Suspected configure.php incorrectly set up

[grandpaj 25]

Hi

 

I have recently transferred my site (grandpas.co.nz)which was in a sub directory and everything was working perfectly to public_html where eveything does not work perfectly. There is probably somewhere in the forum a thread for this problem, however Im unable to find it.

ie;

When I try to add products to the Featured products module. I continually get asked to log in

same with, Database Check..and oithers

 

I am thinking it must be something to do with the way the configre.php file is set up. Heres my catalog config

 define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/~grandp/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

And heres my admin (name has been changed)

define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'http://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/~grandp');
  define('HTTP_CATALOG_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_CATALOG_SERVER', 'http://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL_CATALOG', 'false');
  define('DIR_FS_DOCUMENT_ROOT', '/home/grandp/public_html/');
  define('DIR_WS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_WS_HTTPS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_FS_ADMIN', '/home/grandp/public_html/ADMIN/');
  define('DIR_WS_CATALOG', '/~grandp/');
  define('DIR_WS_HTTPS_CATALOG', '/~grandp/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

I have been trying for sometime to get this to work

 

Cache is   /home/grandp/public_html/includes/work/

 

Not sure what else I can do. But I guess there must be a simple explanation. You will also see we (at the moment) are on a shared SSL.

 

Any help to sort this frustrating problem would be much appreciated.

 

Cheers

Grandpa

[♥Tsimi 525]

@@grandpaj

 

You're saying that with the exact same config settings, besides removing the sub-folder name, it worked?

Did you try to change things a bit? This is gonna be some sort of trial and error thing especially since you have a shared SSL.

Let's try these once. Just backup your original files just in case.

  define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz/~grandp');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

and this

  define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz/~grandp');
  define('HTTP_COOKIE_PATH', '/ADMIN');
  define('HTTPS_COOKIE_PATH', '/ADMIN');
  define('HTTP_CATALOG_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_CATALOG_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL_CATALOG', 'true');
  define('DIR_FS_DOCUMENT_ROOT', '/home/grandp/public_html/');
  define('DIR_WS_ADMIN', '/ADMIN/');
  define('DIR_WS_HTTPS_ADMIN', '/ADMIN/');
  define('DIR_FS_ADMIN', '/home/grandp/public_html/ADMIN/');
  define('DIR_WS_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

[grandpaj 25]

@@Tsimi

 

Hi Lambros

 

Many thanks for taking the time to help with this most frustrating problem. I think it may have been around for a little while, but only come to the for with the addition of addons.

 

tried your solution, maybe close, however I get this when using Firefox

 

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

Tried many variations on your suggested code for the last few hours. Any further thoughts.

 

Cheers

 

Grandpa

[grandpaj 25]

@@Tsimi

 

Hi Lambros

 

Just a little addition to the above

 

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete.".....

 

What I have found is that if I change the 3rd line in admin>config to false all's good, just that the admin area isn't protected by secure server. Don't know but  I wonder if it would make any difference if we had our own SSL cert.......

 

Tried many variations on your suggested code for the last few hours. Any further thoughts.

 

Cheers

 

Grandpa

Cheers

[MrPhil 648]

 

I have recently transferred my site (grandpas.co.nz)which was in a sub directory and everything was working perfectly to public_html where eveything does not work perfectly.

 

Hold on there. Why did you move your site from a subdirectory to the root? If it was to get rid of having to type in the subdirectory name, that's a mistake. You're far better off instead adding a URL rewrite to your .htaccess, to send visitors to your root down to the subdirectory. 1) You leave your root uncluttered, 2) You can add additional applications (blog, forum, gallery, etc.) without their stepping on each other, 3) You don't lose customers who've bookmarked your subdirectory address, and 4) You don't lose search rankings by restructuring your site.

RewriteEngine On
RewriteCond  %{REQUEST_URI}  !^/storesubdir
RewriteRule  ^(.*)$  /storesubdir/$1  [L]

If and when you add other applications, you can remove that rewrite and create a landing page with links to your applications.

[Jack_mcs 1,112]

@@Tsimi

 

What I have found is that if I change the 3rd line in admin>config to false all's good, just that the admin area isn't protected by secure server. Don't know but  I wonder if it would make any difference if we had our own SSL cert.......

 

You are using the shared ssl in admin but also telling the code to use the regular url so when the ssl option is true, it fails. Change the url to use the shared ssl and admin should work. Of course, you will have to get into your admin using the shared ssl url. If you install your own cert, that would not be necessary.

[♥John W 118]

You should rename your admin directy to something else.  It's also a good habbit to use lowercase. 

 

A fact that many people don't think of is the biggest losses in business is lost sales.  My strong suggestion is get a dedicated IP at least and get your own cert as Jack suggested.  Think about how much something costs and then how much sales do you have to do to pay for that.  And if you're doing good sales think about a dedicated server.

[grandpaj 25]

@@Jack_mcs

@@John W

 

Hi guys many thanks for your reply.(the admin has been renamed I just used ADMIN to show where the admin dir was)

 

I am extremely thick when it comes to changing this sort of code. I had a go by changing, as I really wasn't sure which code to change

define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'http://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL', true);

As follows

 

define('HTTP_SERVER', 'http://skyhawk.mysecure.co.nz');No good

then Line 2 to

define('HTTP_SERVER', 'http://skyhawk.mysecure.co.nz/~grandp');No good

 

Im not sure whether Im even in the right area of code to change.

 

@@John W

 

I guess from your comments that we should at the very least get our own dedicated IP address then secondly our own SSL.

 

Any constructive comments greatly appreciated.

 

Kind regards

 

Grandpa

[♥John W 118]

Hi Grandpa,

 

Just now, when I went to your site and clicked create account, it did go to

https://skyhawk.mysecure.co.nz/~grandp/create_account.php?osCsid=8af1cfefba1b3131c29f593d32564612

 

I beleive it's best not to have the session id in the url. 

 

If this is a new site you're doing yourself a favor getting a dedicated ip and your own cert IMHO.

 

Cpanel security highly recomends disabling the ability to see a site using "~grandp" witht the tilde.

[grandpaj 25]

@@MrPhil

 

Hi

 

Many thanks for your reply.

 

The reason I "transferred" from the subdirectory to html_public was that was what I thought had to be done. As you can probably guess I am totally ignorant about all these things.

Just to show my complete lack of knowledge, does the code as you have above go into the "site" in the sub directory and then there no files in the public_html.

 

Again many thanks

 

Grandpa,

[grandpaj 25]

@@John W

 

Thanks for your comments,

I really do appreciate all the help.

What's the best and safest way to get rid of the session id in the url. and the /~grandp

 

Many thanks

 

Grandpa

[MrPhil 648]

does the code as you have above go into the "site" in the sub directory and then there no files in the public_html.

 

It would go in the root .htaccess file (/.htaccess). I haven't tried it with https, but I think it should work (I know it works with http). Your site would first be restored to the original subdirectory. The idea is that any link coming in without the subdirectory at the beginning of the path (URI) would get the store's subdirectory prepended to it. Thus, you could give the store either at / or at /storesubdir and it should get there.

 

You can even add the "permanent redirect" flag ([L] becomes [L,R=301]) to show the proper address to visitors and search engines. They can bookmark either form and it will work. However, with R=301, if in the future you remove this .htaccess code and create a landing page in the root (for multiple applications), bookmarked and indexed addresses to the store will still be good.

 

As you've already gone through all the effort of moving your store to the root, you might want to try to get it working there. If you can't easily do that, move it back to its original place (you do have a backup, right?) and add the code I gave to /.htaccess. Try it with both http and https links to make sure it's working. Note that this assumes you're on an Apache server!

[Jack_mcs 1,112]

@@grandpa The following should work for the admins configure file, though it may need a few tweaks: 

  define('HTTP_SERVER', 'https://skyhawk.mysecure.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', '.skyhawk.mysecure.co.nz');
  define('HTTPS_COOKIE_DOMAIN', '.skyhawk.mysecure.co.nz');
  define('HTTP_COOKIE_PATH', '/~grandp/');
  define('HTTPS_COOKIE_PATH', '/~grandp/');
  define('HTTP_CATALOG_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_CATALOG_SERVER', 'https://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL_CATALOG', 'true');
  define('DIR_FS_DOCUMENT_ROOT', '/home/grandp/public_html/');
  define('DIR_WS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_WS_HTTPS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_FS_ADMIN', '/home/grandp/public_html/ADMIN/');
  define('DIR_WS_CATALOG', '/~grandp/');
  define('DIR_WS_HTTPS_CATALOG', '/~grandp/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');

[♥John W 118]

Your site is only showing the session for first click then it goes away so it might not be a problem.  Maybe others can give input on that becaue I've been doing that way for over 10 years. 

 

One thing though is look at your login that drops down in Firefox console and you'll see.  "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen." 

 

The stock way of logging in where it goes to a https login doesn't get this. 

[grandpaj 25]

@@Jack_mcs

 

Hi Jack

 

Many thanks worked a treat, I just wish I had some of the knowledge you guys have, then I could help someone.

The code hasn't needed any alteration (yet)

 

Again SOOOOO many thanks

 

Grandpa

[grandpaj 25]

Hi

 

Many thanks to those who offered help

 

Much appreciated

 

Cheers

Grandpa

[grandpaj 25]

@@John W

 

Hi

 

Many thanks for your obseravtion, how do I correct

 

"One thing though is look at your login that drops down in Firefox console and you'll see.  "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen."

 

So as it is secure. I haven't a clue what I may have done.

 

Many thanks

 

Grandpa

[♥John W 118]

Hi Grandpa,

 

Go back to the stock Responsive navigation.  You modifiied based on a thread here to make that dropdown login.  I was going to post on that thread about this but I forgot.  You can't have a log in on a nonssl page.  At least you're not supposed to and it is a PCI violation.  Use the console on Firefox or other browser web tool and you'll see that warning. 

[Jack_mcs 1,112]

@@grandpa I don't see a security warning. Please explain where you are seeing it?

[grandpaj 25]

@@Jack_mcs

Hi Jack

 

If you click on My Account > log in the URL shows its using SSL, however if you go to say, and click on My Orders this is done on an ordinary non SSL drop down appears (Hope that makes sense)

 

@@John W

 

What I am trying to acheive is the right hand nav bar show as I have, but with the modal drop down working correctly.

 

Look forward to all comments.

 

Cheers

Grandpa

[♥John W 118]

Hi Grandpa,

 

You would have to make the whole site SSL.  Unless the page is SSL, then you don't want a log in modal with sensitve info.  There are people who will dissagree with this, but I think all browsers will warn in the console.  You'll see some sites are all SSL and Google has a movement for this too.  SSL is slower though so why we use the switching between the two.  If you search you can find a problem Facebook ran into with this several years ago.  Now, I believe all Facebook is https. 

[Jack_mcs 1,112]

@@Jack_mcs

If you click on My Account > log in the URL shows its using SSL, however if you go to say, and click on My Orders this is done on an ordinary non SSL drop down appears (Hope that makes sense)

I don't understand what "ho to say" means but I tried all of the links in the dropdown at the top and none are giving an error that I can see. If this is a purchased template, a common problem with those is that the designers don't code links that go to secure pages correctly. If that is the issue, then the code for the link that is causing the problem needs to be changed.

[grandpaj 25]

@@Jack_mcs

 

Hi Jack

 

Thanks for your reply.

What seems to happen with modal log in is that it doesn't use SSL so any info entered allows log in credentials to be a security risk, due to the lack of security of the modal log in

 

"If that is the issue, then the code for the link that is causing the problem needs to be changed,".. I wouldn't have a clue how or what code might need to be changed. I guess Im not the only one using this modal log in so I am wondering why this potential problem hasn't arisen before now.

 

Hope that makes some sense

 

Grandpa

BS234

[auzStar 148]

@grandpaj

 

Hi John,

 

If you installed the latest version of "Faster login with bootstrap modal" from here: http://forums.oscommerce.com/topic/399771-faster-login-with-bootstrap-modal/page-4#entry1729059 then you should be able to disable the "login modal" content module, and your normal login will still function as normal.

 

Until this is resolved it's probably safer to disable the login modal if your shop is live.

 

Although SSL testing was done, if you refer back to the "Faster login with bootstrap modal" thread link above, it was probably an oversight that the actual modal itself doesn't load with SSL but all other SSL functions work as per the normal login. Even the login form inside the modal is POST'ed with SSL when the form is submitted. The contents of the login modal consists of the standard login form via this code "echo $oscTemplate->getContent('login');".

 

There may be a few other people using it if they were following the original thread, but it hasn't been uploaded as add-on yet, probably just as well.

 

I've read mixed thoughts in other forums about whether the credentials are still secure even though the login form inside the modal is being POST'ed with SSL enabled. The concern is whether or not the credentials are secure since the modal itself is not in SSL mode when loading from a non-secured page.

 

Stay tuned.

 

cheers

 

[♥John W 118]

The web tools will warn as a security error if there are password fields on a http url even if it's being submitted ssl.  With that said there are some big company sites that do this.  Fedex even had log in on nonssl pages within the last 2-3 years.  I think PCI states that log in must be https on the page that it launches, but it's been several years since I've read all their rules.  For me, I err on the side of security.