Attempting to use shared SSL. Inconsistent problems.


chris.m


I'm reasonably new to osCommerce and setting up SSL. I have been doing a lot of reading in the other threads about SSL, but I haven't yet come across one that describes the problem I'm having. I would really appreciate any input or any ideas about where I should start looking for the problem.

 

I'm using osCommerce 2.3.1 with the catalogue in the root folder.

I added a credit card module (http://www.oscommerce.com/community/contributions,2954)

 

The host offers shared SSL and when I first changed the configure files everything seemed fine. The pages were displaying properly and the address changes to https when I go to checkout.

 

A section of /includes/configure.php - with stand-in names for domain, etc.

define('HTTP_SERVER', 'http://www.domainname.com');
define('HTTPS_SERVER', 'https://server.name.com/~username');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.domainname.com');
define('HTTPS_COOKIE_DOMAIN', 'server.name.com/~username');

 

A section of /admin/includes/configure.php

define('HTTP_SERVER', 'http://www.domainname.com');
define('HTTP_CATALOG_SERVER', 'http://www.domainname.com');
define('HTTPS_CATALOG_SERVER', 'https://server.name.com/~username');
define('ENABLE_SSL_CATALOG', 'true');

 

But some parts of the checkout process are still breaking some of the time:

-The "buy now" button sometimes takes me to the shopping cart page but it says my cart is empty rather than showing the product that I tried to "buy now".

-After the shipping information is confirmed and the credit card information is entered, the page sometimes bounces back to the login instead of showing the confirmation page.

Both of these things seem to happen about 50% of the time.

 

IE is also giving me the pop-up about some items of the page being insecure. I'm not looking for help with that because I found other threads about it, but I thought I should mention it in case it was relevant to the problem I'm describing here.

 

Has anyone run into this before? Ideas about where I might start looking? Any suggestions about things to try?

Thanks for taking the time to read this.

Link to comment

Hi,

 

In my opinion (others may disagree) I would get a dedicated SSL certificate and you would also need a static IP address which would cost £50 per year (or less).

 

If you can provide a URL I'm sure I or others will look and see if we can help with checkout process.

 

The insecure bit is normally down to images.

Link to comment

For the SSL cookie domain try:

 

  define('HTTPS_COOKIE_DOMAIN', '.server.name.com');

or

 

  define('HTTPS_COOKIE_DOMAIN', 'server.name.com');

It doesn't usually work with the tilde (~) in the cookie name.

 

Can't help with the "unsecure items" without your URL (by post or pm).

 

You might find the "SSL Implementation Help" link in my signature useful.

 

Sometimes getting osC to work with shared SSL can be a real b*tch...

:blush:

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Link to comment
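A check for the cookie settings discussed in the reply above, as an added example that is not part of the thread or of osCommerce. `check_ssl_cookie_config()` is a hypothetical helper; `HTTPS_COOKIE_PATH` and `DIR_WS_HTTPS_CATALOG` are constants from the stock configure.php that the original post does not show, and their values here are assumed.

```php
<?php
// Added example, not osCommerce code: check_ssl_cookie_config() is a hypothetical helper.
// Host names are the thread's stand-ins; the path constants are assumed values.

function check_ssl_cookie_config(array $cfg)
{
    $problems = array();
    $domain = $cfg['HTTPS_COOKIE_DOMAIN'];
    $host = (string) parse_url($cfg['HTTPS_SERVER'], PHP_URL_HOST);

    // A cookie Domain attribute is a bare host name: no scheme, port, path or "~user".
    if (preg_match('#[/~:]#', $domain)) {
        $problems[] = 'HTTPS_COOKIE_DOMAIN must be a host name only; "/~user" belongs in HTTPS_COOKIE_PATH';
    } else {
        // The browser returns the cookie only when the domain matches the HTTPS host.
        $bare = ltrim($domain, '.');
        $suffix = '.' . $bare;
        if ($host !== $bare && substr($host, -strlen($suffix)) !== $suffix) {
            $problems[] = "HTTPS_COOKIE_DOMAIN $domain does not match HTTPS host $host";
        }
    }

    // Links are built as HTTPS_SERVER . DIR_WS_HTTPS_CATALOG, so take the path from both.
    $shopPath = (string) parse_url($cfg['HTTPS_SERVER'] . $cfg['DIR_WS_HTTPS_CATALOG'], PHP_URL_PATH);
    $cookiePath = $cfg['HTTPS_COOKIE_PATH'];
    if ($cookiePath === '' || strpos($shopPath, $cookiePath) !== 0) {
        $problems[] = "HTTPS_COOKIE_PATH '$cookiePath' is not a prefix of the shop path '$shopPath'";
    } elseif ($cookiePath === '/' && $shopPath !== '/') {
        // On shared SSL every account lives under the same host name.
        $problems[] = "HTTPS_COOKIE_PATH '/' sends the session cookie to every account on $host";
    }

    return $problems;
}

// Constructed sample 1: the cookie domain as posted in the thread.
$asPosted = array(
    'HTTPS_SERVER'         => 'https://server.name.com/~username',
    'DIR_WS_HTTPS_CATALOG' => '/',
    'HTTPS_COOKIE_DOMAIN'  => 'server.name.com/~username',
    'HTTPS_COOKIE_PATH'    => '/',
);

// Constructed sample 2: host name only, cookie scoped to the account directory.
$corrected = array(
    'HTTPS_SERVER'         => 'https://server.name.com',
    'DIR_WS_HTTPS_CATALOG' => '/~username/',
    'HTTPS_COOKIE_DOMAIN'  => 'server.name.com',
    'HTTPS_COOKIE_PATH'    => '/~username/',
);

foreach (array('as posted' => $asPosted, 'corrected' => $corrected) as $label => $cfg) {
    $problems = check_ssl_cookie_config($cfg);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```

A cookie path is only a scoping hint to the browser, so on a shared host name it narrows where the session cookie is sent but does not isolate one account from another.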

You might also check with your host to confirm that their shared SSL certificates work with PHP pages. I've seen hosts where shared SSL only works with HTML and CGI-Perl pages. In such a case, you'll have no choice but to spring for a dedicated SSL certificate (usually involving a static IP address).

 

If you're using a third party payment system (e.g., most PayPal services), you don't absolutely need SSL. However, some countries may require it to protect certain personal information (name and address, etc.), and customers will be more confident about ordering from you if they see that SSL is in use for at least part of the sign-on and purchase process. Obviously, if you're handling credit card numbers yourself (merchant account and payment gateway), you'll need SSL (among other things).

Link to comment

Thanks to all of you for the quick replies and the suggestions.

 

I'm helping someone else with his store. It's a small business and I'm trying to save him money by using the shared SSL if possible. He's willing to get dedicated SSL (and static IP) if it's needed, but I wanted to give the shared SSL a solid attempt first.

 

I will provide the URL in another reply. I want to change the order emails to go to my email rather than his if people are going to test it.

Link to comment

I will try both of those. I also hadn't found that thread in my search of the forum, so I will read it, too.

Link to comment

Not a bad idea, you could use COD as payment whilst testing for errors.

Link to comment

That would also work. I used credit card because most of his customers do. I just made up a bogus number.

 

I switched the emails and I would be happy for help with the testing. The site is www.longcreektrappingsupplies.com. Please use the last name "Test" for any test accounts so I can easily delete them later.

 

Thanks again for the help.

Link to comment

I'm trying the SSL help contribution. The cfgchk doesn't show any errors. The unsecure file is removing the ~ from the site address so that the address is no longer correct. I'm tinkering with the file to see if I can get it to allow the ~.

Link to comment

Tinkering with it will get you nowhere (IMHO).

 

It has to do with browsers not the osC code.

 

Currently the store doesn't recognize that SSL is active.

 

In /includes/application_top.php find this line:

 

  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

Change that code to this:

 

//  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
 $request_type = ($HTTP_HOST == 'magenta.srv2.com') ? 'SSL' : 'NONSSL';

Link to comment

Chris

 

Looking at your site, the main problem is SSL. I know you said about keeping cost down, but without SSL you will have no sales. If the person you are helping with this website is not willing to pay for SSL then all your effort will go to waste.

Another option is to remove SSL from your site and use PayPal. At least the customer will not get warnings about an unsecured site, but it would be better being under SSL when they enter their address details.

Link to comment

I don't want to disagree with you because you're being so nice in helping me, but I did get it to recognize that character. And it said the insecure piece was the mapquest box, which I was guessing was on the list (I just thought there might be more).

 

I'm also going to try the second part right now.

Link to comment

He's willing to pay for the dedicated SSL. If I can't make the shared SSL work (and do it today) then that's what I will suggest.

Link to comment

Chris

 

This is the problem you have:

I go to **http://www.longcreektrappingsupplies.com/**

Click my account

end up here

**https://magenta.srv2.com/~longcree/login.php?osCsid=d40abfb23124c54b43b23b6b7624fd27**

all images are unsecured, url above means nothing to me, sale lost

Sorry to be blunt.

edit:

This is what you want to happen

I go to **http://www.longcreektrappingsupplies.com/**

Click my account

end up here

**https://www.longcreektrappingsupplies.com/login.php**

Padlock on browser

now entering details

Link to comment

That's a reasonable point. I was thinking of it mostly from the technical point of view that I wanted the information to be encrypted. His existing customers were placing orders without SSL, so I didn't think they would care all that much about the address change, but there is a potential group of people who didn't buy from him because of that and would now be interested again.

Link to comment

The main reasons a shared ssl won't work on a site is if the server isn't set up to handle it or the configure file is not set up correctly. Even though a host offers a shared cert, it doesn't mean it will work. So the first thing you should do is go to https://server.name.com/~username. That doesn't have anything to do with the configure file so if it fails, it is not because of your shop. You may get a non-secure warning but that is OK. If it doesn't work, then you need to ask your host why the ssl won't work. If it does work, then you should check this thread on how to set up the configure file to make sure yours is set up correctly. It looks like it is but you didn't show all of the settings so one can't be sure.

As far as a private ssl is concerned, you can purchase one for $15/year and with the IP costs, that may be around $30/year. Not a great deal but for a shop trying to cut corners, it can make a difference. But you definitely need an ssl cert regardless of what others have told you. Customers know to look for secure pages and they get to the login page before they get to the paypal page so some will see their data is not protected and leave. Losing one customer due to this should not be acceptable to the shop owner but perhaps he thinks differently.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment

I am taking the advice and suggesting private SSL. While I'm waiting to hear back from him I'm working on the non-secure problem.

I've narrowed it down to the mapquest box module. I tried google maps instead because there was a functional https address, but the images used in the map were still non-secure and it didn't make a difference.

 

 

I want to change this:

 

$data = '<div class="ui-widget infoBoxContainer">' .
' <div class="ui-widget-header infoBoxHeading">' . MODULE_BOXES_LOCATION_BOX_TITLE . '</div>' .
' <div class="ui-widget-content infoBoxContents">' .
' <iframe src="http://mapq.st/embed?q=121+Portobello+Dr+Maugerville+NB" width="215" height="215"></iframe>' .
' </div>' .
'</div>';

 

To this:

 

$data = '<?php if ( $request_type == "NONSSL" ) { ?>' .
'<div class="ui-widget infoBoxContainer">' .
' <div class="ui-widget-header infoBoxHeading">' . MODULE_BOXES_LOCATION_BOX_TITLE . '</div>' .
' <div class="ui-widget-content infoBoxContents">' .
' <iframe src="http://mapq.st/embed?q=121+Portobello+Dr+Maugerville+NB" width="215" height="215"></iframe>' .
' </div>' .
'</div>' .
'<?php } ?>';

 

But on the page I get this:

 

<!--?php if ( $request_type == "NONSSL" ) { ?--><div class="ui-widget infoBoxContainer"> <div class="ui-widget-header infoBoxHeading">Location</div> <div class="ui-widget-content infoBoxContents"> <iframe src="http://mapq.st/embed?q=121+Portobello+Dr+Maugerville+NB" height="215" width="215"></iframe> </div></div><!--?php } ?-->

 

I guess this is probably a security feature. So is there another way to make it so that box module doesn't display on the secure pages?

Thank you again.

Link to comment

That code will not work...

 

having the map on your index page looks bad, why not add a page called 'About Us' add map to that page, ssl problem sorted.

Link to comment

Looking at what Jack_mcs said about the cost of SSL being only $30/year, I think you should get a dedicated SSL and then spend the next 7 days on redesigning the site so that it does not look like 'out of the box OSC'.

 

 

Use 'Feedback on My Store' section for comments on how to make your site look better

Link to comment

There may be a redesign in a little while, but the look of the site is not a priority until the site is functioning again. Also, the look of the store is up to the store owner. I'm helping him with this, but he's the one who gets to make those decisions.

Link to comment

Sounds good to me, but the store owner may or may not accept that solution. I've suggested it.

Link to comment

Uh, no way. You're already in PHP at this point -- what is the point of having <?php...?> embedded within it? I think you want

if ($request_type == "NONSSL") {
     $data = '<div class="ui-widget infoBoxContainer">' .
	' <div class="ui-widget-header infoBoxHeading">' . MODULE_BOXES_LOCATION_BOX_TITLE . '</div>' .
	' <div class="ui-widget-content infoBoxContents">' .
	' <iframe src="http://mapq.st/embed?q=121+Portobello+Dr+Maugerville+NB" width="215" height="215"></iframe>' .
	' </div>' .
	'</div>';
} else {
     $data = '';
}

That will at least have something in $data when it's used later.

 

You should also be aware that some servers (IIS in particular) return '1' instead of 'on' for the getenv('HTTPS') call. You may need to test for either value.

Link to comment

I tried the variation on the map module first. The box module doesn't show in either the secure or non secure pages with ($request_type == "NONSSL") and shows in both with ($request_type != "SSL"). Can bm_location.php check the $request_type when (as far as I know) it only appears in application_top.php? That's more of a curiosity question for me. I'm really hoping I'll be able to successfully pitch the idea of moving the map to its own page (like JLewis suggested).

 

I'm adding the last part to the list to test.

Link to comment

You'll have to look to see where $request_type is defined, and that it is defined on all pages, and all functions on that page that use it mention it in their "globals" list. Check that it always has the expected value "SSL" or "NONSSL".

Link to comment
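The two points from the last replies (accepting both 'on' and '1' for the HTTPS variable, and listing $request_type as a global wherever it is tested) combined in one added example; it is not code from the thread or from osCommerce. The `_sketch` names are hypothetical, and it assumes the box module builds its HTML inside a class method.

```php
<?php
// Added example, not osCommerce code. Names ending in _sketch are hypothetical.

// Accept both values of the HTTPS server variable mentioned in the thread:
// 'on' and '1' (reported for IIS). Anything else counts as non-SSL.
function detect_request_type_sketch(array $server)
{
    $https = isset($server['HTTPS']) ? strtolower((string) $server['HTTPS']) : '';
    return ($https === 'on' || $https === '1') ? 'SSL' : 'NONSSL';
}

class bm_location_sketch
{
    function map_html()
    {
        // The http:// iframe from the thread: it must not be emitted on SSL pages.
        return '<iframe src="http://mapq.st/embed?q=121+Portobello+Dr+Maugerville+NB"'
             . ' width="215" height="215"></iframe>';
    }

    function html_without_global()
    {
        // $request_type here is a new, unset local variable, not the file-level one.
        // null == 'NONSSL' is false and null != 'SSL' is true, which is consistent
        // with the "never shown" / "always shown" results reported in the thread.
        $local = isset($request_type) ? $request_type : null;
        return ($local == 'NONSSL') ? $this->map_html() : '';
    }

    function html_with_global()
    {
        global $request_type; // the file-level value set once per request
        return ($request_type == 'NONSSL') ? $this->map_html() : '';
    }
}

// Constructed server arrays standing in for $_SERVER on different hosts.
$samples = array(
    'Apache-style' => array('HTTPS' => 'on'),
    'IIS-style'    => array('HTTPS' => '1'),
    'explicit off' => array('HTTPS' => 'off'),
    'unset'        => array(),
);

$box = new bm_location_sketch();
foreach ($samples as $label => $server) {
    // Assigned at file level, the way application_top.php sets $request_type.
    $request_type = detect_request_type_sketch($server);
    printf("%-12s %-6s  with global: %-6s  without global: %s\n",
        $label,
        $request_type,
        $box->html_with_global() === '' ? 'hidden' : 'shown',
        $box->html_without_global() === '' ? 'hidden' : 'shown');
}
```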

Archived

This topic is now archived and is closed to further replies.
