SSL Implementation Help


germ


A thread dedicated to those with problems implementing SSL in their stores.

 

First stop: Read this:

 

How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straightforward instructions

 

That thread contains the basics on modifying your /includes/configure.php file to enable SSL.

 

Common mistakes YOU can make that prevent SSL from working:

 

1. Forgetting to make the HTTPS_SERVER define with https in the URL.

Correct:

 

  define('HTTPS_SERVER', 'https://yourdomain.com');

Incorrect:

 

  define('HTTPS_SERVER', 'http://yourdomain.com');

If you can't see the difference - LOOK CLOSER!

 

2. Forgetting to enable SSL in the configure file.

This turns it ON:

 

  define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?

This turns it OFF:

 

  define('ENABLE_SSL', 'false'); // secure webserver for checkout procedure?

3. Modifying the configure file on your local PC then NOT making sure the new one gets to the store website.

If you modify it locally and use FTP, Dreamweaver, Frontpage, or whatever, to transfer it to your site MAKE CERTAIN THE MODIFIED VERSION GETS TO YOUR SITE!!!

Sometimes file permissions can prevent a successful transfer to your website.

 

4. Not checking for and examining the contents of /includes/local/configure.php if it exists on your site.

This file isn't present on all installs, but if it is, ANYTHING IN IT OVERRIDES ANYTHING IN THE "NORMAL" CONFIGURE FILE!!

Check for it, and if found examine its contents.

It may not look like the normal configure file in one respect:

 

  define('ENABLE_SSL', 1);

The define for ENABLE_SSL may have a 1 or a 0 instead of true or false. If so, remember that 1 = true, 0 = false.

 

OK.

 

So you've done all that and it still doesn't work. All your images are X!

 

This probably means osC isn't getting the cue from the server that SSL is active.

 

The code that tests to see if SSL is active is in /includes/application_top.php around line 41:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

Unfortunately this doesn't work on all servers.

 

If you're on "1 and 1" Hosting, this usually works:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

If it's a Windowz server, try this:

 

// set the type of request (secure or not)
 $request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL';

If neither of those are true for you try this:

 

// set the type of request (secure or not)
$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

Always backup any file on your site before making any edits.

 

A file that doesn't work quite like you want it to is better than one that won't work at all.

 

And sometimes none of those settings work.

 

I've written a few programs to assist in debugging, and implementation of SSL and have made a contribution of them.

 

I will post a link to it and a brief explanation after it's uploaded.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites


The contribution:

 

SSL Help

 

This contribution has 3 files:

 

cfgchk.php - Examines your catalog configure file(s) for possible errors that would prevent SSL from working.

 

myenv.php - A program that displays common server settings used in SSL (the original was not my work- see the credit in the file).

 

mybigenv.php - A more comprehensive program that displays server settings that might be used in SSL implementation.

 

There is no "install", just copy the files into your "catalog" folder and access them with your browser.

 

myenv.php and mybigenv.php both use a javascript popup window so if you have a popup blocker installed you may have to disable it temporarily.


Link to comment
Share on other sites
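The configuration mistakes listed in the first post, and the kind of check cfgchk.php is described as doing, can be reproduced as a static parse of the configure file text. This is an added example, not the contribution's code: the function names, the sample file contents and the cookie-domain check are assumptions made here, and it is written for PHP 7.1 or later.

```php
<?php
// Added example (not cfgchk.php): static check of configure.php text for the
// mistakes listed in the first post. The file is parsed as text, never executed.
function parse_defines(string $php): array
{
    $defs = [];
    // Lines starting with // do not match, so commented-out defines are ignored.
    preg_match_all('/^\s*define\(\s*[\'"](\w+)[\'"]\s*,\s*(.+?)\s*\)\s*;/m', $php, $m, PREG_SET_ORDER);
    foreach ($m as $hit) {
        $defs[$hit[1]] = trim($hit[2], "'\"");   // 'true' -> true, 1 -> 1
    }
    return $defs;
}

function check_ssl_config(string $main, ?string $local = null): array
{
    $cfg = parse_defines($main);
    $notes = [];
    if ($local !== null) {                        // includes/local/configure.php wins
        $localDefs = parse_defines($local);
        foreach (array_keys(array_intersect_key($localDefs, $cfg)) as $name) {
            $notes[] = "INFO  $name is overridden by the local configure file";
        }
        $cfg = array_merge($cfg, $localDefs);
    }
    $server = $cfg['HTTPS_SERVER'] ?? '';
    if (stripos($server, 'https://') !== 0) {
        $notes[] = "FAIL  HTTPS_SERVER is '$server' (must start with https://)";
    }
    $ssl = strtolower($cfg['ENABLE_SSL'] ?? '');
    if (!in_array($ssl, ['true', '1'], true)) {
        $notes[] = "FAIL  ENABLE_SSL is '$ssl' (needs true or 1)";
    }
    // Assumed extra check: browsers reject a cookie whose domain the secure
    // host does not belong to, and the session is then lost.
    $cookie = ltrim(strtolower($cfg['HTTPS_COOKIE_DOMAIN'] ?? ''), '.');
    $host = strtolower((string)parse_url($server, PHP_URL_HOST));
    if ($cookie !== '' && $host !== $cookie && substr($host, -strlen(".$cookie")) !== ".$cookie") {
        $notes[] = "FAIL  HTTPS_COOKIE_DOMAIN '$cookie' does not cover host '$host'";
    }
    return $notes ?: ['OK    no SSL configuration problems found'];
}

// Constructed sample files, not taken from a real store.
$main = <<<'CFG'
  define('HTTPS_SERVER', 'http://yourdomain.com');
  define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
  define('HTTPS_COOKIE_DOMAIN', 'www.yourdomain.com');
CFG;
$local = "  define('ENABLE_SSL', 0);\n";

echo implode("\n", check_ssl_config($main, $local)), "\n";
```

On a live store, pass the contents of /includes/configure.php as the first argument and, if it exists, /includes/local/configure.php as the second.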

Thanks for the contribution :)

 

Except for an SSL warning in IE at index.php, my SSL works, but when I ran the myenv.php I got the following:

 

NONSSL Variables

 

HTTP HOST: [xxxxx.net]

 

Server Port: [80]

 

SSL Status: [undefined!]

 

Fowarded Server: [undefined!]

 

Fowarded Host: [undefined!]

 

Fowarded By: [undefined!]

 

$_SERVER['HTTPS']: [undefined!]

 

Is this normal?

 

 

Kind regards,

floyd.

Link to comment
Share on other sites

Looks normal.

 

So what was in the SSL popup window?

:unsure:

 

The program produces a small popup window showing the same variables with SSL active (or it tries to anyway).


Link to comment
Share on other sites


When I go to the main page using https with IE I get a security warning saying that "This page contains both secure and nonsecure items".

 

I tracked down every component which had http hardcoded, but I still get this warning...

Link to comment
Share on other sites

The warning means you have scripts or images loading from HTTP sources in your PHP or your stylesheet.

 

If you PM me your URL I could find it for you.


Link to comment
Share on other sites


<div id="flash_carousel_container">
<div id="flash_carousel">
	<a href="http://www.adobe.com/go/getflashplayer">
		<img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />
	</a>
</div>
</div>

That will cause SSL problems.

:o

 

Try the same code but with a https URL.

;)


Link to comment
Share on other sites

Then after installing SSL you get the dreaded "This page contains secure and nonsecure items" when viewing the site in IE!

:(

 

I've added a file to the package named unsecure.php that you can use to help find the "nonsecure items".

 

I've tested it on about a dozen different sites/pages and it does an excellent job.

 

Out of all the posts I've helped find "nonsecure items", this program would probably have worked perfectly on about 98 to 99 percent of the sites.

 

It's not "bullet-proof", but few programs can make that claim.

:)


Link to comment
Share on other sites
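What a search for "nonsecure items" involves, as discussed in the posts above: list every subresource an HTTPS page would fetch over plain HTTP. This is an added example, not unsecure.php or any code from the contribution; the function name, the tag list and the sample page are assumptions made here (the Adobe snippet is the one posted earlier in the thread, the other URLs are constructed).

```php
<?php
// Added example (not unsecure.php): static scan of one page's HTML for
// resources that would be loaded over http:// when the page itself is HTTPS.
function find_insecure_items(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // tolerate real-world tag soup
    $doc->loadHTML($html);
    libxml_clear_errors();

    // Attribute that triggers a fetch, per tag. <a href> is navigation, not a
    // load, so plain links to http:// pages are deliberately not reported.
    $loaders = ['img' => 'src', 'script' => 'src', 'iframe' => 'src', 'embed' => 'src',
                'input' => 'src', 'link' => 'href', 'object' => 'data'];
    $found = [];
    foreach ($loaders as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            // Only <link> elements that load something (stylesheets, icons).
            if ($tag === 'link' && !preg_match('/stylesheet|icon/i', $el->getAttribute('rel'))) {
                continue;
            }
            $url = trim($el->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = "<$tag $attr> $url";
            }
        }
    }
    // url(http://...) inside <style> blocks and style="" attributes.
    $css = '';
    foreach ($doc->getElementsByTagName('style') as $el) {
        $css .= $el->textContent . "\n";
    }
    foreach ((new DOMXPath($doc))->query('//*[@style]') as $el) {
        $css .= $el->getAttribute('style') . "\n";
    }
    preg_match_all('/url\(\s*[\'"]?(http:\/\/[^\'")\s]+)/i', $css, $m);
    foreach ($m[1] as $url) {
        $found[] = "css url() $url";
    }
    return $found;
}

// Sample page: the Flash snippet from the thread plus constructed lines.
$page = <<<'HTML'
<link rel="stylesheet" type="text/css" href="http://www.example.com/catalog/stylesheet.css">
<a href="http://www.adobe.com/go/getflashplayer">
  <img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />
</a>
<img src="images/store_logo.png" alt="logo">
<div style="background: url('http://www.example.com/catalog/images/bg.gif')"></div>
HTML;
foreach (find_insecure_items($page) as $item) {
    echo $item, "\n";
}
```

The scan is static: resources added by JavaScript at run time and url() references inside external stylesheets are not seen, so each linked stylesheet needs its own pass.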

I tried all of the suggestions and I still can not get the SSL to work. I do not appear to have a local file so that is not the issue. The only thing I can think of is the SSL cert. is located in the wrong place. My SSL cert is located under the home root directory. Should it be located in the public_html directory?

Link to comment
Share on other sites

Ask your host.

 

That is dependent on the way the server is set up.

 

If you want me to take a peek and possibly make recommendations you'll have to post (or PM me) your URL.


Link to comment
Share on other sites


Thanks, it's working now :)

Link to comment
Share on other sites

Hi Jim,

 

My SSL implementation was working fine till about one week ago when I had to change the secure address.

I use shared SSL and it seems that every time I access a page through the secure address it tries to load the images and the stylesheet file from the unsecure address and the annoying IE message keeps being displayed.

I tried all your tips listed here, but nothing solved this problem :-(.

I would be very grateful if you could take a look at my shop and give a reply.

 

My url is http://www.plixx.com.br/loja/

 

The secure url is https://plixxcbr.acessoseguro.net/loja/

 

Thank you in advance,

 

PS.: Your files cfgchk.php, mybigenv.php, myenv.php and unsecure.php are still on my shop. You can access them through http://www.plixx.com.br/loja/cfgchk.php

Link to comment
Share on other sites

Well you just uncovered a bug in the code.

:blush:

 

It works on the site I manage flawlessly, but on yours some of the popup windows reload continuously...

:(

 

That would be because the session between HTTP and HTTPS isn't getting shared.

:blink:

 

I'll have to take a look at that.

:wacko:

 

When I get something together codewise would you be able to test it before I upload it as a new version of the contribution?

:unsure:

 

Anyway, using the code files I think I have a solution to your problem.

 

osC isn't recognizing the cue from the server that SSL is "on".

 

In your /includes/application_top.php find this code:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

Change it to:

 

// set the type of request (secure or not)
//  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// added nonstandard code 24-apr-09
 $request_type = ($_SERVER['HTTP_HOST'] == 'plixxcbr.acessoseguro.net') ? 'SSL' : 'NONSSL';

BACKUP THE FILE BEFORE MAKING ANY EDITS.

 

I'll be waiting to hear how things go while I work on a code change to the contribution to prevent continuous page reloads.

;)


Link to comment
Share on other sites
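The `$request_type` variants from the first post and the hostname comparison from the post above can be folded into one function that tries each cue in turn and reports which one matched. This is an added example, not code from osCommerce or the SSL Help contribution; the function name, the optional `$secureHost` parameter and the sample environments are assumptions made here, and it is written for PHP 7.1 or later.

```php
<?php
// Added example, not code from osCommerce or the SSL Help contribution.
// Tries each server cue from the thread in turn. $server is a $_SERVER-style
// array so the logic can be exercised offline; pass $_SERVER on a live site.
function detect_request_type(array $server, ?string $secureHost = null): array
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    // 'on' is the usual value and some hosts send '1'; IIS with ISAPI can
    // report 'off' on plain HTTP, so a merely non-empty value is not enough.
    if ($https !== '' && $https !== 'off' && $https !== '0') {
        return ['SSL', "HTTPS=$https"];
    }
    if ((string)($server['SERVER_PORT'] ?? '') === '443') {
        return ['SSL', 'SERVER_PORT=443'];
    }
    // Last resort for shared SSL with no cue at all. HTTP_HOST comes from the
    // request, so rely on it only when the server routes that name to HTTPS only.
    $host = strtolower((string)($server['HTTP_HOST'] ?? ''));
    if ($secureHost !== null && $host === strtolower($secureHost)) {
        return ['SSL', 'HTTP_HOST matches secure host'];
    }
    return ['NONSSL', 'no SSL cue found'];
}

// Constructed sample environments (not captured from real servers).
$samples = [
    'HTTPS=on'           => ['HTTPS' => 'on',  'SERVER_PORT' => '443', 'HTTP_HOST' => 'shop.example.com'],
    'HTTPS=1'            => ['HTTPS' => '1',   'SERVER_PORT' => '443', 'HTTP_HOST' => 'shop.example.com'],
    'HTTPS=off'          => ['HTTPS' => 'off', 'SERVER_PORT' => '80',  'HTTP_HOST' => 'shop.example.com'],
    'port 443 only'      => ['SERVER_PORT' => '443', 'HTTP_HOST' => 'shop.example.com'],
    'shared SSL, no cue' => ['SERVER_PORT' => '80',  'HTTP_HOST' => 'secure.example.net'],
    'plain HTTP'         => ['SERVER_PORT' => '80',  'HTTP_HOST' => 'shop.example.com'],
];
foreach ($samples as $label => $env) {
    [$type, $why] = detect_request_type($env, 'secure.example.net');
    printf("%-20s %-7s %s\n", $label, $type, $why);
}
```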

New version uploaded.

 

Hopefully fixes the continuous page reload of the popup.

 

I did some experimenting and believe it may be a result of incorrect cookie settings in the config file (I can't fix that).

 

Only time and a few more installs will tell.


Link to comment
Share on other sites

Like my last post said, it might be because of an incorrect cookie setting.

 

What do you have for this in the configure file:

 

  define('HTTPS_COOKIE_DOMAIN', '');

:unsure:

 

It (still) works great on my site.

 

The reason it reloads is the session is lost.


Link to comment
Share on other sites

Hey there Jim I have a quick question. I am going to embed MP3 songs into my product desc. This coding has a URL for a flash player that auto runs so people can hear the songs. How do I set this up with my SSL if the URL is not relative?

Pat

Link to comment
Share on other sites

None of the pages with the product description are SSL on osC so it won't matter.

 

The only ones that should be SSL are login, logout, any of the files dealing with account info or changes, and all the files thru the checkout process.


Link to comment
Share on other sites

Uploaded new package.

 

Changes:

 

All files display version in the browser.

 

myenv.php and mybigenv.php don't use session variables any longer (prevents continuous page reloads).

 

cfgchk.php displays the permissions of the config file(s) and also checks for and displays HTTPS_COOKIE_DOMAIN.

 

unsecure.php now has a "glib" mode (displays all source HTML ).


Link to comment
Share on other sites

When I run cfgchk.php I get this:

 

Found HTTPS_COOKIE_DOMAIN:

define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');

HTTPS_COOKIE_DOMAIN line parsed!

 

Just wanted to find out if this was an error or not as the other two lines for SSL and HTTPS Server give the message of "passed check" and this says "line parsed". Please advise?

Link to comment
Share on other sites

I color coded the lines.

 

GREEN is GOOD

 

RED is BAD

 

That line is GREEN

 

(Hoping you're not colorblind)

 

It's just an informative message.


Link to comment
Share on other sites

Hi

Clever tools you've created! Thanks! :)

 

I'm not sure why the file unsecure.php produces this message:

unsecure.php Version 1.1

 

Site not specified!

 

I might have misconfigured something or missed some instruction... I don't know. I simply point my browser to the unsecure.php. Would you mind shedding some light, thank you!

Link to comment
Share on other sites

From the "read me" file included in the contrib:

 

unsecure.php - A program to help find "unsecure" items on SSL Pages. To test a page access the file with your browser like this:

http://www.yourdomain.com/unsecure.php?site=https://site.com

Or:

http://www.yourdomain.com/unsecure.php?site=https://site.com/page.php


Link to comment
Share on other sites

Thank you! Sorry to have bothered you, should have noticed that.

 

I get "Unable to open..." etc, and I see that a hyphen in my shared ssl domain name is missing. It might be any of the security contributions that I'm using that are causing it?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
