
2.2 to 2.3 upgrade shared SSL issues


ccharp30


I realise there are a million topics on shared SSL issues on here and I have read most of them. They have not solved my problem. I am trying to upgrade a site from 2.2 to 2.3 because of some security holes that have been exploited on 2.2. The shared SSL is working fine on 2.2 (http://www.imageatkatan.com.au/catalog/). On 2.3 it is not working (http://www.imageatkatan.com.au/test/). I am trying on a fresh install of 2.3. Nothing has been changed at all except the configuration file.

 

DESCRIPTION OF THE PROBLEM ON 2.3:

When you try to login or checkout or do anything that requires the secure server it takes you there to login, but does not remember what was in your cart after logging in. If you return to the catalog to add the item(s) back to your cart it forgets you are logged in. It's an endless cycle of not being able to keep anything in your cart or stay logged in!

 

The 2.2 details that work no problem:

 define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

 define('HTTP_SERVER', 'http://www.imageatkatan.com.au'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://s1.web-servers.com.au/~imageatk'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.imageatkatan.com.au');
 define('HTTPS_COOKIE_DOMAIN', '');
 define('HTTP_COOKIE_PATH', '/catalog/');
 define('HTTPS_COOKIE_PATH', '/catalog/');
 define('DIR_WS_HTTP_CATALOG', '/catalog/');
 define('DIR_WS_HTTPS_CATALOG', '/catalog/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/imageatk/public_html/catalog/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
 define('DB_SERVER', 'xxx'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', 'xxx');
 define('DB_SERVER_PASSWORD', 'xxx');
 define('DB_DATABASE', 'xxx');
 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

The 2.3 details that do not work at all:

 define('PROJECT_VERSION', 'osCommerce Online Merchant v2.3');

 define('HTTP_SERVER', 'http://www.imageatkatan.com.au'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://s1.web-servers.com.au/~imageatk'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.imageatkatan.com.au');
 define('HTTPS_COOKIE_DOMAIN', '');
 define('HTTP_COOKIE_PATH', '/test/');
 define('HTTPS_COOKIE_PATH', '/test/');
 define('DIR_WS_HTTP_CATALOG', '/test/');
 define('DIR_WS_HTTPS_CATALOG', '/test/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/imageatk/public_html/test/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 define('DB_SERVER', 'xxx');
 define('DB_SERVER_USERNAME', 'xxx');
 define('DB_SERVER_PASSWORD', 'xxx');
 define('DB_DATABASE', 'xxx');
 define('USE_PCONNECT', 'false');
 define('STORE_SESSIONS', '');

 

Things I have tried on 2.3 that have not worked:

1) set STORE_SESSIONS to 'mysql'

2) set HTTPS_COOKIE_DOMAIN to all sorts of things that didn't work, including s1.web-servers.com.au

3) moved the /test/ directory to /catalog/ and used the EXACT same configuration file that worked in 2.2

4) a million different config settings

5) punching walls, cursing, apologising, etc.

 

I have created the following test account on both versions:

email = [email protected]

pw = testpw

 

Can anyone help solve this mystery?

 

Yes, I realise that a private SSL would likely solve the problem. If I can't find a solution I will just have to tell my client that they will have to get one. However since the shared SSL works on 2.2, why the f*%$ won't it work for 2.3???

 

Thanks,

Chris


Thanks. I have tried what's in that post. My issue is strange in that the exact same shared SSL works fine in 2.2, but not 2.3. As I'm sure you can relate it's very frustrating!!!

 

I am going to have some time at the end of the day to look at this again and I will look through that post in more detail then. In the meantime, hopefully someone comes along that knows why 2.2 and 2.3 differ and can help me sort it out...

 

Thanks,

Chris


****** UPDATE **********

 

I had a good look through the post and it did give me one new idea. I had set the Session stuff in the admin to be the same as the 2.2 install that worked. I played around with those details to be more like what was in your post without much luck.

 

Here is what I have that works in 2.2:

Session Directory /tmp

Force Cookie Use False

Check SSL Session ID False

Check User Agent False

Check IP Address False

Prevent Spider Sessions True

Recreate Session True

 

I also tried

define('HTTP_COOKIE_DOMAIN', '.imageatkatan.com.au');

define('HTTPS_COOKIE_DOMAIN', '.s1.web-servers.com.au');

 

and

define('STORE_SESSIONS', 'mysql');

 

I don't want to give up...I hate giving up, so I would appreciate some more help, but my question is, if I upgrade the client to a private SSL will that solve the problem for sure? They will be pretty pissed if it doesn't!!!

 

Thanks,

Chris


The secure cookie domain setting should be

define('HTTPS_COOKIE_DOMAIN', '.s1.web-servers.com.au/~imageatk');

You could also install a blank shop using the online installer. That will create a working configure file that just requires a few small changes.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


When I try to visit the site my AV says it blocks a javascript iframe trojan horse.

:o

 

After you clean that hack up and try Jack's suggestion, if it doesn't work I have something else for you to try.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


When I try to visit the site my AV says it blocks a javascript iframe trojan horse.

:o

 

After you clean that hack up and try Jack's suggestion, if it doesn't work I have something else for you to try.

 

What page did you get that on? I thought I cleaned it all up.


In the browser address bar I typed: DOMAIN/catalog

 

So unless there is an index.htm or index.html it would be in index.php


In the browser address bar I typed: DOMAIN/catalog

 

So unless there is an index.htm or index.html it would be in index.php

 

That old, hacked OsC 2.2 site was being replaced by the new 2.3. If you go to DOMAIN/catalog/ now you get the new site. The old one has been removed. If you really need access to the old shopping cart I guess I could keep trying to clean it out, but I'd rather not waste that time...I'd rather focus on getting the 2.3 working on the shared SSL.

 

I did try Jack's suggestion. No luck with that either...pretty sure I had tried that one before anyways. Feels like I've tried everything...but I will keep trying.

 

Chris


if it doesn't work I have something else for you to try.

 

Any chance of passing on the info for this so I can give it a shot? Last chance before we go with the SSL cert. And on that note, do people ever have problems with the SSL cert, or is that pretty much going to solve all SSL related problems?

 

Thanks,

Chris


I changed my mind.

 

I doodled with some code over the weekend but didn't get anywhere in a positive direction.

 

I did try, I just didn't get anywhere, and I really don't have a place with shared SSL that I can experiment with the code.

 

The problem with shared SSL is the session can get lost because the shared SSL domain isn't the same as the site domain.

 

And the session ID is stored in a session cookie.

 

When you go to the shared SSL URL you do not have access to any cookies set by your domain. It's a security limitation of cookies, not of PHP or your hosting environment.

 

Obviously there must be a way around it because some sites have no problems at all with shared SSL.

 

And then you have some like yours where no matter what you try nothing seems to work.

 

Personally I've never heard of anyone having session problems like you are experiencing with a properly installed SSL cert, and proper code.

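To make the cookie scoping rule described in the post above concrete, here is an added Python model (not osCommerce code, and not from anyone in this thread) of RFC 6265 domain and path matching, run over the HTTP_SERVER, HTTPS_SERVER and cookie settings posted earlier. The two page URLs are constructed from those values; the path /~imageatk/test/ is assumed from HTTPS_SERVER plus the /test/ install directory.

```python
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

class StoredCookie(NamedTuple):
    domain: str      # responding host when the Domain attribute was empty, else that attribute
    path: str
    host_only: bool  # True when there was no Domain attribute: only that exact host gets it

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: leading dot ignored; a value containing '/' is not a host and never matches."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path matching."""
    if not request_path.startswith(cookie_path):
        return False
    return (request_path == cookie_path or cookie_path.endswith("/")
            or request_path[len(cookie_path)] == "/")

def store_cookie(set_url: str, domain_attr: str, path_attr: str) -> Optional[StoredCookie]:
    """Browser receives Set-Cookie from set_url (RFC 6265 s5.3); None means rejected."""
    host = urlsplit(set_url).hostname or ""
    if domain_attr == "":
        return StoredCookie(host, path_attr, True)
    if not domain_matches(host, domain_attr):
        return None  # Domain does not cover the responding host: cookie ignored entirely
    return StoredCookie(domain_attr.lower().lstrip("."), path_attr, False)

def is_sent(c: StoredCookie, request_url: str) -> bool:
    """Would the browser attach stored cookie c to request_url (RFC 6265 s5.4)?"""
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    host_ok = host == c.domain if c.host_only else domain_matches(host, c.domain)
    return host_ok and path_matches(parts.path or "/", c.path)

HTTP_PAGE = "http://www.imageatkatan.com.au/test/index.php"  # constructed: HTTP_SERVER + /test/
HTTPS_PAGE = "https://s1.web-servers.com.au/~imageatk/test/login.php"  # constructed: HTTPS_SERVER + /test/

def scope_checks() -> dict:
    """Does the session cookie reach the page that needs it, for each setting in the thread?"""
    http_c = store_cookie(HTTP_PAGE, "www.imageatkatan.com.au", "/test/")
    https_c = store_cookie(HTTPS_PAGE, "", "/test/")  # HTTPS_COOKIE_DOMAIN '' and HTTPS_COOKIE_PATH as posted
    https_fixed = store_cookie(HTTPS_PAGE, "", "/~imageatk/test/")  # path as actually served on the SSL host
    with_path = store_cookie(HTTPS_PAGE, ".s1.web-servers.com.au/~imageatk", "/test/")
    return {
        "http cookie -> http catalog": is_sent(http_c, HTTP_PAGE),
        "http cookie -> shared SSL host": is_sent(http_c, HTTPS_PAGE),
        "https cookie, path /test/ -> SSL pages": is_sent(https_c, HTTPS_PAGE),
        "https cookie, path /~imageatk/test/ -> SSL pages": is_sent(https_fixed, HTTPS_PAGE),
        "Domain attribute containing a path is stored": with_path is not None,
    }
```

The first two entries show the loss described above: a cookie scoped to the shop's own host is never offered to the shared SSL host, whatever its Domain attribute says, and the remaining entries show how the cookie path and Domain attribute on the SSL side decide whether a session set there survives at all.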

Thanks for your time on this matter. I have convinced the customer to go with the SSL cert.

 

Chris

