
osCommerce

The e-commerce.

SSL missing in admin


mondos


Hi people!

 

I have installed ssl for catalog and for admin, and it is enabled in the configurations files, but in the admin section it happens as follows:

 

- In the main page of admin I have the "You are protected by a unknown secure SSL connection", so everything seems to work well, BUT

- when I click in any link I go always to a non ssl page

 

What is happening? I have SSL set to true in configure.php but it looks like the pages in the admin section don't "take" the https header or something like that.

 

My store is online and working and it is very important for me to have the security enabled.

 

Please can someone help me with this?

 

thanx thanx thanx

 

mondos

Link to comment
Share on other sites

  • Replies 67
  • 1 year later...

Surely there must be a better way to solve the problem?

I have just encountered the same issue and would love to see a better solution than to modify the source code for something as routine as SSL.

Link to comment
Share on other sites

Okay, I fixed it by changing the HTTP server (not HTTPS) to https://myserver.com.

That secures the whole admin folder.

Don't know if that's the smoothest solution, but other posts seem to indicate such is the case. If I'm wrong, somebody let me know. :)

Link to comment
Share on other sites

  • 7 months later...
Okay, I fixed it by changing the HTTP server (not HTTPS) to https://myserver.com.

That secures the whole admin folder.

Don't know if that's the smoothest solution, but other posts seem to indicate such is the case. If I'm wrong, somebody let me know. :)

2.2 MS2 Installed from Plesk 7.5.1

 

I tried this and all links are now secure but I now get this error when I click on "Categories/Products":

 

Warning: is_dir(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/categories.php on line 326

 

Error Error: Catalog images directory does not exist: /home/httpd/vhosts/mydomain.com/httpdocs/shop/images/

 

And just under the "Categories / Products" heading I get this:

 

Warning: file_exists(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/travelcarr.gif) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/includes/functions/general.php on line 230

 

Has anyone experienced this? Any ideas on a fix?

Webz -------> @(-_-)@

Link to comment
Share on other sites

I am also having this problem. I saw below that someone said that they fixed it by fixing the link code in admin/includes/functions/html_output.php, but there wasn't any more info besides that. I want to have the admin area linked via https, and when I go to https://mysite.ssl.simplenet.com/admin/ the other links on the admin page are not linked via https, they are linked via http:

 

 

Can anyone provide some detailed instructions on how to fix this problem?

Thanks...

Link to comment
Share on other sites

I fixed the problem with the following changes.

 

 

in admin/includes/local/configure.php

 

change

define('HTTP_SERVER', 'http://www.host.com');

to

define('HTTP_SERVER', 'https://www.host.com');

define('HTTPS_SERVER', 'https://www.host.com');

 

change

define('ENABLE_SSL', 0);

to

define('ENABLE_SSL', 1);

 

 

in admin/includes/configure.php

 

change

define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module

to

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

 

in catalog/includes/local/configure.php

 

change

define('HTTP_SERVER', 'http://www.host.com');

to

define('HTTP_SERVER', 'https://www.host.com');

define('HTTPS_SERVER', 'https://www.host.com');

 

change

define('ENABLE_SSL', 0);

to

define('ENABLE_SSL', 1);

 

 

in catalog/includes/configure.php

 

change

define('ENABLE_SSL', false); // secure webserver for checkout procedure?

to

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

 

 

hope this may help

Link to comment
Share on other sites

Hi people!

I have installed ssl for catalog and for admin, and it is enabled in the configurations files, but in the admin section it happens as follows:

- In the main page of admin I have the "You are protected by a unknown secure SSL connection", so everything seems to work well, BUT

- when I click in any link I go always to a non ssl page

What is happening? I have SSL set to true in configure.php but it looks like the pages in the admin section don't "take" the https header or something like that.

My store is online and working and it is very important for me to have the security enabled.

Please can someone help me with this?

thanx thanx thanx

mondos

 

As others have pointed out, the problem is partially in the tep_href_link() function in admin/includes/functions/html_output.php

 

Specifically, it takes 3 arguments, but many places in the code only provide 2. The 3rd argument ($connection) can be unset, or have the values "SSL" or "NONSSL" and, as you'd expect, control the type of link generated. All well and good, except if an argument isn't specified, the function *defaults* to "NONSSL". *That* is what is causing the problem on the admin page. The main admin links all call this function with no third argument, so it defaults to generating unsecure links. I've fixed my copy with the following change that I hope the devs will see, and incorporate.

 

bash-2.03$ diff html_output.php html_output.php-FIXED
15c15,19
<   function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {
---
>
> // Original:
> //function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {
> // Fixed: -JMM
>   function tep_href_link($page = '', $parameters = '', $connection = 'UNSET') {
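Review bot: The new default 'UNSET' in the tep_href_link() signature is a third magic string next to 'SSL' and 'NONSSL', and nothing in the hunk says what it means. Add a one-line comment stating that an omitted $connection now inherits the scheme of the current request, and drop the commented-out original signature, since the diff already records it.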
18a23,32
>
> // Begin modified code -JMM
>     if ($connection == 'UNSET') {
>        if (getenv('HTTPS') == 'on')  { // We are loading an SSL page
>           $connection = 'SSL';
>        } else {
>           $connection = 'NONSSL';
>        }
>     }
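Review bot: The getenv('HTTPS') == 'on' test in the added block falls back to 'NONSSL' for every other value, so a server that leaves the variable unset or reports it differently gets plain-HTTP links even on a secure page. For admin links it would be safer to fail towards 'SSL', for example when the configured server URL already starts with https. The hunk header 18a23,32 also announces ten added lines but only nine are shown, so the closing marker for the "Begin modified code" comment is missing here.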

 

This changes the default behavior, when no argument is passed, to be "whatever I was doing when I was called". This seems the most sane choice, while maintaining the coder's ability to "over-ride" that default explicitly.

 

Which brings me to the next problem. "NONSSL" is handed in as an argument in a bunch of places. These places include the links down the left hand side of the various admin pages. All except "Tools". The problem here is that a store owner, going to their secured admin pages, will "fall out" of SSL by clicking on any of those left hand links even after my suggested above fix BECAUSE THE DEVS EXPLICITLY PASS "NONSSL" as an argument to the tep_href_link() function. I'm tempted to remove that for all of those admin links, since I can think of no reason to force those to be NONSSL, but I don't want to break something. Can someone please tell me why those were explicitly required to not be secure links?

 

For anyone else who wishes to fix this on their own sites, without throwing the whole store permanently under SSL, here are the files I've found that use the NONSSL token. All of these should be examined, and in conjunction with my fix above, removed if you want to keep the secure/non-secure status of whichever page you are currently on.

 

bash-2.03$ textsearch NONSSL | cut -f1 -d: | sort | uniq -c
  1 ./admin/cache.php
  1 ./admin/categories.php
  6 ./admin/includes/boxes/catalog.php
  1 ./admin/includes/boxes/configuration.php
  2 ./admin/includes/boxes/customers.php
  3 ./admin/includes/boxes/localization.php
  3 ./admin/includes/boxes/modules.php
  3 ./admin/includes/boxes/reports.php
  5 ./admin/includes/boxes/taxes.php
  2 ./admin/includes/classes/split_page_results.php
  7 ./admin/includes/functions/html_output.php
  3 ./admin/includes/header.php
 15 ./admin/products_attributes.php
  1 ./admin/reviews.php
  4 ./admin/specials.php
  2 ./admin/stats_customers.php
  2 ./admin/stats_products_purchased.php
  2 ./admin/stats_products_viewed.php
  1 ./admin/whos_online.php
  1 ./advanced_search.php
  3 ./advanced_search_result.php
  4 ./includes/application_top.php
  1 ./includes/boxes/manufacturers.php
  1 ./includes/boxes/search.php
  1 ./includes/boxes/tell_a_friend.php
  1 ./includes/functions/general.php
  4 ./includes/functions/html_output.php
  1 ./includes/modules/payment/psigate.php
  1 ./product_info.php
bash-2.03$

Link to comment
Share on other sites
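The post above separates two cases: calls that omit the third argument and take the function default, and calls that pass 'NONSSL' explicitly, which the posted patch does not change. As an added example (not part of any post in this thread and not osCommerce code), this Python script classifies tep_href_link() calls in PHP source by that distinction; the sample source and the helper my_params() are constructed for illustration.

```python
import re

CALL = re.compile(r"\btep_href_link\s*\(")
TOKEN = re.compile(  # PHP string literal | bracket or comma | any other text
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[()\[\],]|[^'"()\[\],]+""", re.S)

def split_args(src, start):
    """Top-level arguments of a call; start is the index just after its '('."""
    args, buf, depth = [], "", 0
    for tok in TOKEN.finditer(src, start):
        t = tok.group()
        if t in ("(", "["):
            depth += 1
        elif t in (")", "]"):
            if depth == 0:                  # the call's own closing paren
                args.append(buf.strip())
                return [] if args == [""] else args
            depth -= 1
        elif t == "," and depth == 0:       # separator between arguments
            args.append(buf.strip())
            buf = ""
            continue
        buf += t
    return None                             # call never closed

def classify(src):
    """Count tep_href_link() calls by how the connection type is chosen."""
    counts = {"SSL": 0, "NONSSL": 0, "default": 0, "dynamic": 0}
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        if args is None or re.search(r"\bfunction\s+$", src[:m.start()]):
            continue                        # unclosed call, or the definition
        if len(args) < 3:
            counts["default"] += 1          # relies on the function's default
        else:
            third = args[2].strip("'\"")
            counts[third if third in ("SSL", "NONSSL") else "dynamic"] += 1
    return counts

# Constructed PHP fragment for illustration; my_params() is a made-up helper.
SAMPLE = r"""
function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {
echo tep_href_link('categories.php', '', 'NONSSL');
echo tep_href_link('whos_online.php');
echo tep_href_link('reviews.php', my_params(array('oID', 'action')) . 'oID=' . $id);
echo tep_href_link('specials.php', 'a=b,c', 'SSL');
echo tep_href_link('cache.php', '', $conn);
"""
```

Calling classify() on the contents of each file under admin/ shows which files need only the changed default and which still carry explicit 'NONSSL' arguments to review by hand.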

Leslie - you have the right idea with the 'admin' folder, but you should not do the same with the 'catalog' folder. Putting all of your storefront behind ssl will slow down your whole site - as all pages have to be encrypted before being served up to the customer.

 

Jesse - I appreciate the time and trouble you went to on this problem - but the simplest fix is the best for newcomers to osCommerce. In admin/includes/configure.php change http://www.yourdomain.com to https://www.yourdomain.com. All sub-folders and pages in the 'admin' section are then run under ssl.

 

Vger

Link to comment
Share on other sites
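Whichever fix is applied (a patched tep_href_link() or an https HTTP_SERVER in the admin configure.php), the result can be checked from the rendered page rather than assumed. As an added example (not part of any post in this thread), this Python check lists the links and form targets on an HTTPS admin page that still resolve to plain HTTP on the same host; the host name, page names and markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class UrlCollector(HTMLParser):
    """Collect (tag, url) pairs from href, src and action attributes."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.found.append((tag, value))

def downgrade_links(page_url, html):
    """URLs on an https page that resolve to plain http on the same host."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        raise ValueError("page_url must be the https address of the page")
    collector = UrlCollector()
    collector.feed(html)
    hits = []
    for tag, raw in collector.found:
        target = urlsplit(urljoin(page_url, raw))  # resolve relative links
        if target.scheme == "http" and target.hostname == page.hostname:
            hits.append((tag, raw))
    return hits

# Constructed markup standing in for an admin page fetched over https.
SAMPLE_HTML = """
<a href="http://www.host.com/admin/categories.php">Catalog</a>
<a href="whos_online.php">Tools</a>
<a href="https://www.host.com/admin/reviews.php">Reviews</a>
<form action="http://www.host.com/admin/specials.php" method="post"></form>
<a href="http://www.example.org/">Support site</a>
"""

if __name__ == "__main__":
    page = "https://www.host.com/admin/index.php"
    for tag, url in downgrade_links(page, SAMPLE_HTML):
        print(f"<{tag}> leaves SSL: {url}")
```

Relative links inherit the scheme of the page and links to other hosts are ignored, so only the absolute same-host http:// URLs are reported.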

  • 3 weeks later...

It worked for me by just changing the following in admin/local/config.php:

 

change

define('HTTP_SERVER', 'http://www.host.com');

to

define('HTTP_SERVER', 'https://www.host.com');

 

 

I fixed the problem with the following changes.

in admin/includes/local/configure.php

 

change

  define('HTTP_SERVER', 'http://www.host.com');

to

  define('HTTP_SERVER', 'https://www.host.com');

  define('HTTPS_SERVER', 'https://www.host.com');

 

change

  define('ENABLE_SSL', 0);

to

  define('ENABLE_SSL', 1);

in admin/includes/configure.php

 

change

  define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module

to

  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

in catalog/includes/local/configure.php

 

change

  define('HTTP_SERVER', 'http://www.host.com');

to

  define('HTTP_SERVER', 'https://www.host.com');

  define('HTTPS_SERVER', 'https://www.host.com');

 

change

  define('ENABLE_SSL', 0);

to

  define('ENABLE_SSL', 1);

in catalog/includes/configure.php

 

change

  define('ENABLE_SSL', false); // secure webserver for checkout procedure?

to

  define('ENABLE_SSL', true); // secure webserver for checkout procedure?

hope this may help

Link to comment
Share on other sites

Hi people!

I have installed ssl for catalog and for admin, and it is enabled in the configurations files, but in the admin section it happens as follows:

- In the main page of admin I have the "You are protected by a unknown secure SSL connection", so everything seems to work well, BUT

- when I click in any link I go always to a non ssl page

What is happening? I have SSL set to true in configure.php but it looks like the pages in the admin section don't "take" the https header or something like that.

My store is online and working and it is very important for me to have the security enabled.

Please can someone help me with this?

thanx thanx thanx

mondos

 

I think you need to check your https settings in the /admin/config file

Link to comment
Share on other sites

We need to have an understanding of what is what: the file is configure.php and it is located in the respective 'includes' directory.

The 'local' directory is for developing locally on your computer so you can do a full test of everything locally prior to sending to the internet without having to change your includes/configure.php files (just have to make sure you don't send the local/configure.php to the net).

Link to comment
Share on other sites

This is just a small issue...but...

 

I know my admin side is secure even though the lower left hand side of the main administration page still says it is not secure, even though I know it is due to change in configure.php and I am able to see padlock......

 

...but is this just a flaw, or is it possible to get osC main administration page to actually 'lock' the padlock and say it is protected?

 

temp1.jpg

Link to comment
Share on other sites

It worked for me by just changing the following in admin/local/config.php:

 

change

  define('HTTP_SERVER', 'http://www.host.com');

to

  define('HTTP_SERVER', 'https://www.host.com');

 

That seemed to work for me too, I don't mind having all my admin activities under SSL.

 

BUT: In the catalog pages, the images are not displayed any more.

 

N.B. I am using an SSL proxy with an SSL address like "ssl.provider.com/catalog//mydomain" which is the SSL equivalent to "www.mydomain.com"

 

The catalog images get addresses "ssl.provider.com/images/myimage.jpg" (the "mydomain" went just into nirvana. :( )

When I try to fiddle with the setting in define('DIR_FS_CATALOG_IMAGES', by adding "mydomain" I just get "image not available".

 

Has anyone got the same symptoms and even got a cure?

 

Thank you!

 

Michel

Link to comment
Share on other sites

ssl.provider.com/catalog//mydomain

 

Well, there's two slashes in there to start with.  Make sure that your https server address is https://ssl.provider.com/yourdomain, and then your https path to catalog is /catalog/  Leave the https cookie domain blank.

 

Vger

 

Oh sorry, the double // was a typo.

 

I will try your hint with nothing as cookie server.

 

Thanks

Link to comment
Share on other sites

2.2 MS2 Installed from Plesk 7.5.1

 

I tried this and all links are now secure but I now get this error when I click on "Categories/Products":

 

Warning: is_dir(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/categories.php on line 326

 

Error Error: Catalog images directory does not exist: /home/httpd/vhosts/mydomain.com/httpdocs/shop/images/

 

And just under the "Categories / Products" heading I get this:

 

Warning: file_exists(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/travelcarr.gif) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/includes/functions/general.php on line 230

 

Has anyone experienced this?  Any ideas on a fix?

 

I have the same issue. Unfortunately the default settings - at least in my Plesk setup - serve HTTP and HTTPS docs from 2 different directories. (httpdocs & httpsdocs). I can't see a solution except to change the value for the http server in the config files as suggested here. I'd love to hear a better one though...

Link to comment
Share on other sites

I've recently purchased an SSL for my website, but after a week of ploughing through the OsC help files can't find anything that tells me actually what to do with it!

 

Can anyone kindly point me to any resources that take me step by step through the process of integrating an SSL into OsC. I need the Checkout secured, where people are going to be using credit & debit cards.

 

Thanks.

 

Mike :D

Link to comment
Share on other sites

Can anyone kindly point me to any resources that take me step by step through the process of integrating an SSL into OsC. I need the Checkout secured, where people are going to be using credit & debit cards.

 

You should check that with your provider, he will give you the instructions to install the certificate. Once installed you just have to adapt the configure.php files and fill in the HTTPS domain (which should be the same as your HTTP domain) and set SSL to "true".

 

Enjoy it, it is surely much easier than using shared SSL.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
