webdev-cms Posted August 16, 2011

Hi there,

I am experiencing a bit of an ongoing problem with my shopping cart since having an SSL certificate installed. A little bit of history first to say that my OSCommerce shop is setup to be accessed only when someone clicks on a product at my main website. Only the OSCommerce shop portion of my website is currently encrypted.

The initial install of the SSL certificate produced some problems for OSCommerce which my ISP were able to fix for the most part. Changes were made to both configure.php files in shop/catalog/includes and shop/catalog/admin/includes folders to enable OSCommerce for SSL, using the instructions from the OSCommerce manual.

Currently however, there still remains one outstanding problem and that is, when I test my shopping cart process to ensure that it is working properly each day, I sometimes encounter the following intermittent problem after selecting a product and once in the shopping cart:

When I click 'checkout' when in shopping_cart.php to continue the purchase process, I should then be taken to the 'Delivery Information' page which displays my name, address and how much shipping will be charged. Instead, 'sometimes' I get put back into shopping cart at the page titled 'What's in my Cart', with a message below this saying that my 'cart is empty'?

I am not experienced with PHP but have tried to look through the code to see if there is something missing or wrong. I have asked my ISP to look into this to see if there is still something wrong with respect to the SSL certificate installation that could be affecting this, but their position is that they do not know enough about OSCommerce to do much. I have checked the knowledge base here at this forum and haven't seen anything that matches this problem, so I am hoping that someone might recognize what is going on here and could offer a solution or at least some possibilities as to what is happening.

Thanks for reading!

John D

Guest Posted August 16, 2011

John,

The issue is how you are sending the products into the checkout process. You said " A little bit of history first to say that my OSCommerce shop is setup to be accessed only when someone clicks on a product at my main website."

This is the issue, you can't send products to the cart, all products MUST be chosen and added to osCommerce while IN osCommerce. You are losing your OSCID by trying to add a product to the cart from outside the cart. osCommerce is a FULLY functional ecommerce solution that should stand alone. You can link to osCommerce from your static site, but you can not display products on your static site and place them into osCommerce from that static site. Doing so will fail to receive an OSCID which is vital for the completion of the checkout process.

Chris

webdev-cms Posted August 16, 2011

Thanks Chris for your quick reply.

I should explain that OSCommerce resides in a sub-directory of my main website and was setup in such a way that when someone clicks on a buy button at my static site, they are then directed to the shopping cart to complete the checkout process in OSCommerce. My static site does not place products in OSCommerce, all of my products were pre-loaded into the MySQL database which OSCommerce uses to process a sale.

OSCommerce WAS functioning well before the SSL certificate was installed, as I have had a few sales since setting up the shop. My ISP changed platforms a couple of months ago and after this, I had the certificate installed. It was after both of these events that my shopping cart started to malfunction. It still functions to process sales, but intermittently, the aforementioned problem happens where the purchase is somehow lost?

Do you still feel that this is an OSCID issue, if so, I don't understand how the checkout process is working fine one moment and then not the next? Could you please explain a bit further.

Thank you.

John D.

Guest Posted August 16, 2011

John,

Perhaps you could post your link or PM it so I can test the site's functionality?

Chris

webdev-cms Posted August 16, 2011

Here is the URL : www.classicalmusicsentinel.com

Thanks,

John

webdev-cms Posted August 17, 2011

So Chris,

Did you have a chance to look at my site? I noticed what looks like a test purchase in my OSCommerce, was this from you? If so, it would appear that everything went well with this particular process but the issue still remains. Any ideas?

If anyone else has any thoughts on this particular issue, please feel free to jump in.

Thanks,

John D.

webdev-cms Posted August 17, 2011

Here is the URL : *** URL removed ***

Thanks,

John

♥kymation Posted August 17, 2011

I ran a quick check. I was able to add items to the cart, but did not proceed with an order, as I felt that sufficient. So here's my theory:

1. Customer's browser accepts cookies: The first time a customer hits an osCommerce page, the cookie is set. All subsequent hits to osC pages retrieve the cookie. Since session is maintained by the cookie, everything works as expected.

2. Customer's browser does not accept cookies, or the cookie is not saved. The first time the customer tries to add something to the cart, the cart may or may not work. I haven't had time to test this to be certain, although I think it will work. However, if the customer then goes back to one of your HTML pages outside the cart, the session is lost, and the cart will be empty if the customer goes back to it. This is because there is no way of carrying session through your HTML pages.

You can test this by disabling cookies in your browser and then trying to purchase multiple items.

Regards

Jim

See my profile for a list of my addons and ways to get support.

webdev-cms Posted August 17, 2011

Hi Jim,

Thanks for taking a look - I think you might be onto something!

The cart seems to be behaving well in the past 24 hours which is good but does not provide anyone taking a look the opportunity to see the issue that happens intermittently.

I did a little reading since posting, in particular on 'forcing cookie usage'. A couple of things make sense to me from what I've read: One, that session ids can be lost for different reasons (bad code, security breaches, changes in site), and two, to retain the oscid in URLs is not a good idea from a security point of view. If I understand correctly, forcing cookies will help to ensure that sessions are not lost through the process. I did not have this set previously but have now enabled force cookie usage, and will monitor this situation to see if this corrects the intermittent problem.

Btw, your last remark prompts me to ask, if session ids are being used is there a need for cookies? I will try your suggestion and turn off cookies to see if the cart can complete the sale.

Thanks again!

♥kymation Posted August 17, 2011

There are two ways to maintain session:

1. Set a cookie on the customer's browser. This is generally the best way, but some customers have settings that prevent setting cookies.

2. Add a SID (Session IDentifier) to the URL.

osCommerce uses a SID (named oscsid) until a cookie is successfully retrieved. Customers who don't return the cookie when requested get a SID added to all links in osC. This SID will be lost when the customer clicks on a link outside osC. Of course it can also be lost due to security breaches. You should take care that hackers don't break into your store.

Setting Force Cookie Use to true will mean that customers who do not accept cookies for whatever reason will see the cookie_usage.php message when they try to add an item to the cart. I have found that some of these people are computer illiterate and will not be able to change their settings, while the rest are unwilling to change their settings. That means that you will lose these customers. You are the best person to judge how many of your customers fall into this category and whether you are willing to lose these customers.

As you mentioned in your first post, the cart seems to be lost sometimes when it should not be. I have observed cases where the cookie failed to save for some reason not connected to the browser settings. This seems to happen intermittently. This will also result in lost customers.

Regards

Jim

See my profile for a list of my addons and ways to get support.

webdev-cms Posted August 17, 2011

Thanks Jim.

I guess it comes down to the lesser of two evils. Force cookies and possibly lose some customers or reinstate oscid sessions and accept that some may be lost due to cookies not being retained. Hopefully there is a third option that will become obvious through a little more digging on this issue.

Thanks again for your time and wisdom.

Cheers,

John D.

♥kymation Posted August 17, 2011

I can think of two ways to fix the SID problem.

1. Move all of your product pages into osCommerce.

2. Add the osC application_top.php to all of your HTML pages and tell your server to process them as PHP. This is a bit tricky and requires an Apache server.

Regards

Jim

See my profile for a list of my addons and ways to get support.

webdev-cms Posted August 17, 2011

Thanks Jim.

I do have all of my product IDs, covers, prices, etc., in OSCommerce, but the purchase process starts with a customer clicking on a buy button from my static site. I know that this is not the conventional method for running OsC but as my site is an information site, first and foremost, and a way to sell CDs, second, I thought that having the shop separate would be more practical and logical.

I am on an Apache server and so will look into your second suggestion Jim.

Incidentally, after my previous post I tested the cart again and it was not working - go figure? So am I assuming that the force cookie usage is not making a difference. Btw, in order to see this issue in action, you would need to create an account and go past the login page to see the empty cart result instead of being taken to 'Delivery Information'.

Back to the drawing board! :)

blackwater Posted August 17, 2011

There may be one or more configuration issues with your site.

If customer enters your site without www. on the domain name, they will get a message that cookies are not enabled in their browser when "Buy" is pressed; even though cookies are enabled.

Check the cookie and SSL domain in configuration. Not sure what version you are using, eg:

HTTP_SERVER, 'http://www.yourdomain.com'
HTTPS_SERVER, 'https://www.yourdomain.com'
HTTP_COOKIE_DOMAIN, 'www.yourdomain.com'
HTTPS_COOKIE_DOMAIN, 'www.yourdomain.com'
HTTP_COOKIE_PATH, '/'
HTTPS_COOKIE_PATH, '/'

If HTTP/HTTPS_SERVER and HTTP/HTTPS_COOKIE_DOMAIN definitions are set with prefix of www., then customer must be coming from "www". You can use .htaccess or PHP to force visitors to www. upon entering site or let your host do it for you.

webdev-cms Posted August 17, 2011

Thanks Paul.

Those settings look right. My domain is setup to accept both www/non-www. The HTTP_COOKIE_PATH, '/' HTTPS_COOKIE_PATH, '/' is set to shop/catalog as the shop sits in a sub-directory.

I initially thought I'd have to have a 301 redirect in place after having the SSL certificate installed but then realized this wouldn't be necessary as the shop is not in the root of the directory. Strange thing when I did have a 301 in place as I thought the whole site needed to be https, the shopping cart would not work so I removed the 301 redirect from the .htaccess in my main site.

Btw, does it make a difference to OsC if your directory is public_html as opposed to www? I have been wondering about this.

blackwater Posted August 17, 2011

John

"public_html" is the common name for the web server's root public folder on linux. On some servers you will see a www created by the hosting provider, but you should not do anything with it, it may just be a symbolic link.

If customer enters your site without www. on the domain name, they will get a message that cookies are not enabled in their browser when "Buy" is pressed; even though cookies are enabled. Start with this fix.

try:

HTTP_COOKIE_PATH, '/'
HTTPS_COOKIE_PATH, '/'

webdev-cms Posted August 18, 2011

Thanks Paul.

Can you explain please, the difference between having shop/catalog and '/' ?

John D.

blackwater Posted August 18, 2011

As expected, they are pointing to two different locations. It also depends on how the server is configured considering any aliases used for your site. You should use whatever is put there if you installed oscommerce the normal way from /shop/catalog/.

I was curious about why site was saying cookies not enabled in browser when it was. Based on my first post, you said the settings look right; so, HTTP_COOKIE_PATH, HTTPS_COOKIE_PATH, should be pointing to HTTP_COOKIE_DOMAIN, 'www.yourdomain.com' HTTPS_COOKIE_DOMAIN, 'www.yourdomain.com' which is the root where "/" is recognised for.

This may or may not be the issue with the cookies, but the other problem you described could be related to the address information when you click confirm. If Osc does not find a valid city, state and zip match in verification for customer, then you will experience that issue of empty cart and logoff. This is the case with version 2.3.1. that I know of.

If you still have issues, post your configs (masking confidential info) and post also any aliases you are using.

BryceJr Posted August 18, 2011

Bring out the popcorn and start with this >>What is the osCsid & why you must not loose it. Why your customers can see each others details or loose their cart

webdev-cms Posted August 19, 2011

Thanks Paul.

The version of OsC that I am running is 2.2.

Regarding my settings in configure.php, the settings you posted are consistent with what I have with the exception of HTTP_COOKIE_PATH, HTTPS_COOKIE_PATH, which is set to catalog/shop rather than my domain. I have never gotten the message you refer to regarding cookies not enabled until I set 'Force Cookie Usage' to true, yesterday. Then I started getting the cookie_usage.php page.

Something I have been wondering about is what the consensus is with respect to whether it is necessary to change both catalog/includes/configure.php AND catalog/admin/includes/configure.php, when enabling SSL. The manual does not mention changing the version within the admin folder but I have read here at this forum that both should be set to true. I had changed both based on the advice and instructions I have read here and at other sites.

I will try and post my configure settings tomorrow when I have a chance.

@Bryce : Thanks for the link. I have read quite a bit of that thread and one that was posted by Robert Fisher on the same subject. Good stuff in both that I found made a lot of sense.

Cheers,

John D.

webdev-cms Posted August 19, 2011

Good day,

OK, finally found a moment to post my config settings :

First up : catalog/includes/configure.php

<?php
define('HTTP_SERVER', 'http://mydomain.com');
define('HTTPS_SERVER', 'https://mydomain.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'mydomain.com');
define('HTTPS_COOKIE_DOMAIN', 'mydomain.com');
define('HTTP_COOKIE_PATH', '/shop/catalog/');
define('HTTPS_COOKIE_PATH', '/shop/catalog/');
define('DIR_WS_HTTP_CATALOG', '/shop/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/shop/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

Next up is catalog/admin/includes/configure.php :

<?php
define('HTTP_SERVER', 'http://www.mydomain.com');
define('HTTPS_SERVER', 'https://www.mydomain.com');
define('HTTP_CATALOG_SERVER', 'http://www.mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://www.mydomain.com');
define('ENABLE_SSL_CATALOG', 'true');
define('DIR_FS_DOCUMENT_ROOT', '/home/users/web/c444/nf.hostdomain/public_html/mydomain.com/shop/catalog/');
define('DIR_WS_ADMIN', '/shop/catalog/admin/');
define('DIR_FS_ADMIN', '/home/users/web/c444/nf.hostdomain/public_html/mydomain.com/shop/catalog/admin/');
define('DIR_WS_CATALOG', '/shop/catalog/');
define('DIR_FS_CATALOG', '/home/users/web/c444/nf.hostdomain/public_html/mydomain.com/shop/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

I have blocked out domain and hostdomain creds for security purposes and left out user/password information. Everything else is as it is indicated in respective files.

One thing I was wondering about is, I have looked at other config files that have been posted here at this forum and noticed that many do not list both HTTP_SERVER/HTTP_SERVER in both configure files just HTTP_SERVER, whereas my configure file indicates both HTTP and HTTPS. Is this because I have an SSL certificate installed?

The issue with an empty cart result after logging in is still happening. Jim/Paul and anyone else who would like to take a look, I'd appreciate your thoughts on whether everything is right with the settings above.

Many thanks.

John D.

♥kymation Posted August 19, 2011

You appear to be missing part of the catalog/includes/configure.php that looks like this:

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/home/users/web/c444/nf.hostdomain/public_html/mydomain.com/shop/catalog/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

If yours is different, please post the difference.

The define for HTTPS_SERVER is not used in a stock osCommerce install. Perhaps you have added something that uses it. In any case, it appears to be correctly defined, and it will simply be ignored if it's not needed.

I don't see anything else that's different from a stock install.

Regards

Jim

See my profile for a list of my addons and ways to get support.

webdev-cms Posted August 19, 2011

Thanks for taking a look and addressing my questions Jim.

The missing part is consistent with what you have posted so I guess everything is in order with my settings which is good. One less thing to be concerned about.

The issue of the empty cart after login persists intermittently. I am fairly sure that this problem was created specifically after the SSL certificate was installed which coincided with a switch to a new hosting platform that my ISP effected this past June.

In your opinion, is there anything that you know of from the point of view of SSL that could cause issues if something is missed or changed during an SSL installation? I had sales before the installation with no such issue.

♥kymation Posted August 19, 2011

It's possible. I've never installed an SSL cert myself and I don't know everything there is to know about them.

One thing that did occur to me: an SSL cert may be issued only for the main domain and not for sub-domains. This means that example.com would work, but www.example.com would not. The opposite is also possible. Try to find out what domain your cert is valid for.

I see that your catalog-side configure file is the bare domain while the admin config uses the www. That is also a bit odd.

If you haven't already done this, try adding the following to your root .htaccess file:

RewriteCond %{HTTP_HOST} ^www\.example\.com
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

That may fix the problem, break everything, or do nothing at all. All of those results tell us something.

Regards

Jim

See my profile for a list of my addons and ways to get support.
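
An added example (not part of the post above, and not osCommerce code) of the certificate check suggested there: read the DNS names from the certificate a server presents and test whether they cover both the bare and the www host. The host example.com and all function names are placeholders chosen for this illustration.

```python
# Added illustration; example.com and the helper names are assumptions.
import socket
import ssl
import sys


def fetch_dns_names(host, port=443, timeout=5.0):
    """Return the subjectAltName DNS entries of the certificate served for host.

    The chain is still validated against the system trust store; only the
    hostname check is switched off so that a certificate issued for a
    different name can still be read instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # Modern clients ignore the subject CN, so only SAN entries are returned.
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covers(pattern, host):
    """RFC 6125 style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def coverage(dns_names, hosts):
    """Map each host to True if at least one certificate name covers it."""
    return {h: any(name_covers(n, h) for n in dns_names) for h in hosts}


if __name__ == "__main__":
    # Usage: python certnames.py example.com   (pass the bare domain)
    bare = sys.argv[1]
    names = fetch_dns_names(bare)
    print("certificate names:", names)
    print(coverage(names, [bare, "www." + bare]))
```

A host that maps to False is one on which visitors get a certificate warning, so HTTPS_SERVER and any redirect should point only at a host that maps to True.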

blackwater Posted August 19, 2011

I too would suggest putting "www." on these:

define('HTTP_SERVER', 'http://mydomain.com');
define('HTTPS_SERVER', 'https://mydomain.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'mydomain.com');
define('HTTPS_COOKIE_DOMAIN', 'mydomain.com');

I had a look at the cookie created in the browser cache and it begins with www. Forcing customers to www. with .htaccess as Jim suggested is sometimes necessary. It's creating the cookie, but it appears the browser sometimes fails to find it when requested.
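
An added illustration, not part of the thread or of osCommerce: the RFC 6265 domain and path rules a browser applies to a session cookie, run against the www / non-www and cookie-path combinations discussed in the posts above. The hosts, URLs and function names are constructed for the example.

```python
# Added illustration; URLs and names below are constructed placeholders.
from urllib.parse import urlsplit

# Constructed sample entry points: bare host, www host over HTTPS, static page.
SAMPLE_URLS = [
    "http://example.com/shop/catalog/shopping_cart.php",
    "https://www.example.com/shop/catalog/checkout_shipping.php",
    "http://www.example.com/index.html",
]


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain
    of it. (IP-address hosts, which must match exactly, are not handled.)"""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: the cookie path is a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def verdict(url, cookie_domain, cookie_path):
    """What happens to the session cookie for a visitor on this URL."""
    parts = urlsplit(url)
    if not domain_match(parts.hostname, cookie_domain):
        # A Set-Cookie whose Domain does not match the responding host is
        # discarded, so the shop sees no cookie come back from this visitor.
        return "rejected"
    if not path_match(parts.path or "/", cookie_path):
        # The cookie stays in the browser but is not attached to this request.
        return "not sent"
    return "sent"


def audit(cookie_domain, cookie_path, urls=SAMPLE_URLS):
    """Return {url: verdict} for one COOKIE_DOMAIN / COOKIE_PATH pair."""
    return {u: verdict(u, cookie_domain, cookie_path) for u in urls}


if __name__ == "__main__":
    for domain, path in [("www.example.com", "/"), ("example.com", "/shop/catalog/")]:
        print(domain, path)
        for url, result in audit(domain, path).items():
            print("  %-9s %s" % (result, url))
```

A "rejected" row is the case where a visitor with cookies enabled is still treated as having none, which is why the cookie domain has to agree with the host name visitors actually arrive on.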
This topic is now archived and is closed to further replies.