
osCommerce


SSL and session loss?


Guest


I have read about 100 posts on this and it seems no one comes back and lets anyone know if they solved their problem with losing sessions on a shared SSL cert site (using the webhost's cert) when going into SSL for checkout.

I have tried a dozen configurations in my configs but can't seem to get a change or pass the session properly to the new URL. I do have my own cert but it isn't installed yet and I am waiting on them to do so, which could take a few days. I would rather get a head start and learn about how the sessions work now so I know what I have to do when the cert is installed.

How are the configs supposed to be set up for a shared cert vs. your own SSL certificate? Any help is appreciated. osCommerce is what I have been looking for to use as my e-commerce solution but I can't seem to get it going securely.


I think I found a hint on this wiki page about using MySQL for sessions on shared servers. I think I may need to implement this but I am not sure where that option might be.

Sessions Info

A session is a unique number assigned to a client (visitor). The unique number is also used as a filename in /tmp.

Because the client has the number on his URL (or in a cookie) you can keep track of what he/she wants/does by writing data to the session file. That data is also available in your scripts.

So in order for your sessions to work (file based) the PHP script (which is run by the webserver) needs write access to a directory (like /tmp).

If this directory lives WITHIN your document root (remotely accessible by a browser) it is a security threat, as people can actually read other people's session files in their browser.

Consider this:

http://www.yoursite.com/sessions/

If you had directory listings on I would get a nice list of all current sessions on your site at that moment. If I clicked one it would show me the contents, and if I copied it and used it as my own session I could impersonate that specific user... (session hijacking)

If it lives OUTSIDE the doc root you cannot reach it from the outside world. The webserver itself can.

So find out who your webserver runs as (Linux is usually nobody from group nobody) and change ownership (chown) of the dir to that. Next you chmod it 700, which makes it only accessible to that user/group.

It is up to you where you want to store your sessions, MySQL or files. The MySQL option is offered for shared hosting accounts where loads of people use the /tmp directory, making the chance of session hijacking or session mistakes bigger.

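The three conditions the quoted wiki text sets out for file-based sessions (the session directory outside the document root, owned by the account the webserver runs as, and mode 700) can be checked mechanically. The script below is an added example for this thread, not from the osCommerce wiki or from anyone posting here. It assumes three arguments: the document root, PHP's session save path, and the webserver account (the "nobody" user in the quoted text); the path /var/lib/php/sessions in the usage line is only a placeholder. It also looks at the individual sess_* files, which PHP creates with that name prefix, since on a shared host a file that is readable by other local accounts is the same exposure as a directory inside the document root.

```shell
# Added example (not from the osCommerce wiki or this thread): audit a
# file-based PHP session directory against the advice quoted above.
# Run it as root (or as the webserver account) so the directory can be read.
# Assumed arguments: document root, session save path, webserver user name.

# check_session_dir DOCROOT SESSION_DIR WEB_USER
# Prints one line per check; returns 0 when every check passes, 1 otherwise.
check_session_dir() {
    docroot=$1 sessdir=$2 webuser=$3
    rc=0

    # Resolve both paths to absolute, symlink-free form so the "inside the
    # document root" test cannot be fooled by ../ or a symlink.  The session
    # directory is resolved via its parent so a 700 directory owned by another
    # account can still be located.
    docroot_abs=$(cd "$docroot" 2>/dev/null && pwd -P) ||
        { echo "FAIL: document root $docroot is not a readable directory"; return 1; }
    parent_abs=$(cd "$(dirname "$sessdir")" 2>/dev/null && pwd -P) ||
        { echo "FAIL: parent of $sessdir is not a readable directory"; return 1; }
    sessdir_abs="$parent_abs/$(basename "$sessdir")"
    [ -d "$sessdir_abs" ] ||
        { echo "FAIL: session directory $sessdir_abs does not exist"; return 1; }

    # 1. The session directory must not live under the document root;
    #    otherwise a browser could fetch other visitors' session files.
    case "$sessdir_abs/" in
        "$docroot_abs"/*)
            echo "FAIL: $sessdir_abs is inside document root $docroot_abs"; rc=1 ;;
        *)
            echo "ok:   session directory is outside the document root" ;;
    esac

    # 2. It must be owned by the account the webserver runs as (chown).
    #    -prune stops find from descending, so only the directory itself is tested.
    if [ -n "$(find "$sessdir_abs" -prune -user "$webuser" -print 2>/dev/null)" ]; then
        echo "ok:   owned by $webuser"
    else
        echo "FAIL: $sessdir_abs is not owned by $webuser"; rc=1
    fi

    # 3. Mode must be exactly 700 so no other account can list or read it (chmod 700).
    if [ -n "$(find "$sessdir_abs" -prune -perm 700 -print 2>/dev/null)" ]; then
        echo "ok:   mode is 700"
    else
        echo "FAIL: $sessdir_abs is not mode 700"; rc=1
    fi

    # 4. Session files themselves (PHP names them sess_<id>) should be 600;
    #    anything looser is readable by other local accounts on a shared host.
    loose=$(find "$sessdir_abs" -type f -name 'sess_*' ! -perm 600 -print 2>/dev/null || true)
    if [ -n "$loose" ]; then
        echo "FAIL: session files with mode other than 600:"; echo "$loose"; rc=1
    else
        echo "ok:   no session files with loose permissions"
    fi

    return $rc
}

# Usage (paths are placeholders): sh check_sessions.sh /var/www/html /var/lib/php/sessions nobody
if [ "$#" -eq 3 ]; then
    check_session_dir "$@"
fi
```

The directory tests use `find -prune` with `-user` and `-perm` rather than parsing `ls -l` or `stat`, because those find primaries behave the same on Linux and BSD-derived systems. The save path to feed in is whatever PHP reports as session.save_path for the account; on a shared host that is typically /tmp, which is exactly the case the wiki text recommends moving away from, either to a private directory or to MySQL-backed sessions.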

Well, now that I got my SSL cert installed by my host the session seems to be working correctly, but I have some weird DNS things going on.

At my real job we have terminals off a server with internet access (I am typing this on it). When I try and go to my site without SSL I get a 404. When I go to my site from my laptop I get through OK and ALL seems well. Can someone look and see if you can get through?

http://www.ripperracing.com/mall/catalog


Thanks! I figured out what was happening. Although I never did get the session to hold using my provider's SSL cert, it worked fine when I got my own and had them install it. But what happened was my IP must have changed from my old unsecured site to the new one with a redirect of some sort; only text was showing up but no pictures.

My webhost gave me the raw IP number and it worked fine with HTTP and HTTPS, so I figured I would wait to see if the DNS would get updated, and I guess it did.

And there you have it, my cart is up; just some new buttons and graphics and it will be good to go.

Thanks guys.


Hi Mike,

Yeah, your site seems to work OK.

I like the way you've done your header image, how did you insert that? I've tried various header backgrounds myself but they never seemed to fit properly.

Cheers. :)


I inserted it into header.php in place of the stock one.

<table border="0" background="/images/topbackground.jpg" width="100%" cellspacing="0" cellpadding="0">
  <tr class="header">
    <td valign="middle"><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image(DIR_WS_IMAGES . 'ripperheader.jpg', 'RipperRacing') . '</a>'; ?></td>
  </tr>
</table>

But you have to upload the files to the right directory in images; it took me like an hour to figure it out. I have 2 files up there: one is the logo "ripperheader.jpg" and the other one is a very thin "background" image (like 2 or 3 pixels wide, which makes it a quick download), the same height as the regular logo, but it repeats across the top because it's the background for the entire table.
