

 }

// restore cart contents

       $cart->restore_contents();



       if (sizeof($navigation->snapshot) > 0) {

         $origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name()), 'SSL') . $navigation->snapshot['mode']);

         tep_redirect(tep_href_link(FILENAME_SHOPPING_CART,'', 'SSL'));

         $navigation->clear_snapshot();

       } else {

         tep_redirect(tep_href_link(FILENAME_DEFAULT,'', 'SSL'));  //Added

       }

     }

   }

 }

 

If a returning customer logs in with nothing in the cart they are just sent to the default page. If they perform the original problem scenario and try to checkout before logging in they are just sent back to the cart after login. I am a happy camper now anyway! Doing!!!

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...