Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

Big SSL problems.


Recommended Posts

I am trying to set up osCommerce on a server I am hosting.


I'm using a Win XP box, running Visnetic Website, obviously configured with php and mysql.


I've been over the config files and set them all up to the point that I am confident I didnt miss any settings.


For the most part the site runs fine, until I go to a secure page (for the sake of argument, the user login page). The site switches over to the https address, but no lock appears in the bottom right corner of the browser.


The reason, it seems, is because the site is not setting the BASE URL to the secure address, instead setting it to the unsecure one. If I manually hard code these values, then the pages do show up as secure. This seems to be because with the BASE URL set to the standard http address, the css and images files are called unsecure, and as such cannot be loaded as secure. I'm not sure of why, but IE isnt throwing up an error saying there is mixed content ... its just not showing that lock logo in the browser.


After a long look aroud, I discovered that the isapi version of PHP doesnt allow the use of getenv(), meaning that all of the calls to find out the status of the site security come back empty. So, I figured that was the problem.


So, instead of changing the files around, I just switched my server back to use the CGI version or PHP, thus enabling that comand and fixing the problem. Except ... it still doesnt work.


I'm just in desperate need of a solution guys. Any help you can give would be great.


The site is at http:\\www.smartabase.com.au, and the secure site is https:\\update.smartabase.com.au


Just in case you are wondering if the security certificate is actually working ... https:\\update.smartabase.com.au\test


For testing purposes, you can log in as :


[email protected]



Any solutions or suggested would be greatly appreciated. Also, in case it is needed, can anyone give me a list of the main php pages that need to be called as secure. For example, login.php. I can manually hard code the values if need be.


Thanks for reading this far. :rolleyes:

Link to comment
Share on other sites

Have you tried simply commenting out the "<base href=" tag (the whole line) in all of the PHP files in your webroot (/catalog or /)?

it sounds like you already proved that that works by hardcoding it.


Try it first on a few like account.php and login.php and see if that gets you the ssl lock that you are looking for.

the pages don't really need the base reference tag anyway as the server will figure out what the actual base is.


if that works, just comment it out in all of the php files.

Link to comment
Share on other sites

lostinOR - THANK GOD I am not the only one having this issue. Was beginning to think I was just loosing my mind.


fmerrill - Thanks for the suggestion. I'll give it a go and post back with the results.

Link to comment
Share on other sites

fmerrill - Fantastic. That seems to patch everything up happily.


I cant help but feel that something is still not quite right with the setup and running of the site, but I cant really see any problems thus far.


So for now I guess its just a site-wide find and replace of the line


<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">




<!-- <base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>"> //-->


I suppose I could just delete the lines, but .. who knows .. I might need to put them back at some stage.


Thanks a bunch for the help guys. Great stuff. :D

Link to comment
Share on other sites

I am having the same problems now. I see that on your site stryks that the lock disappears in IE when entering secure site... have you made the above changes?

Link to comment
Share on other sites

dspan - Yeah, the above worked for me. The pages dont appear to work on the test URL because I have only changed one file on that site, that file being login.php


I'm going to go through and change them all ... I've just been testing on a different server.


As I said though, it all seems to work with the above changes.

Link to comment
Share on other sites

  • 2 weeks later...

I've got the same problem. I've set my config. files to point to my https.

My shop switches to the https when you go to checkout, and switches back when you return to the main store. The address for the checkout pages shows up as https, good!



no lock.

I tried the fix above on the checkout_shipping.php, but no lock.

actually, my "base href" line looks like this:


<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">


I tried removing it, but no lock.


any ideas?

Link to comment
Share on other sites

the commenting out or removing trick isn't working for me.

maybe it's because my basehref line is different. mine says.


<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">


i think i'm using version 2.1, it was installed by my webhost.


any ideas?



noah d.

Link to comment
Share on other sites

hey marco, i'm obviously new at this, but if you pretend to be a customer on your site (register buy something, and checkout), you can see what secure (https) pages you go through in the address bar on your browser. i'd assume those are the ones that you alter the code on.


of course, i could be completely wrong, i can't get the lock at all.


good luck,

noah d.

Link to comment
Share on other sites

yeah, i get the secure lock and the https: by commenting out <base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">..., but for example, when i create a new account, click on continue, then it takes me to a Your Account Has Been Created! page, then i click continue, it takes me back to the main index page, and if i click on My Account it takes me back to the login page. If i log in as a returning customer and then click on My Account, it takes me back to the login page again. Am I doing something wrong? Can someone please help, thanks in advance!

Link to comment
Share on other sites

  • 3 weeks later...

Here's the simplest solution and I believe this fix should be carried forward in the next version of osCommerce, I'll post it in the suggestion section as well.


The osCommerce code uses the getenv() function to determine if we're in HTTPS mode. This according to PHP docs at php.net doesn't work in ISAPI mode. Soooooo, we have to use code that's a little uglier (but more portable)


Here's my change:


In the file includes/application_top.php


on or around line 42


REPLACE this line:

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';



WITH this line:

$request_type = ($HTTP_SERVER_VARS['SERVER_PORT'] == 443) ? 'SSL' : 'NONSSL';


Note that this assumes that your SSL port is using the default and standard 443. Don't know why anyone would change that. lol.


I tested it on my server and everything is back to normal. :)

Link to comment
Share on other sites



It occured to me since getenv() didnt work with ISAPI that this occurance in the code may not be the only problem with osCommerce. I read of other problems like IP addresses not being found etc... low and behold, getenv() is used a lot throughout the code so I went ahead and made most of the changes required to fix most of the problems.


Here's a link to the updates:



Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...