SSL

[osrw]

Hi, Please help me on SSL.

I tried to add my "shared SSL" to includes/configure.php file as:

 

define('HTTP_SERVER', 'http://pearli.com');

define('HTTPS_SERVER', 'https://XXX.XXX.net/~username/');

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'pearli.com');

define('HTTPS_COOKIE_DOMAIN', 'XXX.XXX.net/~username/');

 

I did a test purchase and found the https showing double // at : /~username//main/.... Then I went back to configure.php and got rid of this / after username as :

define('HTTPS_SERVER', 'https://XXX.XXX.net/~username');

define('HTTPS_COOKIE_DOMAIN', 'XXX.XXX.net/~username');

At this time, I logged off the PC and came back in.

I went back to the website again and tried to login. The system did not let me in as the existing user, I assumed that the https server did not have my login info from the http server, therefore, I tried to create a new user under https. I did several times but failed. I logged off again.

Now, I got these messages on my website:

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/username/public_html/main/includes/configure.php:48) in /home/username/public_html/main/includes/functions/sessions.php on line 67

 

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/username/public_html/main/includes/configure.php:48) in /home/username/public_html/main/includes/functions/sessions.php on line 67

 

Then, I modified the configure file as follows but afraid to try anything:

define('HTTP_SERVER', 'http://pearli.com');

define('HTTPS_SERVER', 'https://XXX.XXX.net/~username');

define('ENABLE_SSL', false); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'pearli.com');

define('HTTPS_COOKIE_DOMAIN', pearli.com');

 

Please help me to get rid of the warnings. Thank a lot.

[AlanR]

You had it almost right the first time

 

define('HTTP_SERVER', 'http://pearli.com');

define('HTTPS_SERVER', 'https://XXX.XXX.net/~username/');

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'pearli.com');

define('HTTPS_COOKIE_DOMAIN', 'XXX.XXX.net/~username/');

 

Leave off the slashes ie:

 

define('HTTPS_SERVER', 'https://XXX.XXX.net/~username');

define('HTTPS_COOKIE_DOMAIN', 'XXX.XXX.net/~username');

 

Oh yeah, be afraid. You might break the server, then you'll have to pay for it. :P

 

Here's how to fix the errors you created. http://wiki.oscommerce.com/WarnHeader

[osrw]

It worked. Thanks Alan.

Another problem. When I tried to log in, I have a list of duplicate entries at the end of the website with 'a session is active' warning and the system would not log me in.

 

Please advise on how to fix this problem.

 

1062 - Duplicate entry '7899118e2f59c4df9e9557d0bf11c1a8' for key 1

 

insert into sessions values ('7899118e2f59c4df9e9557d0bf11c1a8?osCAdminID=00f67e90e52bb1105b2d0d8d17b4142c', '1081208066', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationhistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:9:\"login.php\";s:4:\"mode\";s:3:\"SSL\";s:3:\"get\";a:2:{s:6:\"osCsid\";s:76:\"7899118e2f59c4df9e9557d0bf11c1a8?osCAdminID=00f67e90e52bb1105b2d0d8d17b4142c\";s:10:\"osCAdminID\";s:32:\"00f67e90e52bb1105b2d0d8d17b4142c\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}')

 

[TEP STOP]

 

1062 - Duplicate entry '7899118e2f59c4df9e9557d0bf11c1a8' for key 1

 

insert into sessions values ('7899118e2f59c4df9e9557d0bf11c1a8?osCAdminID=00f67e90e52bb1105b2d0d8d17b4142c', '1081208066', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationhistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:9:\"login.php\";s:4:\"mode\";s:3:\"SSL\";s:3:\"get\";a:2:{s:6:\"osCsid\";s:76:\"7899118e2f59c4df9e9557d0bf11c1a8?osCAdminID=00f67e90e52bb1105b2d0d8d17b4142c\";s:10:\"osCAdminID\";s:32:\"00f67e90e52bb1105b2d0d8d17b4142c\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}')

 

[TEP STOP]

 

 

Warning: Unknown(): A session is active. You cannot change the session module's ini settings at this time. in Unknown on line 0

[AlanR]

http://www.pearli.com/main/

 

Looks OK to me. Maybe you just need to clear your browser cache.

[osrw]

Hi, Alan:

Thanks for the testing. I cleared my browser cache and asked my sister to test it from a different PC. We both got the same error duplicate entries and warnings on our screens. (You need to scroll down the page to the bottom to see them) Of cause, my sister and I have different sid numbers.

 

After the account was created, the Welcome ?Guest? did not change to the login name. It remains ?Guest?, even though the customer name was created in the customer file under admin. However, it?ll change the ?Guest? (allow you to log in) to your login name when you check out.

 

I thought it might be due to the blank spaces and lines on the login.php. But I tried to delete the extra one line and blank characters after the ?> in login.php (with 755 permission), it would not save the change.

 

Please wave your magic wand and help me get rid of these unwanted error messages. Thanks again.

[AlanR]

I thought it might be due to the blank spaces and lines on the login.php. But I tried to delete the extra one line and blank characters after the ?> in login.php (with 755 permission), it would not save the change.

Now I got the error.

 

Before, I created an account and everything.

 

You've got to clean up that white space, you have no choce. How are you editing? Don't use the admin editor, edit the file locally and send it up in ascii.

[osrw]

I got rid of white space using notepad on both main/login.php and main/includes/language/english.login.php. The errors are still there.

 

What's next? Help!!

[osrw]

The error messages are still there, please see below. Should I modify SSL Session Id to true? Currently is set for false.

 

1062 - Duplicate entry 'b10ff4c15c3db9a8fedefa5b23d53399' for key 1

 

insert into sessions values ('b10ff4c15c3db9a8fedefa5b23d53399%3FosCAdminID%3D00f67e90e52bb1105b2d0d8d17b4142c', '1081206682', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationhistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:9:\"login.php\";s:4:\"mode\";s:3:\"SSL\";s:3:\"get\";a:2:{s:6:\"action\";s:7:\"process\";s:6:\"osCsid\";s:76:\"b10ff4c15c3db9a8fedefa5b23d53399?osCAdminID=00f67e90e52bb1105b2d0d8d17b4142c\";}s:4:\"post\";a:5:{s:6:\"osCsid\";s:80:\"b10ff4c15c3db9a8fedefa5b23d53399%3FosCAdminID%3D00f67e90e52bb1105b2d0d8d17b4142c\";s:13:\"email_address\";s:21:\"[email protected]\";s:8:\"password\";s:5:\"xxxxx\";s:1:\"x\";s:2:\"49\";s:1:\"y\";s:2:\"13\";}}}s:8:\"snapshot\";a:0:{}}customer_id|s:2:\"14\";customer_default_address_id|s:2:\"14\";customer_first_name|s:4:\"rose\";customer_country_id|s:3:\"223\";customer_zone_id|s:2:\"43\";')

 

Thank you in advance.

[AlanR]

Where did you find that? In application_top.php?

 

That's not normally a user set variable. Did you change it from 'true'?

 

Are your sessions set to 'mysql'

[AlanR]

You really should post the entire configure.php file minus the private info.

 

It's hard to work in the dark.

[osrw]

No, I did not set the session id to true.

Here is the entire main/includes/configure.php:

 

<?php

/*

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

*/

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://pearli.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://securex.dr2.net/~username'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'pearli.com');

define('HTTPS_COOKIE_DOMAIN', 'securex.dr2.net/~username');

define('HTTP_COOKIE_PATH', '/main/');

define('HTTPS_COOKIE_PATH', '/main/');

define('DIR_WS_HTTP_CATALOG', '/main/');

define('DIR_WS_HTTPS_CATALOG', '/main/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/home/roselwen/public_html/main/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

// define our database connection

define('DB_SERVER', 'localhost'); // eg, localhost - should not be NULL for productive servers

define('DB_SERVER_USERNAME', 'xxxxxxx');

define('DB_SERVER_PASSWORD', 'xxxxxxxx');

define('DB_DATABASE', 'xxxxxx');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

?>

 

The duplicate entry will be generated when you try to login. You need to scroll down the login page to the bottom to see them on the screen.

 

Thanks a lot.

[AlanR]

Ok, it's a setting in admin.

 

I'm not familiar enough with the code to easily trace this down but it looks like it's trying to set the sid twice.

 

Try going to admin and setting re-create session to true. It's in configuration -> sessions.

[osrw]

I changed the session id to true, unfortunately, the same error messages appear.

 

Should I change it back to false?

 

However, with or without the changes on session id, the "My Account" button works fine. It did not work on "log youself in".

 

Thanks

[osrw]

It did not work on "create an account" button either.

[AlanR]

I did a forum search and came up with this: http://www.oscommerce.com/forums/index.php?showtopic=77591&hl=

 

Search on "1062 - Duplicate entry" and you'll find more.

 

One obvious thing to try is in admin-> configuration->sessions set 'force cookie' to 'true' but this means the people with cookies turned off can't use the site.

 

Just a note:

 

When you're troubleshooting something and you make a change that does not help change it back.

 

Many novices make change after change without reverting and pretty soon they don't know what's up and what's down.

[osrw]

Hi, Alan:

The link you provided seems to have different duplicate entry contents. I could create users and place orders. It's the login process messed up the bottom of the screen with all those duplicate entries trying to insert into sessions values.

 

So I went to wiki's website and found "Sessions" under document admin-configuration-sessions (listed below) which I didn't fully understand.

Sessions:

A session is a unique number assigned to a client (visitor). The unique number is also used as a filename in /tmp

 

Because the client has the number on his URL (or in a cookie) you can keep track of what he/she wants /does by writing data to the session file. That data is also available in your scripts.

 

So in order for your sessions to work (file based) the php script (which is ran by the webserver) needs write access to a directory (like /tmp).

 

If this directory lives WITHIN your document root (remotely accessible by a browser) it is a security threat as people can actually read other peoples' session files in their browser.

 

Consider this:

 

http://www.yoursite.com/sessions/

 

If you had directory listings on I would get a nice list of all current sessions on your site on that moment. If I would click one it would show me the contents and if I would copy it and use it as my own session I could impersonate that specific user... (session hijacking)

 

If it lives OUTSIDE the doc root you can not reach it from the outside world. The webserver itself can.

 

So find out who your webserver runs as (linux is usually nobody from group nobody) and change ownership (chown) of the dir to that. Next you chmod it 700 which makes it only accessible to that user/group.

 

It is up to you where you want to store your sessions, mysql or files. The mySQL option is offered for shared hosting accounts where loads of people use the /tmp directory making the chance of session hijacking or session mistakes bigger.

 

 

Does it mean that if I set admin-config-sessions directory to /tmp, which I do, I cannot :

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

and the STORE_SESSION has to leave empty in my configure.php?

 

I really don't want to set 'force cookie' to true.

 

Please help...

[AlanR]

I've visited your site recently. Logged in and out a couple times and coudn't get the problem to re-occur.

 

I understand how sessions work. I did have a question though. What version are you running? When I look at your config file it's got slightly different identifiers at the top than the one in the MS2 release I keep a copy of locally. The reason I ask is that I was looking at the change log for MS2 (the document which describes changes from version to version) and the SSL Session Id seems to be something new introduced in MS2 as a security feature.

 

I was just wondering if you've mixed files from MS1 and MS2.

 

I just tried another log in and the problem is back. It's intermittent.

 

Go ahead and set Check SSL Session ID to true in admin and see what happens. You can always change it back.

[AlanR]

The admin and the catalog should run independently but I would not choose different session storage for the two. Set them both to 'mysql'. Who knows, you may have found some obscure bug by setting them differently.

[AlanR]

Oh, that is interesting. When I look at the url when attempting to log in it contains the

 

session id for the catalog and admin. How is the admin session ID sneaking in there? Three times?!?!

 

Definitely use the same technique for the two progams. Just use 'mysql'.

 

https://secure9.dr2.net/~roselwen/main/inde...bf137e3bd128%3F

 

osCAdminID%3D00f67e90e52bb1105b2d0d8d17b4142c%3F

 

osCAdminID%3D00f67e90e52bb1105b2d0d8d17b4142c%3F

 

osCAdminID%3D00f67e90e52bb1105b2d0d8d17b4142c

[osrw]

My version is MS2.

I tried SSL Session id to true, the same results as false. I set it back to false.

I'm not sure what path will make the two to point to the same directory. Should I modify admin-config-sessions' session directory from /tmp to /myspl?

[osrw]

I set the admin-config-sessions' session directory from /tmp to /mysql and the results are the same.

I'm getting 1 user sid and 2 admin id.

https://secure9.dr2.net/~roselwen/main/logi...2d0d8d17b4142c&

osCAdminID=00f67e90e52bb1105b2d0d8d17b4142c

 

I'll leave it to /mysql for now until you test it out.

Thanks

[AlanR]

Post the admin config file.

[osrw]

version is osCommerce 2.2-MS2

[AlanR]

Let's see the admin config.

[osrw]

here it is: admin-config-sessions:

 

Session Directory /mysql

Force Cookie Use False

Check SSL Session ID False

Check User Agent False

Check IP Address False

Prevent Spider Sessions True

Recreate Session False