SSL Implementation Help

[www.in.no]

@@germ

 

Thanks,

 

The setting is as that already.

 

Force Cookie Usage is False and Recreate Session is True

[germ]

Bizarre...

:wacko:

 

What I see is this:

 

After entering the site the session ID is in the URL for a few clicks. This is normal when "Force Cookie Usage" is false.

 

The site makes a cookie and the session ID is stored in the cookie and the session ID stops appearing in the URL. Normal operation again.

 

This is all on the HTTP side.

 

It all "goes south" when you click a link using HTTPS.

 

The session is lost (cart contents dumped) and the session ID starts appearing in the URL again.

 

Only this time it won't go away and sometimes changes with every click.

 

But the really unexplainable part is the site still has that cookie with the session ID in it, BUT the session ID stored in the cookie doen't match what's in URL!!!

 

I've never seen this behavior before and really have no idea even where to start to try to fix it.

:blush:

[www.in.no]

@@germ

 

I have tried it all.... but don't know what more to do, and if you don't see any errors then i wont for sure find any..

 

Is it a bug, not sure if it can be reproduced on different install!

Can it be server related?

 

I have seen references to the same problem on other cases, but most likely to bad configuration.

 

If you want to look more closely, i can pm you with ftp access...

 

Anyway, thanks for looking...

[www.in.no]

@@germ

 

I finally found out the error. After checking it all, and after thet you said that all looked ok i contacted my host and they gave me this answer.

I don't know if there are possibles to check for this in your tools for the future.. Or you can add it to the nessasery check points if other get the lost sessions.

 

And i big Thank you Jim for trying to sort this out..

 

The sessions are encrypted based on the url including https or http. This explains the difference. I've disabled this for you now so you should get the same on http and https.

[Guest]

I have been running 2.2 for a few years and just recently upgraded to 2.3.3 I am having a hell of a time getting SSL to work correctly. I checked my install about 30 times and it all looks good. I tested www.bytortruck.com on www.ssltest.net/ and it says it is fine. I can usually search the forums and find an answers to my problems but this time I need some help.

 

When I go to http://www.bytortruck.com/admin I get this error

 

Parse error: syntax error, unexpected T_STRING in /home/bytor/public_html/admin/includes/configure.php on line 6

 

When I open any Https page I get this error

 

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@bytortruck.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.bytortruck.com Port 443

[Guest]

Admin

 

<?php

define('HTTP_SERVER', 'https://www.bytortruck.com/');

define('HTTP_CATALOG_SERVER', 'https://www.bytortruck.com/');

define('HTTPS_CATALOG_SERVER', 'https://www.bytortruck.com/');

define('ENABLE_SSL_CATALOG', 'true);

define('DIR_FS_DOCUMENT_ROOT', '/home/bytor/public_html/');

define('DIR_WS_ADMIN', '/admin/');

define('DIR_FS_ADMIN', '/home/bytor/public_html/admin/');

define('DIR_WS_CATALOG', '/');

define('DIR_FS_CATALOG', '/home/bytor/public_html/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

Catalog

 

<?php

define('HTTP_SERVER', 'http://www.bytortruck.com');

define('HTTPS_SERVER', 'https://www.bytortruck.com');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', '.bytortruck.com');

define('HTTPS_COOKIE_DOMAIN', '.bytortruck.com');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '/');

define('DIR_WS_HTTP_CATALOG', '/');

define('DIR_WS_HTTPS_CATALOG', '/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/home/bytor/public_html/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

[Jack_mcs]

This line

define('ENABLE_SSL_CATALOG', 'true);

should be

define('ENABLE_SSL_CATALOG', true);

 

and this line

define('DIR_FS_DOCUMENT_ROOT', '/home/bytor/public_html/');

should be

define('DIR_FS_DOCUMENT_ROOT', '/home/bytor/public_html');

[danish8388]

Hi Germ,

 

Can you please look at my site. I pm you my site. I also got the nonsecure warning on login page on IE and the style sheet does not seem to load on https pages. I've uploaded your ssl contribution files and all results are green. In my application_top.php, I tried both

// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';"

and the same result.

[MrPhil]

Try

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

I think that's yet another permutation.

[danish8388]

Same result. pop up warning says "only secure contents is displayed.... "

 

forgot to mention, on the unsecure.php.php?site=https://mysite.com, I get

unsecure.php Version 1.2

 

Unable to open [mysite"]]!

[MrPhil]

The getenv() call is to determine whether the page you're on was called via https (SSL) or http (non-SSL). It sounds like it's working -- you're on an https page. What kind of modifications have been made to your store? It sounds like a page that should be http is being forced to https.

 

In both your configure.php files, are all the HTTP_* defines http://... and none are https://? (ref @@turbo94gto's list -- HTTP_CATALOG_SERVER being https:// is an error)

[danish8388]

I would post our solution here so if others run into same problem could get answers right away.

In the configure.php, we put HTTP_SERVER = https://mysite.com basically forcing all connections to the site secured.

This definitely took away the IE pop up message. Not sure about long term effect though

[MrPhil]

If there's anything on a page (CSS, JS, images) that's hard coded to use http://, you're going to get browser warnings about insecure content.

 

WHY do you want to put the entire site under SSL? It would be very unusual to need to do this. osC already sets pages that need SSL to use it, and leaves everything else non-SSL. SSL only keeps "man in the middle" snoopers from listening in on page traffic -- it does NOTHING for database security or to keep hackers out of the site.

[danish8388]

I also think it's strange to do so, but it's a solution provided by a paid developer who is now MIA. He couldnt figure out where in the page still has the hardcoded link. He signed off the job with this quick fix.

[MrPhil]

What problem was he trying to solve by making the entire store under SSL? For a paid developer, he sure did a bad job if he couldn't figure out where a hard coded http: link was.

 

Let's go back to Square One. What problem were you trying to solve by messing with SSL?