
Simplyeasier

The SSL In OsCommerce Guide For The Innocent


Hi, I made a post a little while back. I got my SSL working great in my catalog. But I have a problem with SSL in my admin directory. Something is not configured correctly in my admin files.

I can log into my admin dir using https://mysite.com/admin. But once I click on a link, say 'configuration', it goes to http://mysite.com/admin/configuration.php...

Does anyone know, really know, what files need to be edited and how in the admin section?? This would really help since my store will launch soon and I don't want my customer's credit card info being transferred unencrypted....

Thank you very much in advance.

Chris :thumbsup:

Can anyone offer an answer?????? Someone has got to know, and it can't be that hard.... :D

Chris


Make sure you are using "HTTPS" as the URL type for the "HTTP_SERVER" config parameter in admin/includes/configure.php! :thumbsup:


osCommerce MS2

SPPC incl. Specials By Category, Prices By Category

Vendors, Easy Populate, UPS XML, USPS Methods


I am completely ripping my hair out on this, very confusing. All I get is 404 page not found when I try to

in my server Os it gives me

CONGRATULATIONS!

Your domain has been set up to use our generic SSL Certificate. To get to the "secure" area of your site, go to

https://www.securewebexchange.com/airsoftkelowna.com

Place any files you need to use over SSL in the "/secure" and "/secure-cgi-bin" directories that have been created for you in your home directory.

I have osCommerce installed at airsoftkelowna.com/catalog

I am completely bewildered

here is what I have for includes configure.php

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.airsoftkelowna.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.securewebexchange.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.airsoftkelowna.com');
define('HTTPS_COOKIE_DOMAIN', 'https://www.securewebexchange.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/airsoftkelowna.com/');


people please fill out your info ... I like to see the sites and it helps everyone help you greatly


do I physically hafta move certain files?

sorry for being a n00b


people please fill out your info ... I like to see the sites and it helps everyone help you greatly


so I copied the files from the catalog root to 'https://www.securewebexchange.com/airsoftkelowna.com/secure

and now I am getting just a blank page, no 404 error

and I do get the little lock but that's it

any help would be greatly appreciated


people please fill out your info ... I like to see the sites and it helps everyone help you greatly


I tried that little env.php thingy but it will only run from the /secure directory, otherwise not found, so I have screwed something somewhere

I also deleted the files outta secure as I have been reading and it seems I shouldn't have to move any files

I would really like some tips or help on this as I am gonna have a heart attack soon :/

sorry for being so dramatic

just very frustrating


people please fill out your info ... I like to see the sites and it helps everyone help you greatly


Dimit, you shouldn't have to move any files. I don't understand your exact situation. Do you own the domain airsoftkelowna.com? And are you sharing a server or something? I don't get it. But try using only one domain.

Make your configure.php look like this, maybe it will work

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.securewebexchange.com/airsoftkelowna.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.securewebexchange.com/airsoftkelowna.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.securewebexchange.com/airsoftkelowna.com');
define('HTTPS_COOKIE_DOMAIN', 'https://www.securewebexchange.com/airsoftkelowna.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/airsoftkelowna.com/catalog');

Or try using only one domain at a time. Try that for both domains.

 

 

DOES ANYONE KNOW HOW TO MAKE THE ADMIN SSL WORK? :D

PLEEEEEEEEEEEEEEEEAAAAAAAAAAAAASSSSEEEEE!!!

 

Chris


that didn't seem to work. Yes, I own the domain airsoftkelowna.com

I don't know what else you would like me to include to give more insight into my problem other than my mental record :/


people please fill out your info ... I like to see the sites and it helps everyone help you greatly


Hi,

 

I have used Fantastico to install osCommerce on my host. The system is installed under catalog directory (e.g. http://myhost.com/catalog). The problem is when I try to access a page under HTTPS (e.g. login.php) -- I get a page not found error. I have generated my own certificates on my host, pointing to "myhost.com". How should I setup the paths in those files correctly? Any ideas how to make all this work?

 

Thanks,

Jerry


I hope this answers your question...

I posted this a little while back.

I have a bit of info that may be useful to some.

There are 3 files that I had to edit in order for my SSL to work properly. So far (and I may be mistaken), I have only seen 2 main files being mentioned. (and of course catalog/includes/application_top.php for checking if your server settings match your code.)

Here are the files I had to edit:
1. admin/includes/configure.php
2. catalog/includes/configure.php
3. catalog/includes/local/configure.php

Once I edited all three of them, it worked flawlessly.

My Configuration:
Godaddy certificate.
Hosted with Hostexcellence.com
osCommerce 2.2

And follow the info given on the first couple posts of this thread for instructions on how to edit the files.

Chris


Thanks, I have tried everything I could find on this thread.

Mostly, people seemed to have solved the no admin SSL problem by changing the admin/configure.php file as follows:

change the top HTTP server setting
define('HTTP_SERVER', 'http://www.mysite.com');
to
define('HTTP_SERVER', 'https://mysite.com');

Sadly, this didn't work for me.

I tried all types of different configurations too in the config file for admin. Nothing works.

I even tried the getenv tests that AlanR posted and my server does respond to 'on' so I have no need to change my code in application_top.php.

I am still at a loss and have no clue how to simply get the admin SSL working correctly.

I followed the instructions on the first post over and over, looking for errors. Obviously that post is good but incomplete in its claims. At least for me...

Still looking for help!

here is my admin/configure.php

define('HTTP_SERVER', 'http://www.mysite.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.mysite.com');
define('HTTPS_CATALOG_SERVER', 'https://mysite.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
define('DIR_WS_IMAGES', 'images/');

 

Chris
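
An added example (not from any poster and not osCommerce code): a small audit of the configure.php settings this thread keeps returning to, namely the admin `HTTP_SERVER` scheme from the fix quoted above and the `*_COOKIE_DOMAIN` values seen in the catalog configs posted earlier. The function names and the sample hosts are hypothetical; the cookie-domain rule is the standard one that a cookie Domain is a hostname, not a URL.

```python
import re
from urllib.parse import urlsplit

# Literal define('NAME', 'text') / define('NAME', true) lines; expressions are skipped.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
# A cookie Domain is a hostname with an optional leading dot: no scheme, port or path.
HOSTNAME_RE = re.compile(r"^\.?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_defines(php_text):
    """Return {constant: value} for the literal define() calls in a configure.php."""
    defines = {}
    for name, text, boolean in DEFINE_RE.findall(php_text):
        defines[name] = (boolean == "true") if boolean else text
    return defines


def audit_configure(php_text, is_admin):
    """Return (constant, problem) pairs for one configure.php (hypothetical helper)."""
    d = parse_defines(php_text)
    findings = []
    if is_admin:
        # The fix quoted in this thread: the admin HTTP_SERVER itself must be https.
        if urlsplit(d.get("HTTP_SERVER", "")).scheme != "https":
            findings.append(("HTTP_SERVER", "admin links will be plain http"))
        return findings
    if d.get("ENABLE_SSL") is not True:
        findings.append(("ENABLE_SSL", "SSL is not enabled for checkout"))
    if urlsplit(d.get("HTTPS_SERVER", "")).scheme != "https":
        findings.append(("HTTPS_SERVER", "not an https URL"))
    for key in ("HTTP_COOKIE_DOMAIN", "HTTPS_COOKIE_DOMAIN"):
        value = d.get(key, "")
        if value and not HOSTNAME_RE.match(value):
            findings.append((key, "must be a bare hostname, got %r" % value))
    return findings


# Constructed samples modelled on the configs posted in this thread.
ADMIN_HTTP = "define('HTTP_SERVER', 'http://www.mysite.com');"
ADMIN_HTTPS = "define('HTTP_SERVER', 'https://mysite.com');"
CATALOG = """
define('HTTP_SERVER', 'http://www.shop.example');
define('HTTPS_SERVER', 'https://ssl.host.example');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.shop.example');
define('HTTPS_COOKIE_DOMAIN', 'https://ssl.host.example');
"""

if __name__ == "__main__":
    for label, text, admin in (("admin (http)", ADMIN_HTTP, True),
                               ("admin (https)", ADMIN_HTTPS, True),
                               ("catalog", CATALOG, False)):
        print(label, audit_configure(text, admin))
```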


I wanted to add another tip. This is mostly for people using DreamHost with their own secure domain (as in shared hosting with your own ssl), but the idea might work for someone else, too.

 

I had secure.mydomain.com as the https domain for mydomain.com . I tried every config tip I could find and nothing worked. Every time I clicked on a secure link I would get "No input file specified". DreamHost was no help when I asked their tech support, either.

 

Now, when you set up a new domain (or subdomain) with Dreamhost they create a new directory in your home with the name of the domain or sub domain. After the directory has been created in your home, delete it...that's right delete the directory that was just created with the name you are going to use for a secure (https) domain. Then create a softlink called "secure.yourdomain.com" (or whatever the name of your secure domain is) that points to the folder "yourdomain.com" (the folder with all your osCommerce files). Then just follow the instructions all over the place for making sure your configuration file is correct. If you don't know how to create a symbolic link do a google search for "create symlink linux" and you should find the help you need.

 

I have no idea about what impact this has on security, I just know it works.


A note to posters who are requesting help in this thread:

 

Please read the sticky at the top of the Tricks & Tips Forum:

 

http://forums.oscommerce.com/index.php?showtopic=30722

About this forum

 

1. This is not a support forum. Do not ask questions here.

2. Do not ask for tips or tricks to be posted.

 

There's a couple logical reasons for these rules.

 

1) People are not casually watching this forum for help requests.

2) Every post which is not a tip or trick but rather a request for help makes the thread itself less useful for future readers, they'll have to wade through all the muck to find the useful posts.

 

Questions and requests for help belong either in General Support or Installation and Configuration. I try not to answer questions in this forum unless they directly relate to something I've posted.

 

OK, enough lecturing...

=======================================

 

I recently received a question about the session id appearing in the address bar when a user is in the secure areas using shared ssl.

 

The session ID shows for the first product, then goes away. Then the session reappears in the URL for secure pages and remains on them. Goes away after I surf to regular pages. I'm assuming this is https cookie in my config file, but I've tried a bunch of things.

 

That's exactly the way it works for anyone using a shared ssl setup. The browser can not read a cookie issued by a different domain, this is basic internet security. (There was a bug in an early version of Windows IE which could be exploited to fool the browser if a site carefully set for the exploit, knowing the targets, it's since been fixed.)

 

So when your browser switches to secure.somehost.com/your_user_id the browser is looking at secure.somehost.com, it's not permitted to read cookies set for yourdomain.com and shouldn't even acknowledge that such a cookie exists. Therefore osC puts the session id in the url while you're in secure sections. It is the same for everyone and it's the reason why force cookie use always fails on setups using shared ssl, people always get the cookie usage page and ask why.

 

I don't think it's a big deal, the risk is small since it's only in the secure areas that the session id appears and there's very little chance a search engine could find an https address with the session id info. Search engines don't scan https addresses.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)
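
An added example (not part of the post above, and not osCommerce code): a model of the browser-side cookie rules from RFC 6265 that the shared-SSL explanation relies on, showing when the session cookie set on the HTTP shop reaches the HTTPS host and when the session id has to travel in the URL instead. The function names are hypothetical, the hosts are the placeholders used in the post, and the model ignores public-suffix rules and cookie flags.

```python
from urllib.parse import urlsplit


def domain_match(host, domain):
    """RFC 6265 domain-match: host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_match(request_path, cookie_path):
    """RFC 6265 path-match: cookie path is a whole-segment prefix of the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def store_cookie(setting_url, cookie_domain, cookie_path):
    """Model the browser storing a session cookie; None means it was rejected."""
    host = urlsplit(setting_url).hostname
    if not cookie_domain:
        # No Domain attribute: host-only cookie, returned to exactly this host.
        return {"domain": host, "host_only": True, "path": cookie_path}
    if not domain_match(host, cookie_domain):
        # A site cannot set a cookie for a domain it does not belong to.
        return None
    return {"domain": cookie_domain.lower().lstrip("."), "host_only": False,
            "path": cookie_path}


def cookie_sent(cookie, request_url):
    """Would the browser attach this stored cookie to a request for request_url?"""
    parts = urlsplit(request_url)
    if cookie["host_only"]:
        host_ok = parts.hostname == cookie["domain"]
    else:
        host_ok = domain_match(parts.hostname, cookie["domain"])
    return host_ok and path_match(parts.path or "/", cookie["path"])


def session_survives(http_page, https_page, cookie_domain="", cookie_path="/"):
    """True if the session cookie set on http_page reaches https_page.
    False means the shop has to carry the session id in the URL instead."""
    cookie = store_cookie(http_page, cookie_domain, cookie_path)
    return cookie is not None and cookie_sent(cookie, https_page)


# Constructed cases: shared SSL on a foreign host vs. a secure subdomain of the shop.
SHARED_SSL = session_survives(
    "http://www.yourdomain.com/catalog/index.php",
    "https://secure.somehost.com/your_user_id/catalog/login.php")
OWN_SUBDOMAIN = session_survives(
    "http://www.yourdomain.com/catalog/index.php",
    "https://secure.yourdomain.com/catalog/login.php",
    cookie_domain=".yourdomain.com", cookie_path="/catalog/")

if __name__ == "__main__":
    print("shared SSL keeps cookie session:", SHARED_SSL)
    print("own secure subdomain keeps cookie session:", OWN_SUBDOMAIN)
```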


Regarding the infamous message of "some items on this page are not secure...etc", and subsequently not getting the much desired padlock icon....

 

Thought I'd share my specific problem in the event it might help someone else.

 

When you embed a flash animation you end up with a couple lines similar to:

codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"

-and-

pluginspage="http://www.macromedia.com/go/getflashplayer"

 

I'd been stumped because despite the fact that everything on my site was local to the site and referenced with relative paths (including my swf flash animations), etc, I was still getting the warning that "some items on this page are not secure...".

 

Turns out those two lines listed above are enough to cause that problem. By changing each one to "https" my pages passed the security checks and I got my beloved padlock.

 

So, instead of the above lines you would need:

codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"

-and-

pluginspage="https://www.macromedia.com/go/getflashplayer"

 

Again, hope this additional check can help some other stumped coder some time.....


:shifty:

 

There's an even simpler solution. Make those Flash/Macromedia links like so:

 

codebase="//download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"

-and-

pluginspage="//www.macromedia.com/go/getflashplayer"

 

Leave out the http or the https completely. When the browser switches modes the urls will switch with it


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)
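
An added example (not part of the posts above): a scanner that lists the URL-bearing attributes of a page and classifies each as plain http, https, protocol-relative or relative, so the `codebase` and `pluginspage` references described in the two posts above show up before the browser drops the padlock. The attribute table, function names and sample markup are assumptions built from the lines quoted in the thread.

```python
from html.parser import HTMLParser

# Attributes checked on each tag, including the two named in the thread.
# <a href> is navigation, not a subresource, so it is deliberately not listed.
FETCHED = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "link": ("href",),
    "object": ("data", "codebase"), "embed": ("src", "pluginspage"),
}


def classify(url):
    u = url.strip().lower()
    if u.startswith("http://"):
        return "insecure"        # stays http even when the page is served over https
    if u.startswith("https://"):
        return "secure"
    if u.startswith("//"):
        return "follows-page"    # protocol-relative: inherits the page's scheme
    return "relative"


class ResourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []          # (line, tag, attribute, status)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return               # only stylesheet links are loaded with the page
        for name in FETCHED.get(tag, ()):
            if attrs.get(name):
                self.found.append((self.getpos()[0], tag, name, classify(attrs[name])))


def scan(html):
    """Return every checked attribute with its classification."""
    scanner = ResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.found


def insecure(html):
    """Only the references that would trigger the 'not secure' warning."""
    return [(line, tag, name) for line, tag, name, status in scan(html)
            if status == "insecure"]


# Constructed sample page using the attribute values quoted in the thread.
SAMPLE = """<html><body>
<img src="images/logo.gif">
<a href="http://www.macromedia.com/">Macromedia</a>
<object codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0">
<embed src="intro.swf" pluginspage="http://www.macromedia.com/go/getflashplayer">
</object>
<embed src="intro.swf" pluginspage="//www.macromedia.com/go/getflashplayer">
<embed src="intro.swf" pluginspage="https://www.macromedia.com/go/getflashplayer">
</body></html>"""

if __name__ == "__main__":
    for finding in insecure(SAMPLE):
        print("insecure reference at line %d: <%s %s>" % finding)
```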


I have SSL working on my site, but when I log in to Admin, the first screen informs me that "You are not protected by a secure SSL connection" (bottom left) and displays a small unlocked padlock image.

I do have SSL and it works on the site with no problems.

The site was installed with Fantastico and I chose the SSL option = "yes"

What steps do I have to take to cure this?


I have this exact same problem, any help would be appreciated.


The reason for that is very simple.

 

Here's the code from /catalog/admin/index.php which flips that little padlock and its associated message on or off.

 

if (getenv('HTTPS') == 'on') {
  $size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');
  $contents[] = array('params' => 'class="infoBox"',
                      'text' => tep_image(DIR_WS_ICONS . 'locked.gif', ICON_LOCKED, '', '', 'align="right"') . sprintf(BOX_CONNECTION_PROTECTED, $size));
} else {
  $contents[] = array('params' => 'class="infoBox"',
                      'text' => tep_image(DIR_WS_ICONS . 'unlocked.gif', ICON_UNLOCKED, '', '', 'align="right"') . BOX_CONNECTION_UNPROTECTED);
}

 

You may need to change the (getenv('HTTPS') == 'on') part if you've changed it before to get ssl working. As to the wording of the message, I've yet to use a server which actually returns anything for (getenv('SSL_CIPHER_ALGKEYSIZE') so the message will be the one that BOX_CONNECTION_UNKNOWN points to in your language file.

 

By playing with those lines and your language file you can get any result you wish.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


I accomplished this:

 

RC4.gif

 

on a dedicated ssl which requires (getenv('HTTPS') == '1') and changing the definition of BOX_CONNECTION_UNKNOWN in admin/languages/index.php


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


My site is www.mylarimar.com

The osc site separately works in both secure and nonsecure mode.

The problem is there is a totally separate session created on the secure server, so session info (shopping cart contents) is not passed over.

I am using cookies; both environments are setting their own cookies. I guess I could hack this and force it to create a cookie with the SSL server info, but it seems like there should be a better way of doing this.

here are my config settings:

define('HTTP_SERVER', 'http://www.mylarimar.com');
define('HTTPS_SERVER', 'https://mylarimar.securewebsite.net');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

 

BTW if i add the cookie_domain lines no cookies are written at all and each click generates a new session id.

 

Ok well, thanks for any help.

 

Mike

 

ps sorry for the double post if anyone is keeping track. i did not get any good answers when i started a new topic. cheers


Hi

 

I have osC installed and running, the problem I have is the admin area.

If I log into admin via HTTPS, I get the secure padlock symbol on the first page of the admin section. When I go into any admin section past the first screen the HTTPS disappears.

How do I configure the admin to be secure throughout and use HTTPS?


I think it's only the checkout that uses SSL, not the admin area.

Besides, if you have a good password you should not need it.


You Can Win, But I Can't Lose.

 

James


My SSL works fine in the catalog area , but not in ADMIN ??

 

I've read this thread , searched , posted , but had no joy yet.

 

I've run the script posted by alanR, the mynev one, ran it on the https and http and eventually got the result of "443", so I put that in catalog/includes/application_top.php ..... checked all the other files mentioned, but no joy in securing the admin area.

 

I log into admin on HTTPS , get the padlock and the "you are protected by an unknown .....blah , blah" then when i enter any admin section other than the first screen i'm back to non-secure ????

 

 

any help

I think its only the checkout that uses SSL, not the admin area.

Besides, if you have a good password you should not need it.

 

 

No , admin area can use it , thanks anyway
