The SSL In OsCommerce Guide For The Innocent


Simplyeasier

I have my main site on a non ssl server and have shared SSL from my hosting company. They say put a copy of the site on the SSL server as well as the normal server. I have done this but now get errors such as thousands_point() function does not exist. If I go to checkout I get a similar error but a different function does not exist.

 

The code on each server is identical and I have checked again but the site will not work in secure mode only without SSL.

 

Any ideas or help please.

 

cheers

 

john

Link to comment
Share on other sites

  • 4 weeks later...

I have a strange issue with my private SSL that I think is a result of the settings in my configure.php file, but I am totally stumped. For security reasons, I can't show the code or the URL, so please PM me so I can send you the info.

 

I have two environments for my server:

1. Test

2. Production

 

The Private SSL in production works perfectly. That is, anytime a user goes from the catalog to My Account or checks out, they are properly redirected from the production HTTP_SERVER to the production HTTPS_SERVER.

 

The Private SSL in test does not work as expected. Anytime a user performs the same steps above, they are improperly redirected from the test HTTP_SERVER to the production HTTPS_SERVER. I need this set to point to the test HTTPS_SERVER so I can continue performing my integration tests.

 

Any help would be appreciated. Please PM me. :rolleyes:

Link to comment
Share on other sites


BUMP

Link to comment
Share on other sites

Does the below look correct, assuming I'm using a shared SSL?

define('HTTP_SERVER', 'http://www.mysite.com');

define('HTTPS_SERVER', 'https://ssl.perfora.net/mysite.com');

define('HTTP_SERVER_BREADCRUMB', 'http://www.mysite.com/catalog/index.php');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');

define('HTTPS_COOKIE_DOMAIN', 'https://ssl.perfora.net/www.mysite.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

That doesn't look right to me. The https path for a shared SSL should look more like 'https://ssl.perfora.net/~accountname'. Ask your provider what your link is for their shared SSL if you are not sure.

Link to comment
Share on other sites

Hi,

 

I'm sure someone here will have a solution for this one: since enabling SSL in my admin area I cannot download the CSV file produced when I export my orders.

 

Internet Explorer gives the error message

 

error.jpg

 

Any ideas?

 

Thanks

 

Dave

Link to comment
Share on other sites

I found some further info with regards this from Microsoft here http://support.microsoft.com/kb/316431

 

It says the resolution is:

 

RESOLUTION

Web sites that want to allow this type of operation should remove the no-cache header or headers.

 

I found that just adding this into exportorders.php fixed it, but I'm not sure what the repercussions will be

 

Regards

 

Dave

Link to comment
Share on other sites

  • 5 months later...

I've just installed an SSL certificate on my page. I've done everything said here, and my page is working fine. BUT..... there is always a But..... I cannot log in to my admin, and the shopping cart is not working: it does not load the products, and when it does, it doesn't remove them.

 

HEEEEEEEEEEELP!!!!

Link to comment
Share on other sites

  • 4 weeks later...

THANKS FOR ADDING THIS INFORMATION!

 

I've found something that might help too if anyone is having trouble with their pages not looking secure. I had installed my SSL certificate, and it seemed to be working ok on my "under construction" page that I called index.html. That page had an image sourced from another site that uses the same logo, but a different domain name. This didn't cause me to lose authentication. That page still received a locked padlock.

In my catalog, at index.php however, I was receiving a crossed out padlock, with a message attached that the site was secure, but not all information had been encrypted. As was mentioned before, this looks worse than not having SSL at all to a customer. Well after some trouble shooting I realized that it was an embedded .SWF that I was using as a header that caused any page with that header to give the warning message. When I moved the .SWF into my index.html, it caused that page to appear unsecure too, the original one that was working fine!

 

So, watch out when using flash or any embedded objects. I don't understand this fully but I guess embedded flash content doesn't play well with SSL encryption.

 

Feel free to correct me if I'm wrong about this.

Link to comment
Share on other sites

Need a little help.

 

I just went back to the original “How to install SSL on OSC: A Simple 1-2-3 Instruction” and followed the directions but I get no SSL showing unless I add the s to http://. Then when I hit the create an account button it goes right back to http:// unsecure.

 

This is what I have listed:

 

 

In catalog/includes/configure.php,

define('HTTP_SERVER', 'http://www.roaddawg5k.com');

define('HTTPS_SERVER', 'https://roaddawg5k.com');

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.roaddawg5k.com');

define('HTTPS_COOKIE_DOMAIN', 'roaddawg5k.com');

 

In admin/includes/configure.php

define('HTTP_SERVER', 'https://roaddawg5k.com/');

define('HTTP_CATALOG_SERVER', 'https://roaddawg5k.com/');

define('HTTPS_CATALOG_SERVER', 'https://roaddawg5k.com/');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

Am I missing something? Any help would be very much appreciated.

Link to comment
Share on other sites

earlier today I've resolved, or in fact my provider resolved an issue for which I believe others might run into as well

 

(when it comes to software I always say that no problem can be unique :rolleyes: )

 

It started with installing SSL and being happy that my first https pages such as login and cart were working. The exercise became quite frustrating when things weren't working for all the checkout pages: html, formats and layouts were completely gone, all that was left was a pile of rubbish on each page. Nobody had a clue about what was going on with OsC.

 

In the end it turned out it wasn't OsC. Instead it is a function used within OsC in the general.php called Eval for which the usage under https, together with using Suhosin (a protection system for php installations) is switched off at many providers for security and protection reasons.

Link to comment
Share on other sites

I believe I got everything set up properly but I'm not sure if this behavior is normal:

 

Browsing the entire site normally gives me http in the address bar. Once I click the my account link to login or checkout, it changes to https. Now that's good and all but once I return back to a different link other than the login page, all the pages still stay as https, even those that were http previously. Also, removing the 's' in https, even when logged in gives me the http link of the current page I'm viewing. Is this normal?

Link to comment
Share on other sites

/includes here

 

 

CODE

<?php

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.portagebeverage.com');

define('HTTPS_SERVER', 'http://www.portagebeverage.com');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'www.portagebeverage.com');

define('HTTPS_COOKIE_DOMAIN', 'www.portagebeverage.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/home/www/portagebeverage.com/catalog/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

define('DB_SERVER', 'supremecenter35.com');

define('DB_SERVER_USERNAME', 'massnaz_pbdb');

define('DB_SERVER_PASSWORD', 'rjpbdb321');

define('DB_DATABASE', 'massnaz_pbdb');

define('USE_PCONNECT', 'false');

define('STORE_SESSIONS', 'mysql');

?>

 

 

admin/includes here

 

 

CODE

<?php

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.portagebeverage.com');

define('HTTP_CATALOG_SERVER', 'http://www.portagebeverage.com');

define('HTTPS_CATALOG_SERVER', 'http://www.portagebeverage.com');

define('ENABLE_SSL_CATALOG', 'true');

define('DIR_FS_DOCUMENT_ROOT', '/home/www/portagebeverage.com/catalog/');

define('DIR_WS_ADMIN', '/catalog/admin/');

define('DIR_FS_ADMIN', '/home/www/portagebeverage.com/catalog/admin/');

define('DIR_WS_CATALOG', '/catalog/');

define('DIR_FS_CATALOG', '/home/www/portagebeverage.com/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

define('DB_SERVER', 'supremecenter35.com');

define('DB_SERVER_USERNAME', 'massnaz_pbdb');

define('DB_SERVER_PASSWORD', 'rjpbdb321');

define('DB_DATABASE', 'massnaz_pbdb');

define('USE_PCONNECT', 'false');

define('STORE_SESSIONS', 'mysql');

?>

 

 

www.portagebeverage.com

I am using this code in an htaccess file in the root

 

RewriteEngine On

RewriteCond %{SERVER_PORT} ^80$

RewriteRule ^(.*)$ https://www.portagebeverage.com/$1 [L,R]

 

The ssl certificate works fine. But I can not log into the Admin center.

If I delete the above code from the htaccess it allows me to log in.

Any suggestions?

Link to comment
Share on other sites

  • 1 month later...

I have installed my SSL cert and changed the config files, but the store side checkout/login pages do not go to https. I have searched and tried endless tips and tricks to fix this but I still have the problem.

 

I can manually edit the url to https to check the page is loading o.k. so all is good there.

 

 

Can anyone give me any pointers.

 

Config files seem correct: (admin)

define('HTTP_SERVER', 'https://mydomain.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers

define('HTTP_CATALOG_SERVER', 'https://mydomain.com');

define('HTTPS_CATALOG_SERVER', 'https://mydomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

and

(catalog)

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://mydomain.com/'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://mydomain.com/'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_MAIL_DOMAIN', 'http://mydomain.com');

define('HTTP_COOKIE_DOMAIN', 'mydomain.com'); // added this may need to remove

define('HTTPS_COOKIE_DOMAIN', 'mydomain.com');

define('HTTP_COOKIE_PATH', ''); // added this may need to remove

define('HTTPS_COOKIE_PATH', '');

define('DIR_WS_HTTP_CATALOG', '');

define('DIR_WS_HTTPS_CATALOG', '');

 

I am not sure if there could be an issue with html_output or application_top??!??!

 

Please help! :(

Link to comment
Share on other sites


Hi, I had the same problem. When you install osCommerce and it comes up with the locations of your webserver, change the settings to https and continue the install; this should solve the problem?

 

hope this helps

Link to comment
Share on other sites


Thanks for the reply.

 

I installed oscommerce some time ago and I am just about to go live. I am hoping that I won't have to start with a fresh install just to get my SSL working on the checkout/login pages but thanks for the suggestion.

 

Has anyone else got any simple solutions?

Link to comment
Share on other sites


I managed to resolve my problem and thought it was worth posting.

 

I also had configure.php files in admin/includes/local/ and catalog/includes/local/ (I believe this is for development use on local servers only). I removed the LOCAL folder from my webhost server which was good enough for one site. For my second site in addition to deleting the local folder, I had to take some of the data from these config files and add them to my main config files in admin/includes/configure.php and catalog/includes/configure.php.

 

This resolved my problems with getting the SSL to work on the checkout and admin pages and also my problem where my data was being pulled from my old database.

 

I am not 100% sure that this was the correct method but there is very little information on the net regarding the config files in the local folder...

 

Hope this helps someone...

Link to comment
Share on other sites

  • 2 weeks later...

I'm having the similar problem... Did you find a fix?

 

I believe I got everything set up properly but I'm not sure if this behavior is normal:

 

Browsing the entire site normally gives me http in the address bar. Once I click the my account link to login or checkout, it changes to https. Now that's good and all but once I return back to a different link other than the login page, all the pages still stay as https, even those that were http previously. Also, removing the 's' in https, even when logged in gives me the http link of the current page I'm viewing. Is this normal?

Link to comment
Share on other sites

  • 2 weeks later...
  • 9 months later...
What is (or Isn't) SSL ?

 

SSL stands for Secure Sockets Layer. This is technology derived in part from the military that encrypts data transfers across the internet. There are several flavours of SSL but the most prevalent one today is 128 bit encryption, but watch out 256 bit encryption is on its way!

...

...

...

Charles

 

Hello all,

 

I am currently looking for a hoster. In the case of one hoster, he can do up to 256 bit encryption. I suppose that this is more secure than 128 bit encryption. My questions:

  1. Is 256-bit encryption possible in osCommerce, without having to reprogram everything myself (something I am not able to do <_< )?
  2. Or should I ask this provider for 128-bit encryption?
  3. To what extent is it reasonable that 128 is cheaper than 256?
  4. What are the advantages and disadvantages of each of these 2 choices?

 

Thanks for advising!

JJ

Link to comment
Share on other sites

  • 2 weeks later...
What is (or Isn't) SSL ?

 

SSL stands for Secure Sockets Layer. This is technology derived in part from the military that encrypts data transfers across the internet. There are several flavours of SSL but the most prevalent one today is 128 bit encryption, but watch out 256 bit encryption is on its way!

 

For an e-trader, SSL encryption protects your customers' transaction details as they are passed back and forth between their browser and your server \ domain. The data encryption happens at one end using a key and is deciphered at the other end using an equivalent key. The permutations for how data can be encrypted are astronomical making it virtually theft and interference proof during transit.

 

SSL DOES NOT PROTECT your server from attacks, nor your admin or catalog from malicious hacks. In order to protect your server and files you need to use facilities such as firewalls, virus checkers, Apache and IIS user and password protection for directories and files.

 

Why Do I Need SSL ?

 

You need SSL if you are selling to the public for two very good reasons.

 

1) Your customers expect it - As surfers become more sophisticated they look at your site and want to make sure their details will be safe should they order products. SSL seals are part - but a big part - in that re-assurance process. If the choice between two sites comes down to which offers transaction security - do you want to be the site that misses out ?

 

2) Even if you have unsophisticated customers who do not look for SSL encryption before they buy - if the data they send you is intercepted and misused - you could land up being in heavy lawsuits for amongst many other things negligence. This is a small possibility - but do you want to take the risk ?

 

How Does SSL Work With OsCommerce ?

 

The workings of SSL with osCommerce are quite straightforward.

Once your SSL is installed - see sections below, you set the configuration paths for https:// in catalog/includes/configure.php and admin/includes/configure.php, enable SSL and the code takes care of the rest.

 

If you look through the code you will see example after example of statements that refer to SSL where osC is making a decision based on request type as to whether to display the secured or non secured pages.

 

In short neither you nor your customers has to type in https:// into the address line to get to secure pages. osCommerce will identify from the configuration if SSL is installed and direct browsers to the correct page depending on what the browser is doing on your site.

 

How Do I Get SSL ?

 

1) Surf and find a Certificate issuer you feel happy with where you buy your SSL certificate for a period of time (1 year, 2 years, etc.)

 

Things to look out for are

 

a) They own or have a trusted root in most browsers.

 

All browsers come pre-installed with so called Trusted roots.

 

These prevent Joe Shmoe and his cousin Joe Bloggs from issuing worthless certificates that cannot do the encrypting to unsuspecting buyers.

 

To see trusted roots if you use IE go to Internet Options under tools and select the content tab where you will see in the middle section all the trusted root certs installed on IE and their issuers.

 

b) If they don't have a trusted root in most browsers make sure they have a cert known as a chaining cert that links whatever they sell to you with a trusted root.

 

What is the difference -

 

Trusted root sellers are EXPENSIVE and very well recognised brands.

 

Chaining certs are affordable - They are still 128 bit encryption hence no less secure - but the brands are less well known.

 

2) Get your host to raise a CSR (Certificate Signing Request) - To do this the host will need certain information from you, especially if they are not also your registrar. Such info will be your domain's registered administrator. This info will be required by the SSL issuer. Along with the CSR they also generate a key that will be used to encrypt and decipher data transmissions from your server \ domain.

 

Things to look out for are

 

Your certificate will encrypt data in a very precise way - if the cert is issued to www.yourdomain.com it will NOT encrypt transfers between yourdomain.com and browsers and vice versa.

 

So make sure you instruct your host to get the CSR raised with the correct AND full name of the domain you want to be encrypted.

 

I normally use the domain name without the www. qualifier because servers for a number of reasons can strip the www. off, but I have yet to see a server add it on without a deliberate redirect.

 

3) Send the CSR to your cert issuer who will vet the details and write to the administrator noted when the CSR was raised.

 

4) Assuming you are the administrator of your domain - you will have to acknowledge the mail from the issuer and OK the SSL.

 

5) The issuer will raise a SSL cert and send it to you. If you are using a chaining issuer they will also send a chain certificate.

 

6) Send these to your host who will install as follows :

a) The SSL cert will be installed in a directory on your server along with the chaining certificate if applicable.

b) They will also install the key they generated in step 2 above.

c) They will then add certain statements known as directives to your Apache configure files. These tell Apache that the site has SSL encryption certification.

 

Making SSL Work With The Catalog and Admin

 

In order to make SSL work with osCommerce you need to set the correct configuration paths in

 

a) catalog/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://yourdomain.com'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');

define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

b) admin/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');

define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

* Note the assumptions above - The certificate was issued WITHOUT the www. qualifier and this shop is installed in Catalog directory ONE level below root.

 

In normal working - these changes above will result in a small padlock being shown in the bottom right of your browser status bar when you navigate to a secure page AND your address line will show the https:// URL instead of http://

 

Trouble Shooting

 

1) Security Alert

 

The alert box says info you exchange with this site cannot be viewed or changed by others. However there is a problem with the sites security certificate.

 

The box has 3 levels of alert

 

a) The certificate is from a trusted certifying authority - Green tick for good or Red cross for bad will show

b) The security certificate date is valid - Green tick for good or Red cross for bad will show

c) The name on the security certificate is invalid or does not match the name of the site - Green tick for good or Red cross for bad will show

 

If the problem is a) then you need to take account of How Do I Get SSL point 1 above !

If the problem is b) you need to extend the certificate's validity - refer to the issuer.

If the problem is c) Your certificate has probably been issued with or without the www. and you have used the other spelling in your configure files. Make sure the cert name as issued is used in the configure.php files. (See How Do I Get SSL point 2 above)

 

2) This page has both secure and insecure items

 

This alert appears if the secured page the browser is trying to show has objects or references that point to non secured domains.

 

So for instance if you had a graphical image of credit cards as processed by your gateway and say you were hotlinking to the images with a piece of code such as <img src="http://mycreditcardprocessor.com.....> That image is not on your encrypted domain hence the alert would show.

 

Often this problem will appear from one or more of three sources

 

a) Where you are hotlinking images for your products from the wholesalers server

b) objects in your footer

c) objects in your boxes in the columns

 

3) Page 404 (unavailable)

 

If you set your site up and during install you choose SSL security WITHOUT having done the stuff in here you may get 404's when you try to access secured pages.

 

Wrapping Up

 

1) Self issued certificates

 

Some people have dedicated servers and even on some shared server you can raise a self issued SSL certification. This does everything as above except the certificate root does not exist in browsers. Therefore your site may be secure (although I do not profess to know if self certificates offer 128 bit encryption), BUT your site visitors will ALWAYS get the alert in Trouble Shooting point 1.

 

Even though the alert says the site is safe, this is perhaps worse than not having a certificate as it alerts people to the fact that there is a problem with the certificate - and people do not like problems !!!

 

2) Shared SSL certificates

 

Talk to your host for the path you need to apply in your configure.php paths

 

Charles

 

 

Thanks Charles. That is very thorough and I'm good at following directions, but the problem I'm having is that when I go to alter the code to provision the changes for SSL, I have to set file permissions from 444 in FileZilla. Once I do that I get the error message on my site: "Warning, I am able to write to the configuration file......" I can't get rid of that pink bar, nor can I change my file permissions back to 444. What do you think? Thank you for any assistance.

Link to comment
Share on other sites
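
An added example, not part of the original thread or of osCommerce: a Python check for catalog/includes/configure.php that flags the misconfigurations visible in the configs posted earlier in this thread (an HTTPS_SERVER that still says http://, a cookie domain that contains a URL) and the certificate-name mismatch from the guide's Trouble Shooting point 1c. The sample configs use constructed example.com hostnames, and the function names and finding codes are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'literal string') and define('NAME', true|false).
# Computed values such as DIR_WS_IMAGES . 'icons/' are deliberately skipped.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*"
    r"(?:'(?P<text>[^']*)'|(?P<flag>true|false))\s*\)",
    re.IGNORECASE,
)

def parse_defines(php_source):
    """Return {constant: value} for literal string/boolean define() calls."""
    values = {}
    for m in DEFINE_RE.finditer(php_source):
        if m.group("flag") is not None:
            values[m.group("name")] = m.group("flag").lower() == "true"
        else:
            values[m.group("name")] = m.group("text")
    return values

def domain_matches(host, cookie_domain):
    """True if a browser would accept cookie_domain for a response from host."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def audit_catalog_config(php_source, cert_name=None):
    """Return a list of finding codes; an empty list means no issue was found.

    cert_name is the exact host name the certificate was issued to
    (wildcard certificates are not handled in this example).
    """
    cfg = parse_defines(php_source)
    findings = []
    https = urlsplit(cfg.get("HTTPS_SERVER", ""))
    # ENABLE_SSL is a boolean in the catalog file; accept the string form too.
    if cfg.get("ENABLE_SSL") in (True, "true") and https.scheme != "https":
        findings.append("HTTPS_SERVER_NOT_HTTPS")
    for scheme in ("HTTP", "HTTPS"):
        server = cfg.get(scheme + "_SERVER", "")
        cookie_domain = cfg.get(scheme + "_COOKIE_DOMAIN", "")
        catalog = cfg.get("DIR_WS_" + scheme + "_CATALOG", "")
        host = urlsplit(server).hostname
        if "/" in cookie_domain:
            # A cookie Domain is a bare host name, never a URL or a path.
            findings.append(scheme + "_COOKIE_DOMAIN_NOT_A_HOSTNAME")
        elif cookie_domain and host and not domain_matches(host, cookie_domain):
            # The browser drops a cookie whose Domain does not cover the host.
            findings.append(scheme + "_COOKIE_DOMAIN_MISMATCH")
        if server.endswith("/") and catalog.startswith("/"):
            # Server and catalog path are joined to build links: "//" results.
            findings.append(scheme + "_DOUBLE_SLASH")
    if cert_name and https.hostname and cert_name.lower() != https.hostname:
        findings.append("CERT_NAME_MISMATCH")
    return findings

# Constructed sample following the layout the guide recommends.
SAMPLE_GUIDE = """<?php
define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://example.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.example.com');
define('HTTPS_COOKIE_DOMAIN', 'example.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
?>"""

# Constructed sample: SSL enabled but the "secure" server is plain http.
SAMPLE_PLAIN_HTTP = SAMPLE_GUIDE.replace(
    "'https://example.com'", "'http://www.example.com'"
).replace("'HTTPS_COOKIE_DOMAIN', 'example.com'",
          "'HTTPS_COOKIE_DOMAIN', 'www.example.com'")

# Constructed sample: shared SSL host with a URL pasted into the cookie domain.
SAMPLE_SHARED = SAMPLE_GUIDE.replace(
    "'https://example.com'", "'https://ssl.example.net/~accountname'"
).replace("'HTTPS_COOKIE_DOMAIN', 'example.com'",
          "'HTTPS_COOKIE_DOMAIN', 'https://ssl.example.net/www.example.com'")

if __name__ == "__main__":
    for label, source in (("guide", SAMPLE_GUIDE),
                          ("plain http", SAMPLE_PLAIN_HTTP),
                          ("shared", SAMPLE_SHARED)):
        print(label, audit_catalog_config(source, cert_name="example.com"))
```
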

  • 1 month later...

Hi,

 

I am wondering if somebody could tell me if the following setup would work or create any problems:

 

I have several domains for which I plan to host a few different oscommerce instances. They will all be originating

from the same ip and same box, so for http traffic I will be using apache virtual hosts.

 

Now for https I plan to buy a certificate for one of my domains, lets call it "secure-checkout.com"

 

So each domain will have 1 website/catalog assigned through http,

 

domain1.com -> /catalog1

domain2.com -> /catalog2

domain3.com -> /catalog3

 

 

Now when users from each website access a https area I plan on redirecting them to "secure-checkout.com" for which I will

have a certificate.

 

Since all my catalogs are on the same box then the below setup will also work

secure-checkout.com/catalog1

secure-checkout.com/catalog2

secure-checkout.com/catalog3

 

Now here is my question, in the configuration if I set all my https traffic to secure-checkout.com but keep my http traffic

to individual domains will this create any problems?

 

Example

 

 

 

http://domain1.com/catalog1 => https://secure-checkout.com/catalog1

http://domain2.com/catalog2 => https://secure-checkout.com/catalog2

http://domain3.com/catalog3 => https://secure-checkout.com/catalog3

 

 

Any comments or thoughts would be very appreciated, thanx guys

Link to comment
Share on other sites

I got a question, I have everything else setup in the configure.php like is described below except for the following:

 

define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

I don't have the site setup in a catalog folder, it is installed directly in the public_html folder. Does that make a difference and do I need to change "catalog" to something else like root directory or public_html?

 

Thanks

 

Joe

Link to comment
Share on other sites

Probably need to use:

 

define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 


Link to comment
Share on other sites

We recently got the SSL installed on one of our website : www.bongsnbongs.com

 

but we keep on getting the error that the site contains both secure and insecure links after I click on any product which comes in an HTTPS URL, as there are some HTTP links also.

 

I recently checked another good Oscommerce website http://www.mrgadget.com.au/catalog/

and for SSL which comes after Checkout it goes to

 

https://secure.mrgadget.com.au

 

Also NOTE that the error for secure and insecure links do not come even in IE although the links on this website have both HTTP and HTTPS .

 

My Query is :

1) They have the SSL for "secure.mrgadget.com.au" and not for "www.mrgadget.com.au". Is it better to have the SSL like this instead of the complete URL?

2) Why does this website not have the secure and insecure prompt, though if you check the source it has both HTTP and HTTPS links?

3) How to enable SSL only on CHECKOUT?

4) How is it possible that they have all the product and category links as HTTP even if they are in the HTTPS domain?

 

Any inputs from you are appreciated.

Link to comment
Share on other sites
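
An added example, not from the thread: a Python scan of a page's HTML for the embedded items behind the "both secure and insecure items" alert described in Trouble Shooting point 2 and in the posts above about the .SWF header and about pages mixing HTTP and HTTPS links. It reports only sub-resources the browser fetches while rendering (images, scripts, stylesheets, frames, Flash objects); ordinary <a href> links to http:// pages are not fetched and do not raise the alert. The sample HTML, hostnames and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose URL the browser loads as part of the page.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("input", "src"), ("object", "data"), ("link", "href"),
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, absolute_url) for sub-resources loaded over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url      # replaced if the page has <base href>
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # An http:// base turns every relative reference insecure.
            self.base_url = urljoin(self.page_url, attrs["href"])
            return
        for attr, value in attrs.items():
            if not value:
                continue
            # Flash embeds also name the movie in <param name="movie" ...>.
            flash_param = (
                tag == "param" and attr == "value"
                and (attrs.get("name") or "").lower() in ("movie", "src")
            )
            if (tag, attr) not in SUBRESOURCE_ATTRS and not flash_param:
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue              # only stylesheets count as sub-resources here
            resolved = urljoin(self.base_url, value)
            if urlsplit(resolved).scheme == "http":
                self.insecure.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return insecure sub-resources of an https page (empty for http pages)."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure

# Constructed checkout page: one hotlinked card logo and one Flash header.
SAMPLE_PAGE_URL = "https://example.com/catalog/checkout_payment.php"
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="stylesheet.css"></head><body>
<a href="http://www.example.com/catalog/index.php">Back to catalog</a>
<img src="images/logo.gif">
<img src="http://cards.example.net/visa.gif">
<object data="http://www.example.com/header.swf">
  <param name="movie" value="http://www.example.com/header.swf">
</object>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(tag, url)
```
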

Archived

This topic is now archived and is closed to further replies.
