failsafe
Posted October 7, 2008

Hi,

In my 'infinite wisdom' I decided to choose a slightly different domain name when I ordered my SSL certificate from that of my standard website. My thinking at the time was that when jumping to the secure checkout, the word 'secure' in the domain name would give even greater confidence to customers.

Can someone please verify I've set my configure files up correctly for cookies and session IDs, or tell me how to do it properly if not. Here are my current settings:

Standard catalog site: http://www.mydomain.co.uk/
SSL certificate & site: https://secure.mydomain.co.uk/

I set up my hosting so that both secure.mydomain.co.uk and www.mydomain.co.uk use the same physical files directory: /var/www/vhosts/mydomain.co.uk/catalog

Here are my configure.php files.

includes/configure.php:

    define('HTTP_SERVER', 'http://www.mydomain.co.uk');
    define('HTTPS_SERVER', 'https://secure.mydomain.co.uk');
    define('ENABLE_SSL', true);
    define('HTTP_COOKIE_DOMAIN', 'www.mydomain.co.uk');
    define('HTTPS_COOKIE_DOMAIN', 'secure.mydomain.co.uk');
    define('HTTP_COOKIE_PATH', '/');
    define('HTTPS_COOKIE_PATH', '/');
    define('DIR_WS_HTTP_CATALOG', '/');
    define('DIR_WS_HTTPS_CATALOG', '/');
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
    define('DIR_FS_CATALOG', $_SERVER['DOCUMENT_ROOT'] . '/'); # add trailing / as DOCUMENT_ROOT doesn't have one
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
    define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
    define('DB_SERVER', 'mydbserverdomain.co.uk');
    define('DB_SERVER_USERNAME', 'xxxxxx');
    define('DB_SERVER_PASSWORD', 'xxxxxx');
    define('DB_DATABASE', 'xxxxxx');
    define('USE_PCONNECT', 'false');
    define('STORE_SESSIONS', 'mysql');

admin/includes/configure.php:

    define('HTTP_SERVER', 'https://secure.mydomain.co.uk'); // <--- not sure why this is set like this... is it correct?
    define('HTTP_CATALOG_SERVER', 'http://www.mydomain.co.uk');
    define('HTTPS_CATALOG_SERVER', 'https://secure.mydomain.co.uk');
    define('ENABLE_SSL_CATALOG', 'true');
    define('DIR_FS_DOCUMENT_ROOT', $_SERVER['DOCUMENT_ROOT']);
    define('DIR_WS_ADMIN', '/admin/');
    define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . '/admin/');
    define('DIR_WS_CATALOG', '/');
    define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . '/'); # add trailing / as DOCUMENT_ROOT doesn't have one
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
    define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
    define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
    define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
    define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
    define('DB_SERVER', 'mydbserverdomain.co.uk');
    define('DB_SERVER_USERNAME', 'xxxxxx');
    define('DB_SERVER_PASSWORD', 'xxxxxx');
    define('DB_DATABASE', 'xxxxxx');
    define('USE_PCONNECT', 'false');
    define('STORE_SESSIONS', 'mysql');

In the database I've set:

    USE_CACHE: false
    DIR_FS_CACHE: /tmp/
    SESSION_WRITE_DIRECTORY: /tmp
    SESSION_FORCE_COOKIE_USE: False
    SESSION_CHECK_SSL_SESSION_ID: False
    SESSION_CHECK_USER_AGENT: False
    SESSION_CHECK_IP_ADDRESS: False
    SESSION_BLOCK_SPIDERS: True (and includes/spiders.txt is set up correctly)
    SESSION_RECREATE: True

Thanks in advance for any comments on how I can configure this better or more securely.
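Why the two different cookie domains above matter for the session: this is an added example (not osCommerce code and not from the thread) that applies the RFC 6265 domain-matching rule to the posted HTTP_COOKIE_DOMAIN and HTTPS_COOKIE_DOMAIN values, and for comparison to a shared parent-domain cookie, which the thread does not use and is assumed here.

```python
"""Cookie-domain scoping for the split www / secure hosts in the thread.

Added example, not osCommerce code: applies RFC 6265 domain matching to
the HTTP_COOKIE_DOMAIN / HTTPS_COOKIE_DOMAIN values from the post and
reports which host each session cookie actually reaches.
"""

# Values copied from the poster's includes/configure.php
HTTP_COOKIE_DOMAIN = "www.mydomain.co.uk"
HTTPS_COOKIE_DOMAIN = "secure.mydomain.co.uk"
# Shared parent domain: an alternative the thread does not use (assumption)
PARENT_COOKIE_DOMAIN = ".mydomain.co.uk"


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: the host matches if it equals the cookie Domain or
    ends with '.' + Domain. A leading dot on the attribute is ignored (5.2.3)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def hosts_receiving(cookie_domain, hosts):
    """Hosts in `hosts` to which a cookie with this Domain would be sent."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


def session_survives_switch(cookie_domain_set_on_www):
    """True if a session cookie issued on the plain-HTTP host is still
    presented when the checkout jumps to the HTTPS host."""
    return domain_matches(HTTPS_COOKIE_DOMAIN, cookie_domain_set_on_www)


if __name__ == "__main__":
    shop_hosts = [HTTP_COOKIE_DOMAIN, HTTPS_COOKIE_DOMAIN]
    for d in (HTTP_COOKIE_DOMAIN, HTTPS_COOKIE_DOMAIN, PARENT_COOKIE_DOMAIN):
        print("cookie Domain=%-24s sent to %s" % (d, hosts_receiving(d, shop_hosts)))
    # With the posted settings the www cookie never reaches secure., so the
    # session id has to travel some other way on that hop (osCommerce falls
    # back to its osCsid URL parameter when no session cookie is presented).
    print("session cookie follows checkout:",
          session_survives_switch(HTTP_COOKIE_DOMAIN))   # False
    # A parent-domain cookie would follow, but it is then also sent to the
    # plain-HTTP www host, so it needs the Secure flag to stay HTTPS-only.
    print("with parent-domain cookie:",
          session_survives_switch(PARENT_COOKIE_DOMAIN))  # True
```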
Jack_mcs
Posted October 7, 2008

The ssl should work fine in the shop with those settings. For the admin, you need to change

    define('HTTP_CATALOG_SERVER', 'http://www.mydomain.co.uk');

to use the secure url if you want it to work correctly.

Jack

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons. Get the latest versions of my addons. Recommended SEO Addons.
failsafe (Author)
Posted October 7, 2008

> The ssl should work fine in the shop with those settings. For the admin, you need to change define('HTTP_CATALOG_SERVER', 'http://www.mydomain.co.uk'); to use the secure url if you want it to work correctly.
>
> Jack

Thank you very much Jack. I've looked at setting

    define('HTTP_CATALOG_SERVER', 'http://www.mydomain.co.uk');

to be

    define('HTTP_CATALOG_SERVER', 'https://secure.mydomain.co.uk');

and I don't think that change would work correctly. Are you sure?

If I change it, then the link to "Online Catalog" in the admin header gets a link to the secure site, whereas surely it should link to the NONSSL shop. However, if I don't make the change then the file admin/reviews.php seems to try to pick up NONSSL images, but it appears that's the only place things 'go wrong' at the moment.

It looks to me that some of the logic in the osC admin area is a bit buggy w.r.t. SSL or NONSSL matters. For example, rather than set HTTP_CATALOG_SERVER to point to the secure website, wouldn't it be better to correct the places in reviews.php where it tries to pick up an image from the wrong server? Just a thought!
Jack_mcs
Posted October 8, 2008

Yes, that is correct. It is how the admin is coded. There is a contribution, admin secure I think, that allows you to secure only certain sections in admin. But without it, you need to change all of the links to secure which, in your case, means you would have to access admin using the ssl url instead of the domain name.

Jack