398 replies to this topic

[DiMiT]

I tryed that little env.php thingy but it will only run from /secure directory otehr wise not found so I have screwed something somewhere
I also deleted the files outta secure as I have been reading and it seems I shouldn't have to move any files

I would really like some tips or help on this as I am gonna have a heart attack soon :/

sorry for being so dramatic
just very frustrating

[chrisytsma]

Dimit, you shouldnt have to move any files. I dont understand your exact situation. Do you own the domain airsoftkelowna.com? And are sharing a server or somehting? I dont get it. But try using only one domain.

Make your configure.php look like this, maybe it will work

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.securewebexchange.com/airsoftkelowna.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.securewebexchange.com/airsoftkelowna.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', www.securewebexchange.com/airsoftkelowna.com');
define('HTTPS_COOKIE_DOMAIN', 'https://www.securewebexchange.com/airsoftkelowna.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/airsoftkelowna.com/catalog');

Or try usig only one domain at a time. try that for both domains.

DOES ANYONE KNOW HOW TO MAKE THE ADMIN SSL WORK?

PLEEEEEEEEEEEEEEEEAAAAAAAAAAAAASSSSEEEEE!!!

Chris

[DiMiT]

that didnt seem to work yes I own domain airsoftkelowna.com

I don't know what else you would like me to include to give more insight into my problem other than my mental record :/

[jerryau]

Hi,

I have used Fantastico to install osCommerce on my host. The system is installed under catalog directory (e.g. http://myhost.com/catalog). The problem is when I try to access a page under HTTPS (e.g. login.php) -- I get a page not found error. I have generated my own certificates on my host, pointing to "myhost.com". How should I setup the paths in those files correctly? Any ideas how to make all this work?

Thanks,
Jerry

[chrisytsma]

jerryau, on Nov 10 2005, 06:07 PM, said:

Hi,

I have used Fantastico to install osCommerce on my host. The system is installed under catalog directory (e.g. http://myhost.com/catalog). The problem is when I try to access a page under HTTPS (e.g. login.php) -- I get a page not found error. I have generated my own certificates on my host, pointing to "myhost.com". How should I setup the paths in those files correctly? Any ideas how to make all this work?

Thanks,
Jerry

I hope this answers your question...
I posted this a little whiles back.

I have a bit of info that may be useful to some.

There are 3 files that I had to edit in order for my SSL to work properly. So far (and i may be mistaken), I have only seen 2 main files being mentioned. (and of course catalog/includes/application_top.php for checking if ur server settings match the ur code.)

Here are the files I had to edit:
1. admin/includes/configure.php
2. catalog/includes/configure.php
3. catalog/includes/local/configure.php

Once I editted all three of them, it worked flawlessly.

My Conficuration:
Godaddy certificate.
Hosted with Hostexcellence.com
osCommerce 2.2

And follow the info given on the first couple posts of this thread for instructions on how to edit the files.

Chris

[Darkstar3D]

chrisytsma, on Nov 9 2005, 01:17 AM, said:

DOES ANYONE KNOW HOW TO MAKE THE ADMIN SSL WORK?

PLEEEEEEEEEEEEEEEEAAAAAAAAAAAAASSSSEEEEE!!!

Chris

http://forums.oscommerce.com/index.php?sho...c=151162&st=20# works for me

[chrisytsma]

Darkstar3D, on Nov 13 2005, 01:31 PM, said:

http://forums.oscommerce.com/index.php?sho...c=151162&st=20# works for me

Thanks, I have tried everything i could find on this thread.

Mostly, people seemed to have solved the no admin ssl problem by changing the admin/configure.php file as ffollow:

change the top http server ssetting
define('HTTP_SERVER', 'http://www.mysite.com');
to
define('HTTP_SERVER', 'https://mysite.com');

Sadly, this didn't work for me.

I tried all types of different configurations too in the config file for admin. nothing works.

I even tried the getenv tests that AlanR posted and my server does respond to 'on' so i have no need to change my code in application_top.php.

I am still at a loss and have no clue how to simply get the admin ssl working correctly.

I followed the instructions on the first post over and over, looking for errors. Obviously that post is good but incomplete in its claims. At least for me...

Still looking for a help!

here is my admin/configure.php

  define('HTTP_SERVER', 'http://www.mysite.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
  define('HTTP_CATALOG_SERVER', 'http://www.mysite.com');
  define('HTTPS_CATALOG_SERVER', 'https://mysite.com');
  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
  define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
  define('DIR_WS_ADMIN', '/admin/');
  define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
  define('DIR_WS_CATALOG', '/catalog/');
  define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
  define('DIR_WS_IMAGES', 'images/');

Chris

[flood6]

I wanted to add another tip. This is mostly for people using DreamHost with their own secure domain (as in shared hosting with your own ssl), but the idea might work for someone else, too.

I had secure.mydomain.com as the https domain for mydomain.com . I tried every config tip I could find and nothing worked. Every time I clicked on a secure link I would get "No input file specified". DreamHost was no help when I asked their tech support, either.

Now, when you set up a new domain (or subdomain) with Dreamhost they create a new directory in your home with the name of the domain or sub domain. After the directory has been created in your home, delete it...that's right delete the directory that was just created with the name you are going to use for a secure (https) domain. Then create a softlink called "secure.yourdomain.com" (or whatever the name of your secure domain is) that points to the folder "yourdomain.com" (the folder with all your osCommerce files). Then just follow the instructions all over the place for making sure your configuration file is correct. If you don't know how to create a symbolic link do a google search for "create symlink linux" and you should find the help you need.

I have no idea about what impact this has on security, I just know it works.

[AlanR]

A note to posters who are requesting help in this thread:

Please read the sticky at the top of the Tricks & Tips Forum:

http://forums.oscommerce.com/index.php?showtopic=30722

Quote

About this forum

1. This is not a support forum. Do not ask questions here.
2. Do not ask for tips or tricks to be posted.

There's a couple logical reasons for these rules.

1) People are not casually watching this forum for help requests.
2) Every post which is not a tip or trick but rather a request for help makes the thread itself less useful for future readers, they'll have to wade through all the muck to find the useful posts.

Questions and requests for help belong either in General Support or Installation and Configuration. I try not to answer questions in this forum unless they directly relate to something I've posted.

OK, enough lecturing...
=======================================

I recently received a question about the session id appearing in the address bar when a user is in the secure areas using shared ssl.

Quote

The session ID shows for the first product, then goes away. Then the session reappears in the URL for secure pages and remains on them. Goes away after I surf to regular pages. I'm assuming this is https cookie in my config file, but I've tried a bunch of things.

That's exactly the way it works for anyone using a shared ssl setup. The browser can not read a cookie issued by a different domain, this is basic internet security. (There was a bug in an early version of Windows IE which could be exploited to fool the browser if a site carefully set for the exploit, knowing the targets, it's since been fixed.)

So when your browser switches to secure.somehost.com/your_user_id the browser is looking at secure.somehost.com, it's not permitted to read cookies set for yourdomain.com and shouldn't even acknowledge that such a cookie exists. Therefore osC puts the session id in the url while you're in secure sections. It is the same for everyone and it's the reason why force cookie use always fails on setups using shared ssl, people always get the cookie usage page and ask why.

I don't think it's a big deal, the risk is small since it's only in the secure areas that the session id appears and there's very little chance a search engine could find an https address with the session id info. Search engines don't scan https addresses.

Edited by AlanR, 17 November 2005, 19:29.

[claybird]

Regarding the infamous message of "some items on this page are not secure...etc", and subsequently not getting the much desired padlock icon....

Thought I'd share my specifc problem in the event it might help someone else.

When you embed a flash animation you end up with a couple lines similar to:
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"
-and-
pluginspage="http://www.macromedia.com/go/getflashplayer"

I'd been stumped because despite the fact that everything on my site was local to the site and referenced with relative paths (including my swf flash animations), etc, I was still getting the warning that "some items on this page are not secure...".

Turns out those two lines listed above are enough to cause that problem. By changing each one to "https" my pages passed the security checks and I got my beloved padlock.

So, instead of the above lines you would need:
codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"
-and-
pluginspage="https://www.macromedia.com/go/getflashplayer"

Again, hope this additional check can help some other stumped coder some time.....

[AlanR]

claybird, on Nov 20 2005, 07:31 PM, said:

Regarding the infamous message of "some items on this page are not secure...etc", and subsequently not getting the much desired padlock icon....

When you embed a flash animation you end up with a couple lines similar to:
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"
-and-
pluginspage="http://www.macromedia.com/go/getflashplayer"

I'd been stumped because despite the fact that everything on my site was local to the site and referenced with relative paths (including my swf flash animations), etc, I was still getting the warning that "some items on this page are not secure...".

So, instead of the above lines you would need:
codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"
-and-
pluginspage="https://www.macromedia.com/go/getflashplayer"

Again, hope this additional check can help some other stumped coder some time.....

There's an even simpler solution. Make those Flash/Macromedia links like so:

codebase="//download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"
-and-
pluginspage="//www.macromedia.com/go/getflashplayer"

Leave out the http or the https completely. When the browser switches modes the urls will switch with it

[andytc]

I have SSL working on my site , but when i log-in to Admin , the first screen informs that me that "You are not protected by a secure SSL connection" (Bottom left) and displays a small un-locked padlock image.


I do have SSL and it works on the site with no problems.

The site was installed with fantastico and i chose the SSL option = "yes"


What steps do i have to take to cure this ?

[Sean416]

andytc, on Nov 21 2005, 01:25 PM, said:

I have SSL working on my site , but when i log-in to Admin , the first screen informs that me that "You are not protected by a secure SSL connection" (Bottom left) and displays a small un-locked padlock image.
I do have SSL and it works on the site with no problems.

The site was installed with fantastico and i chose the SSL option = "yes"
What steps do i have to take to cure this ?

I have this exact same problem, any help would be appreciated.

[AlanR]

andytc, on Nov 21 2005, 01:25 PM, said:

I have SSL working on my site , but when i log-in to Admin , the first screen informs that me that "You are not protected by a secure SSL connection" (Bottom left) and displays a small un-locked padlock image.
I do have SSL and it works on the site with no problems.

The site was installed with fantastico and i chose the SSL option = "yes"
What steps do i have to take to cure this ?

The reason for that is very simple.

Here's the code from /catalog/admin/index.php which flips that little padlock and its associated message on or off.

if (getenv('HTTPS') == 'on') {
	$size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');
	$contents[] = array('params' => 'class="infoBox"',
						'text' => tep_image(DIR_WS_ICONS . 'locked.gif', ICON_LOCKED, '', '', 'align="right"') . sprintf(BOX_CONNECTION_PROTECTED, $size));
  } else {
	$contents[] = array('params' => 'class="infoBox"',
						'text' => tep_image(DIR_WS_ICONS . 'unlocked.gif', ICON_UNLOCKED, '', '', 'align="right"') . BOX_CONNECTION_UNPROTECTED);
  }

You may need to change the (getenv('HTTPS') == 'on') part if you've changed it before to get ssl working. As to the wording of the message, I've yet to use a server which actually returns anything for (getenv('SSL_CIPHER_ALGKEYSIZE') so the message will be the one that BOX_CONNECTION_UNKNOWN points to in your language file.

By playing with those lines and your language file you can get any result you wish.

[AlanR]

I accomplished this:

[img]http://simbalala.com/remote/RC4.gif[/img]

on a dedicated ssl which requires (getenv('HTTPS') == '1') and changing the definition of BOX_CONNECTION_UNKNOWN in admin/languages/index.php

[nearmars]

mysite is www.mylarimar.com
The osc site seperately works in both secure and nonsecure mode.
THe problem is there is a totally seperate session created on the secure server, so session info (shopping cart contents) is not passed over.
i am using cookies both environments are setting their own cookies. i guess i could hack this and force it to create a cookie with the ssl server info, but it seem like there should be a better way of doing this.

here are my config settings:
define('HTTP_SERVER', 'http://www.mylarimar.com');
define('HTTPS_SERVER', 'https://mylarimar.securewebsite.net');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

BTW if i add the cookie_domain lines no cookies are written at all and each click generates a new session id.

Ok well, thanks for any help.

Mike

ps sorry for the double post if anyone is keeping track. i did not get any good answers when i started a new topic. cheers

[andytc]

Hi

I have Osc installed and running , the problem i have is the admin area.

if i log into admin via HTTPS , i get the the secure padlock symbol on the first page of the admin section. When i go into any admin section past the first screen the HTTPS disapperears.

How do i configure the admin to be secure throughout and use HTTPS ?

[jamesepain]

I think its only the checkout that uses SSL, not the admin area.
Besides, if you have a good password you should not need it.

[andytc]

My SSL works fine in the catalog area , but not in ADMIN ??

I've read this thread , searched , posted , but had no joy yet.

I've run the script posted by alanR , the mynev one , ran it on the https and http and eventually got the result of "443" , so i put that in catalog/includes/application_top.php ..... checked all the other files mentioned, but no joy in scuring the admin area.

I log into admin on HTTPS , get the padlock and the "you are protected by an unknown .....blah , blah" then when i enter any admin section other than the first screen i'm back to non-secure ????


any help

[andytc]

jamesepain, on Nov 28 2005, 10:55 AM, said:

I think its only the checkout that uses SSL, not the admin area.
Besides, if you have a good password you should not need it.

No , admin area can use it , thanks anyway