Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

hostgator shared ssl question....


GoTTi

Recommended Posts

hostgator offers a free SSL option that we have where we can use the shared SSL cert...the only issue with it is your entire site address has to change....

 

it has to look like https://SERVERsecure.hostgator.com/~ACCOUNTNAME/ so that just makes everything look wierd....

 

now, if i wanted a payment gateway installed with say authorize.net where i can process the payments right off the site, is it possible to just turn that checkout page into the shared ssl and make it https:// only on the checkout and then come back to the http after its all processed and done?

Link to comment
Share on other sites

in my view, shared ssl offered by host is useless and they assume you know little about ssl so they trick customers into thinking its an extra benefit. anyone who is serious about running an online shop should have their own ssl, one that issued to their domain, it doesnt cost much nowadays. if you cant afford or not prepare to get one, then its better not to use any ssl at all.

if you insist using shared ssl, osc's own coding takes care itself where to use ssl (shared or otherwise) where not to. the same can be said to dedicated ssl.

Ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Link to comment
Share on other sites

GoTTi - That's how shared ssl's have to appear. SSL's can only be for one domain name so that domain has to be in the url. The account name at the end is how the server knows the ssl if for your site and not someone elses. That url should only appear on your secure pages, create account, account, login and the checkout pages. You shouldn't change that operation. All of those pages should be secure.

 

Ken - There's no difference between a shared and private ssl certificate other than the domain name it is issued for. The exception is if one wanted to pay for a higher priced cert, maybe, though that is a waste of money. So there's no tricking going on. Anyone who uses the shared ssl is getting an actual ssl for free. Many of our hosting members use ours and have for years without any problems. To say to not use one if it can't be a private one is incorrect. Plus, in my opinion, the majority of web surfers have no idea if a stie is using a shared ssl or a private one. They just look for the lock and maybe https. Not having an ssl would mean those don't appear and it will couse a loss of sales.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

well, that may be true in the states. here in the UK, onlineshoppers are constantly advised either on TV or government supported websites educating about online security that they should check the padlock and click on the padlock to examine the ssl certificate. and the difference could be fatal that a browser eg IE if setup by default, i suspect, could give out an alert, when switching to shared ssl urls, because of the change of domains, although i havent got a shared ssl to test as yet. in any case, a shared ssl url doesnt look great and could be very ugly depending on your luck with regard to what the server/hpst happens to be called.

 

ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Link to comment
Share on other sites

We have hosting members that are in the UK and that use our shared ssl so I don't see that that makes a difference. But the fact that people are told to look for the lock is why an ssl is required (news shows in the States do the same thing). Shared ssl's do show the lock. They function exactly the same as a private ssl. If an alert is given, then there is something wrong with the shops setup. Some shop owners don't like the url a shared cert causes, as evidenced by the op, but, as mentioned, that is probably more important to the shop owner than the average customer. If a shop owner doesn't want the url to be formatted that way, then the only choice they have is to purchase a private cert. But some hosts won't allow just any cert and some charge up to $5/month for the required private IP so the cost for the year could easily be $100 and that is not something many startup shops can afford. The shared ssl is a perfect solution in those cases and is a much, much better choice than not having one at all.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

with hostgator and the shared ssl the only issused for me are that the doman name looks funky, and the customer actually will get a warning and continue to site page when the ssl is site is accessed....and i know from my own experience that warning is ugly and makes me nervous when browsing a site so i just close the site and go somewhere else. and if i do that, then that means others will. most people will not understand what a shared ssl is.

 

i do appreciate hostgator offering that to us as customers. i never knew about until the past few days.

 

because im on the baby croc style account, and if i wanted the ssl cert myself, they would do it for $50 a year, and $2 more a month tio have a dedicated IP. because of the fact that there is that warning page and the weird domain name, i just might go ahead and get that done...

 

now having a site with a ssl cert is the same as having it without one right? i just change 2 lines of code in the config file and i shouldnt have any issues right?

Link to comment
Share on other sites

FYI, the true cost of an SSL cert is $10 (which is what i charge anyway - i dont make money out of hosting or SSL - just charge what it actually cost me). if they dont allow you to use a third party SSL cert, then i suspect they want to make quite a bit of money out of it. $2 for an IP is quite reasonable though (again the true cost is $1 if purchased by batch like a host would).

if you have your own SSL cert, then yes. the only difference RE urls is an SSL protected page will have https:// as compared with http://

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Link to comment
Share on other sites

i activated the ssl on the cart again to see it in action and i see a few issues already...with ssl activated...using IE9....i login to store, add some items to cart and its not https, then i start doing the checkout process and it switches up to https://secureblablabla...for the shared hostgator stuff....then i try to move aorund the site and go back to checkout and its like the items arent in the cart then they are. its not saving the cart items when i have to relogin on the secure sitde....

 

if im using firefox it seems to be working fine. holds cart data. allows for test checkout all the way. cart gets emptied after test charge.

 

IE wont do what firefox is doing. dunno...

 

im not going to have this problem if i get the ssl cert with hostgator and dedicated IP will i?

Link to comment
Share on other sites

with hostgator and the shared ssl the only issused for me are that the doman name looks funky, and the customer actually will get a warning and continue to site page when the ssl is site is accessed....and i know from my own experience that warning is ugly and makes me nervous when browsing a site so i just close the site and go somewhere else. and if i do that, then that means others will. most people will not understand what a shared ssl is.

 

i do appreciate hostgator offering that to us as customers. i never knew about until the past few days.

 

because im on the baby croc style account, and if i wanted the ssl cert myself, they would do it for $50 a year, and $2 more a month tio have a dedicated IP. because of the fact that there is that warning page and the weird domain name, i just might go ahead and get that done...

 

now having a site with a ssl cert is the same as having it without one right? i just change 2 lines of code in the config file and i shouldnt have any issues right?

You are getting that warning because of a problem on your page. It's not due to the shared ssl. If you purchase an ssl, you will still have that problem. This assumes you have the configure files setup properly, of course. I'm guessing you didn't mean to say the following since that doesn't make any sense. It is like saying "holding a pencil in my hand is the same as not holding a pencil in my hand."
having a site with a ssl cert is the same as having it without one right?

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

i activated the ssl on the cart again to see it in action and i see a few issues already...with ssl activated...using IE9....i login to store, add some items to cart and its not https, then i start doing the checkout process and it switches up to https://secureblablabla...for the shared hostgator stuff....then i try to move aorund the site and go back to checkout and its like the items arent in the cart then they are. its not saving the cart items when i have to relogin on the secure sitde....

 

if im using firefox it seems to be working fine. holds cart data. allows for test checkout all the way. cart gets emptied after test charge.

 

IE wont do what firefox is doing. dunno...

 

im not going to have this problem if i get the ssl cert with hostgator and dedicated IP will i?

That's all because you don't have the configre file setup correctly. See How to setup a configure file for how to fix that. And, yes, you will have the same problems with a private cert, assuming the configure file is still not setup correctly.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

well i realized i didnt change the cookie domain, which i think was causing the issue...so now its setup looking something like this

 

 

  define('HTTPS_SERVER', 'https://secureHOST.hostgator.com/~ACCOUNT');
 define('ENABLE_SSL', true);
 define('HTTP_COOKIE_DOMAIN', '');
 define('HTTPS_COOKIE_DOMAIN', 'secureHOST.hostgator.com/~ACCOUNT');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');

 

i think before i also had the trailing slash on SERVER....seems to be working now with IE9. thats good news. ill do some more test and make sure its running right. the store isnt fully live yet so i have time.

 

before i didnt have anything in the cookie_domain area. ive read that page you linked...he doesnt explain that part well. should i have something int he cookie_path also or should i leave it as is? are my settings looking somewhere right?

 

i am only editing the config file in includes, not admin/includes

Link to comment
Share on other sites

here is a toypical setup taken from a live site:

define('HTTP_SERVER', 'http://www.yourdomain.com');
 define('HTTPS_SERVER', 'https://www.yourdomain.com');
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
 define('HTTPS_COOKIE_DOMAIN', 'www.yourdomain.com');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');

incidentally, i have clients in the states none of them uses shared ssl because they are all *serious* business. if you are a spare time online shop owner, then i suggest you dont need any kind of ssl at all before it really takes off (if at all), especially the ugly shared ssl, that would save you lots of trouble - no one would be stupid enough to spend time to do this "sitting in the middle trying to intercept info/data transferring from pc to server" sort of thing, given that web traffic is so insignificant - who would go fishing when there is only in the water occasionally 1 or 2 fish passing by?

the alert caused by change of domain has nothing to do with web setup.

ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Link to comment
Share on other sites

  define('HTTPS_SERVER', 'https://secureHOST.hostgator.com/~ACCOUNT');
 define('ENABLE_SSL', true);
 define('HTTP_COOKIE_DOMAIN', '');
 define('HTTPS_COOKIE_DOMAIN', 'secureHOST.hostgator.com/~ACCOUNT');

 

i think before i also had the trailing slash on SERVER....seems to be working now with IE9. thats good news. ill do some more test and make sure its running right. the store isnt fully live yet so i have time.

 

before i didnt have anything in the cookie_domain area. ive read that page you linked...he doesnt explain that part well. should i have something int he cookie_path also or should i leave it as is? are my settings looking somewhere right?

You generally need the cookie domain set, even the non-ssl one. It may work without it, depending upon your server situation but that is just guessing. So the entry for HTTP_COOKIE_PATH should be your domain name, like www.mydomain.com.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

what about cookie path for the ssl on shared hostgator? does that need to be named something specific?

That's fine as it is.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

ok just to make sure i have this 1 set right for the time being...

 

this is from another store im working on. is this setting right in the config?

 

 

define('HTTP_SERVER', 'http://www.SITE.com');

define('HTTPS_SERVER', 'https://secureSERVERNUMBER.hostgator.com/~ACCOUNT/SITE.com');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', '');

define('HTTPS_COOKIE_DOMAIN', 'www.SITE.com');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '/');

Link to comment
Share on other sites

ok just to make sure i have this 1 set right for the time being...

 

this is from another store im working on. is this setting right in the config?

 

 

define('HTTP_SERVER', 'http://www.SITE.com');

define('HTTPS_SERVER', 'https://secureSERVERNUMBER.hostgator.com/~ACCOUNT/SITE.com');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', '');

define('HTTPS_COOKIE_DOMAIN', 'www.SITE.com');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '/');

No, you didn't set fine('HTTP_COOKIE_DOMAIN', '');.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

Back to the original question:

hostgator offers a free SSL option that we have where we can use the shared SSL cert...the only issue with it is your entire site address has to change....

 

it has to look like https://SERVERsecure.hostgator.com/~ACCOUNTNAME/ so that just makes everything look wierd....

 

now, if i wanted a payment gateway installed with say authorize.net where i can process the payments right off the site, is it possible to just turn that checkout page into the shared ssl and make it https:// only on the checkout and then come back to the http after its all processed and done?

 

I agree that a shared SSL URL looks a little funky and could easily scare off customers. I'm not quite sure what you're aiming for here... osC normally uses SSL only for a few select pages involving sensitive information. If you're looking to set up a merchant account and payment gateway, you might as well spring for a private SSL certificate (and associated costs, such as a dedicated IP address), as the cost of the MA/PG is going to dwarf the cost of private SSL (especially once you pay for PCI-DSS certification so that you can handle customer credit card numbers). I'm not even sure that shared SSL will pass a PCI-DSS audit. Customers are still going to see your funky URL during credit card information entry, and may be frightened off.

 

Frankly, if you're pinching pennies to the extent that you're worried about the cost of a private SSL certificate, I think you'd be far better off using a third party payment system such as PayPal. That way, you don't even really need to have SSL capability, although customers may be a bit more willing to spend if they see SSL in use for passwords, etc. For such uses, a shared certificate may not scare off too many customers, as using one for a MA/PG likely would. As your business grows, you can eventually afford a private SSL certificate, and look more professional. Eventually you may have the volumes to make a MA/PG a viable alternative, and you'll be ready with SSL.

Link to comment
Share on other sites

To be clear, for those that might be confused by some of the statements made here, a shared ssl certificate is absolutely the same as a private one as far as how it works and the benefits it offers, assuming the same level of cert is purchased for both. The only significant difference is the url. In the best of all choices, a private ssl is preferred for that reason but it is really a minor point. I don't think many regular customers know the difference, nor would they care. If the lock is showing and the url has https, that is al that matters to most.

 

But choosing not to have an ssl because it is shared and running the shop without one is a mistake. The payment options would be secure as long as one of the external payment modules is used, like paypal, but your customers data is wide open. And even little old grandmothers know that the lack of the lock and https, which would occur in that case, is a mistake and will leave such sites. So running without an ssl certificate will definately cause lost sales.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

to make it even clearer, there are actually TWO differences between a shared ssl and a genuine ssl (one that issued to the domain ONLY): apart from urls, another significant difference is, when click on the padlock, which every grand-kids would know, it will state that the ssl is issued to someone/company who the potential customers would not expect and know nothing about - they would surely expect it to be the domain/website they are visiting, as they dont know/understand shared ssl, they would see this is dodgy and likely to steer away for another website to do the shopping, unless you are the only one selling moon stone.

so the chances of losing sales for a far less popular shop without ssl would be the same as one that uses a shared ssl, if not greater for the latter.

ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Link to comment
Share on other sites

Yes, the certificate is issued to someone else. I thought that was clear already. I suppose that is possible that it would scare someone off but I truly doubt it. I never look at a sites certificate - even for my own purchases - there just isn't reason to. And if it was different than the domain name of the site, I wouldn't think twice about using the site. What difference would it make? As mentioned, we have shops that host with us that use our shared ssl and have done so for years. We've had others that started out using it and decided it wasn't for them, many due to the appearance issue, and decided to go with a private ssl. I'm not saying a shared ssl is preferable over a private one but it is certainly a better option than none at all and is a good solution for those shops that can't afford, or just don't want to pay for, a private ssl.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

An idea: since the concern is that a shared SSL URL is kind of funky looking and unexpected (e.g., you're in http://trustworthybusiness.com/index.php and you click on a link and all of a sudden you're in https://someothercompany.com/~someOddName/enterPassword.php), how about adding a notice next to the link/button to SSL pages, letting customers know they'll be temporarily transferred to such-and-such URL? That would reassure them that indeed this odd URL is legitimate. The message would only appear if its text is defined in configure.php, so that if you are not using SSL, or are using a private certificate, no extra message shows up.

 

No SSL, or using private SSL certificate. In configure.php,

define('SHARED_SSL','');

[ LOGIN ]

 

Using a shared SSL certificate. In configure.php,

define('SHARED_SSL','<b>Note: this button or link will temporarily take you to a secure page https://MyServerName.MyHostName.com/~MyAccountName/<path_file>.This is normal.</b>');

[ LOGIN ] Note: this button or link will temporarily take you to a secure page https://MyServerName.MyHostName.com/~MyAccountName/<path_file>. This is normal.

 

Any place you have an SSL link, you would output SHARED_SSL after the </a>. You might repeat the tep_href_link() call to generate the actual URL (rather than hard coding it in the text), so it will be consistent with what the customer actually sees. It might even be best to have a new function to handle this, so the proper URL is generated and the proper language is used.

 

There's probably no need to do this on the admin side, as you should know about the shared SSL certificate. Now you've got the best of both worlds -- SSL protection where it's needed (on the cheap), and (most) customers not scared off by the jump to an odd looking URL. Admittedly it still looks a bit nonprofessional, and as soon as you can afford it you should probably move up to a private SSL certificate.

Link to comment
Share on other sites

not having

 

define('HTTPS_COOKIE_DOMAIN', 'www.SITE.com');

 

set seems to not make the store work right on viewing basket or checking out....seems to say the basket is empty after i add something to it and start checkout process

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...