SSL detection problem, not secure content - fixed v2.3.1


Karl53


Are you suffering from browsers identifying your shopping cart pages as having unsecure content?

 

When you run the SSL Help contribution (http://addons.oscommerce.com/info/6693) (thank you Jim)

 

myenv.php

 

do you get this error message?

 

The standard osC SSL detection code in /includes/application_top.php may NOT detect your SSL status correctly!!!

 

I did. This is how I fixed it.

 

First, my environment is IIS v6.x running on Windows Server 2003

 

 

In this file: \{catalog}\includes\application_top.php

 

at about line 49, find this line

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

comment it out and replace it with this:

 

$request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL';

 

That's it.

 

 

// NOTES

 

My guess is, this fix should work in any environment where, when you execute the PHP function:

 

phpinfo()

 

the results in the ISAPI section indicate:

 

HTTPS "on"

 

 

If you are not familiar with phpinfo() you can run it like this.

 

Copy and paste this code to a new, blank web page

 

<?php

phpinfo();

?>

 

Save the page as a PHP page. Suggest GetPHPInfo.php.

 

Put it on your site and then load the page in any browser. Look in the resulting page for the above-mentioned ISAPI section and find the value of HTTPS.


Copy and paste this code to a new, blank web page

 

<?php

phpinfo();

?>

 

Save the page as a PHP page. Suggest GetPHPInfo.php.

 

Put it on your site and then load the page in any browser. Look in the resulting page for the above-mentioned ISAPI section and find the value of HTTPS.

 

Alternatively, enter your shop's admin area and go to: Tools > Server Info


Don't save your phpinfo script under such an obvious name. Hackers troll through sites looking for it, and may be able to use the information provided to do serious damage to your site. It's best to keep phpinfo private and hidden.

 

Providing information on SSL doesn't seem to be standardized among server authors. getenv('HTTPS') may return 'on' or '1'. I've heard of servers where the variable name is HTTP_HTTPS (getenv('HTTP_HTTPS') is the proper invocation). $_SERVER['HTTPS'] is not guaranteed to exist on any particular server. The code should probably check a number of different possibilities, until one is found that exists, and the return value also examined. For a given server at a given level, you can experiment and find the proper information (and hard code it in, until the host upgrades), but please don't tell the whole world that this is the one and only way to do it.
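
One way to write the check described in the post above (try several variables until one exists, then examine its value), as an added example that is not part of the thread or of osCommerce. The function names and the sample environments are assumptions made for illustration.

```php
<?php
// Added example, not osCommerce code. Function names are hypothetical.

// Interpret one flag value. 'on' and '1' mean SSL; 'off' is what IIS with
// ISAPI reports for plain HTTP. Anything else is inconclusive (null).
function ssl_flag_value($raw) {
  if ($raw === false || $raw === null) return null;      // variable not set
  $v = strtolower(trim((string) $raw));
  if ($v === 'on' || $v === '1') return true;
  if ($v === 'off' || $v === '0') return false;
  return null;                                           // empty or unknown
}

// Try each variable name in order, first in the $server array and then via
// $env_lookup, until one exists with a recognised value.
function detect_request_type(array $server, array $names, $env_lookup = 'getenv') {
  foreach ($names as $name) {
    $raw = array_key_exists($name, $server)
         ? $server[$name]
         : call_user_func($env_lookup, $name);
    $flag = ssl_flag_value($raw);
    if ($flag !== null) return $flag ? 'SSL' : 'NONSSL';
  }
  return 'NONSSL';  // nothing conclusive: do not claim SSL
}

// HTTP_-prefixed variables are built from request headers, so a client can
// set them. List HTTP_HTTPS only on a host confirmed to set it itself.
$names = array('HTTPS', 'HTTP_HTTPS');

// Constructed sample environments, not captured from real servers.
$samples = array(
  'HTTPS=on'      => array('HTTPS' => 'on'),
  'HTTPS=1'       => array('HTTPS' => '1'),
  'HTTPS=off'     => array('HTTPS' => 'off'),
  'HTTP_HTTPS=on' => array('HTTP_HTTPS' => 'on'),
  'nothing set'   => array(),
);
$no_env = function ($name) { return false; };  // keeps the demo deterministic
foreach ($samples as $label => $server) {
  printf("%-14s -> %s\n", $label, detect_request_type($server, $names, $no_env));
}

// In application_top.php the call would be:
// $request_type = detect_request_type($_SERVER, array('HTTPS'));
```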


Phil,

 

Thanks for the pointer on PHP info.

 

I had not meant to suggest that it is a universal "fix" or that a "fix" is even needed in most situations. I guess I could have worded my post better. But that is also why I specifically mentioned the web server used as well as the OS it was running on. I realize it's not a one size fits all.

 

Karl


Archived

This topic is now archived and is closed to further replies.
