
osCommerce


SSL?


Guest


Posted
Now if I could just get my security issues taken care of in my catalog...

 

Laura

 

The only possible two things that I can see on your catalog default page:

<base href="http://www.bowlzilla.com/">

<script language="JavaScript" src='http://www.trustlogo.com/trustlogo/javascript/trustlogo.js'>

 

Seems that you made some mod and they are pulling from a non-https source for the page contents.
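The check in the reply above (reading the served page for anything pulled from a non-https source) can be automated. What follows is an added example of my own, not code from this thread or from osCommerce: it parses an HTML document with Python's standard html.parser and lists every sub-resource a browser would fetch over plain http on an https page. A hard-coded http base href is reported first, because every relative src or href on the page resolves against it. The sample page, the page URL passed in, and the host secure.example.invalid are constructed for the example; the two http references in it are the ones quoted in the reply.

```python
"""List the http:// sub-resources a browser would flag as mixed content.

Added example, not from the forum thread or osCommerce. Uses only the
standard library so it runs offline against a saved page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a sub-resource (or, for
# form/action, submits the user's data to).
FETCHED_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),      # stylesheets, icons; rel is not inspected
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),
}


class InsecureRefFinder(HTMLParser):
    """Collect (tag, attribute, resolved URL) for every http:// reference."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # <base href> replaces this once seen
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = attrs["href"].strip()
            if urlsplit(self.base).scheme == "http":
                # From here on every relative src/href resolves to http://
                self.findings.append(("base", "href", self.base))
            return
        for attr in FETCHED_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            resolved = urljoin(self.base, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, attr, resolved))


def find_insecure_refs(html, page_url):
    """Return the http:// references found in `html` as served at `page_url`."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a catalog page as it might be sent over https, with the
# two tags quoted in the reply plus a few relative references.
SAMPLE_HTML = """
<html><head>
<base href="http://www.bowlzilla.com/">
<link rel="stylesheet" href="stylesheet.css">
<script language="JavaScript" src='http://www.trustlogo.com/trustlogo/javascript/trustlogo.js'></script>
</head><body>
<img src="images/logo.gif">
<img src="https://secure.example.invalid/seal.gif">
<form action="login.php?action=process" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs(SAMPLE_HTML, "https://bowlzilla.com/default.php"):
        print("%-6s %-6s %s" % (tag, attr, url))
```

Run it against the HTML a browser actually received (save the page source and feed it in), not against the PHP template: the base href and the relative paths only resolve to something once the page is rendered. Changing the base href to https in the sample leaves exactly one finding, the trustlogo script, which shows the two problems are independent and both have to be fixed.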

Posted

Nope, the default.php page isn't my problem. Don't want the whole catalog to run in secure mode...my problem is when being redirected from a secure page (such as login.php) to another page - whether it's secure or not. I've gotten my login.php secure (nice lovely little gold padlock down in the right-hand corner), and I managed to make my account.php secure as well. The problem comes when I try and login to My Account and the form goes through "process". I then get a nonsecure items on the page error message and the subsequent page (account.php) comes up as non-secure. HOWEVER, if I manually put the 's' into the URL, the same page comes up just fine in secure mode with no non-secure items error messages.

 

I'm totally puzzled by this and very frustrated!!!

 

Laura

Posted

Looks like you have done a mod to your site. Looks nice, by the way.

Unless I look at your code, it's hard to know where the bug is.

 

I am having problems just trying to register as a new user.

 

The reg. page has https as the URL but no lock (at the lower right corner).

And I got the following error after entering all the new user account info:

Parse error: parse error in /home/.aleta/laura/bowlzilla/create_account_success.php on line 32

 

The default download has the following as line 32, but yours could be different due to your mod.

<title><?php echo TITLE; ?></title>

 

But, it's https and has a good lock.

Posted

Thanks for the compliment on the site itself. We've had fun modifying it...

 

On to the problem.

 

Yes, the create account would not have the lock yet since I haven't modified the base href for that file yet. But I wasn't aware of the parse error so will look into that right now...

 

[time passes, time passes...]

 

Ok, I looked into it, made the necessary base href change and modified the footer so that it referenced the secure cert plaque correctly, and now the page itself comes up as secure (great), and I get no error upon success of creating the account.

 

Would you be willing to try creating another account and see how it goes?

 

After that, would you be willing to logoff, then go back to "My Account" from the top nav area and login, press "Sign In" and see what happens?

 

My guess is that you'll get a pop-up saying that you're being redirected to a nonsecure page and would you like to continue. If you say Yes, you'll be taken to the account.php page, with no padlock, and no https. BUT, if you manually put the 's' into the URL up top, you'll get to the same page just fine with no error messages.

 

This is what I'm having trouble figuring out. Why am I being told that the page is not secure when, clearly, the page displays just fine in secure mode?...

 

Laura

Posted
> Would you be willing to try creating another account and see how it goes?
>
> After that, would you be willing to logoff, then go back to "My Account" from the top nav area and login, press "Sign In" and see what happens?
>
> My guess is that you'll get a pop-up saying that you're being redirected to a nonsecure page and would you like to continue. If you say Yes, you'll be taken to the account.php page, with no padlock, and no https. BUT, if you manually put the 's' into the URL up top, you'll get to the same page just fine with no error messages.
>
> This is what I'm having trouble figuring out. Why am I being told that the page is not secure when, clearly, the page displays just fine in secure mode?...
>
> Laura

One more free one, the next will cost you. :wink:

 

Look at your login.php. Search for process. The first if() block of code.

Look towards the bottom of the block. Most likely the snapshot-related issue. (Did you mod that? I mean related to breadcrumbs or navigation?)

 

Can you post the top part of your config file from catalog? Remove the DB-related information.

Posted

Doesn't look like the snapshot block has been changed - at least there's no markings there to indicate such a thing. But here's what that block looks like, from "process" on down to "snapshot":

 

// redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled (or the session has not started)
  if ($session_started == false) {
    tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));
  }

  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) {
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);
    $password = tep_db_prepare_input($HTTP_POST_VARS['password']);

// Check if email exists
    $check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_password, customers_email_address, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'");
    if (!tep_db_num_rows($check_customer_query)) {
      $HTTP_GET_VARS['login'] = 'fail';
    } else {
      $check_customer = tep_db_fetch_array($check_customer_query);
// Check that password is good
      if (!tep_validate_password($password, $check_customer['customers_password'])) {
        $HTTP_GET_VARS['login'] = 'fail';
      } else {
        $check_country_query = tep_db_query("select entry_country_id, entry_zone_id from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . $check_customer['customers_id'] . "' and address_book_id = '1'");
        $check_country = tep_db_fetch_array($check_country_query);

        $customer_id = $check_customer['customers_id'];
        $customer_default_address_id = $check_customer['customers_default_address_id'];
        $customer_first_name = $check_customer['customers_firstname'];
        $customer_country_id = $check_country['entry_country_id'];
        $customer_zone_id = $check_country['entry_zone_id'];
        tep_session_register('customer_id');
        tep_session_register('customer_default_address_id');
        tep_session_register('customer_first_name');
        tep_session_register('customer_country_id');
        tep_session_register('customer_zone_id');

        $date_now = date('Ymd');
        tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . $customer_id . "'");

// restore cart contents
        $cart->restore_contents();

        if (sizeof($navigation->snapshot) > 0) {
// snapshot['mode'] is the connection type (SSL/NONSSL) the interrupted page was requested under
          $origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name())), $navigation->snapshot['mode']);
          $navigation->clear_snapshot();
          tep_redirect($origin_href);
        } else {
// no connection type passed, so tep_href_link() uses its default, NONSSL
          tep_redirect(tep_href_link(FILENAME_DEFAULT));
        }
      }
    }
  }

 

And the top of my configure.php...

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.bowlzilla.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://bowlzilla.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('DIR_WS_CATALOG', '/'); // absolute path required
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', DIR_WS_CATALOG . 'pub/');
  define('DIR_FS_DOCUMENT_ROOT', '/home/laura/bowlzilla/');
  define('DIR_FS_CATALOG', '/home/laura/bowlzilla/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
  define('DB_SERVER', 'catalog.bowlzilla.com'); // eg, localhost - should not be empty for productive servers
  define('DB_SERVER_USERNAME', 'xxxxxx');
  define('DB_SERVER_PASSWORD', 'xxxxxx');
  define('DB_DATABASE', 'bzcatalog');
  define('USE_PCONNECT', 'false'); // use persistent connections?
  define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'
?>

 

Don't know if any of that helps, but there you go...

 

Thanks for all the help looking into this, btw. My kids are really starting to get freaked out by seeing Mommy's head spin all the way around! ;-)

 

Laura
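To see why the post-login redirect can land on an http URL even though login.php itself was served over https, here is an added example of my own (a small Python model, not osCommerce's code) of the rule tep_href_link() uses to choose between HTTP_SERVER and HTTPS_SERVER, and of the snapshot branch at the end of the quoted "process" block, fed with the HTTP_SERVER and HTTPS_SERVER values from the configure.php above. It assumes, as osCommerce 2.2's navigation history does, that a snapshot stores the request type ('SSL' or 'NONSSL') of the page that was interrupted by the login wall; the page names and parameters in the calls at the bottom are constructed.

```python
"""Model of which URL, and which scheme, the login 'process' step redirects to.

Added example, not osCommerce code: a deliberate simplification of
tep_href_link() and navigationHistory::set_snapshot() that keeps only the
connection-type decision, so the scheme of the redirect target is visible.
"""

# Values copied from the posted configure.php. Note that the two servers are
# different hostnames (www.bowlzilla.com versus bowlzilla.com).
HTTP_SERVER = "http://www.bowlzilla.com"
HTTPS_SERVER = "https://bowlzilla.com"
ENABLE_SSL = True
DIR_WS_CATALOG = "/"
FILENAME_DEFAULT = "default.php"


def href_link(page, params="", connection="NONSSL"):
    """Model of tep_href_link(): the connection argument, not the scheme of
    the current request, decides which server constant the link is built on.
    'SSL' falls back to HTTP_SERVER when ENABLE_SSL is off."""
    if connection == "SSL" and ENABLE_SSL:
        base = HTTPS_SERVER + DIR_WS_CATALOG
    elif connection in ("SSL", "NONSSL"):
        base = HTTP_SERVER + DIR_WS_CATALOG
    else:
        raise ValueError("unknown connection type: %r" % (connection,))
    return base + page + ("?" + params if params else "")


def set_snapshot(page, requested_over_https, get_params=""):
    """Model of set_snapshot(): the stored mode is the request type of the
    page the customer was on when redirected to login.php (assumption: this
    mirrors osCommerce 2.2, where $request_type comes from getenv('HTTPS'))."""
    return {
        "page": page,
        "mode": "SSL" if requested_over_https else "NONSSL",
        "get": get_params,
    }


def post_login_redirect(snapshot):
    """Model of the if/else at the end of the quoted 'process' block."""
    if snapshot:
        return href_link(snapshot["page"], snapshot["get"], snapshot["mode"])
    # No snapshot: tep_href_link(FILENAME_DEFAULT) with the default, NONSSL.
    return href_link(FILENAME_DEFAULT)


if __name__ == "__main__":
    # Constructed scenarios: no snapshot, then account.php reached over http
    # and over https before the login wall.
    print("no snapshot     :", post_login_redirect(None))
    print("account via http:", post_login_redirect(set_snapshot("account.php", False)))
    print("account via SSL :", post_login_redirect(set_snapshot("account.php", True)))
```

Two things the outputs make visible. With no snapshot the redirect is built with the default connection type, NONSSL, so it is an http:// URL no matter how login.php was reached; and when the customer hit the login wall on a page requested over http, the snapshot carries NONSSL and the redirect goes back over http, which is exactly the "redirecting to a nonsecure page" prompt. With the posted configuration the SSL and non-SSL links also do not share a hostname, so the browser treats bowlzilla.com and www.bowlzilla.com as two different sites.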

Posted
> Thanks for all the help looking into this, btw. My kids are really starting to get freaked out by seeing Mommy's head spin all the way around! ;-)
>
> Laura

 

LOL. :lol:

 

What happens when you remove the first if()? (the cookie thing)

 

Any changes to temp_href_link() or related functions? 'Cause it's sending me to the default home page. Like starting a new session. And the home page does not have https by default.

Posted

Hmmm, commented out the cookies thing, still get the same security error pop-up.

 

I don't find the temp_href in login.php or default.php. Do you maybe mean tep_href? I don't *think* that's been modified anywhere, but I'm not sure where to look either.

 

grrrr....No ideas pertaining to how the form is processing from the login page, clicking on "Sign In" and how it decides to get from there to the account.php? I suspect it's a problem with the form processing or parsing the code right. Not sure, because I'm not a programmer myself, but that's my suspicion.

 

Laura

Posted
> I don't find the temp_href in login.php or default.php. Do you maybe mean tep_href? I don't *think* that's been modified anywhere, but I'm not sure where to look either.

search for

function temp_href_link(

> grrrr....No ideas pertaining to how the form is processing from the login page, clicking on "Sign In" and how it decides to get from there to the account.php? I suspect it's a problem with the form processing or parsing the code right. Not sure, because I'm not a programmer myself, but that's my suspicion.
>
> Laura

Who did your mod?

Posted

A programmer I'd hired. He's excellent - but on vacation right now so not available for consultation (he deserves the vacation too, btw).

 

Definitely not finding anything in default.php or login.php called

function temp_href_link(

 

Found plenty of instances of

tep_href_link

but none with "function" before them in those two files. Should I look in a different file for this? And if I find it, what should I do with it?

 

I'll grab an original copy of these 2 files as well and see if I can figure out what exactly is different about the commands.

 

Laura

Posted
> A programmer I'd hired. He's excellent - but on vacation right now so not available for consultation (he deserves the vacation too, btw).
>
> Laura

 

I think you better wait for him. He did the mod, he understands the logic. Don't mess it up for him. It will cost you more money.

Posted

While on the SSL issue, I have all of my catalog & admin on a shared secured site and it works fine. The only problem is the emails don't work. When customers sign up & place orders, they don't get an automatic response. It used to work fine before I moved the files into the secure area of my server.

 

Any help would be much appreciated.

 

cheers :D

Archived

This topic is now archived and is closed to further replies.
