osCommerce

The e-commerce.

Suspected configure.php incorrectly set up


Guest

Hi

 

I have recently transferred my site (grandpas.co.nz), which was in a sub directory and everything was working perfectly, to public_html where everything does not work perfectly. There is probably somewhere in the forum a thread for this problem, however I'm unable to find it.

ie;

When I try to add products to the Featured products module, I continually get asked to log in.

Same with Database Check... and others.

 

I am thinking it must be something to do with the way the configure.php file is set up. Here's my catalog config

  define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/~grandp/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

And here's my admin (name has been changed)

  define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'http://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/~grandp');
  define('HTTP_CATALOG_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_CATALOG_SERVER', 'http://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL_CATALOG', 'false');
  define('DIR_FS_DOCUMENT_ROOT', '/home/grandp/public_html/');
  define('DIR_WS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_WS_HTTPS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_FS_ADMIN', '/home/grandp/public_html/ADMIN/');
  define('DIR_WS_CATALOG', '/~grandp/');
  define('DIR_WS_HTTPS_CATALOG', '/~grandp/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

I have been trying for some time to get this to work.

 

Cache is   /home/grandp/public_html/includes/work/

 

Not sure what else I can do. But I guess there must be a simple explanation. You will also see we (at the moment) are on a shared SSL.

 

Any help to sort this frustrating problem would be much appreciated.

 

Cheers

Grandpa


@@grandpaj

 

You're saying that with the exact same config settings, besides removing the sub-folder name, it worked?

Did you try to change things a bit? This is gonna be some sort of trial and error thing especially since you have a shared SSL.

Let's try these once. Just backup your original files just in case.

  define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz/~grandp');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

and this

  define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'grandpas.co.nz');
  define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz/~grandp');
  define('HTTP_COOKIE_PATH', '/ADMIN');
  define('HTTPS_COOKIE_PATH', '/ADMIN');
  define('HTTP_CATALOG_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_CATALOG_SERVER', 'https://skyhawk.mysecure.co.nz/~grandp');
  define('ENABLE_SSL_CATALOG', 'true');
  define('DIR_FS_DOCUMENT_ROOT', '/home/grandp/public_html/');
  define('DIR_WS_ADMIN', '/ADMIN/');
  define('DIR_WS_HTTPS_ADMIN', '/ADMIN/');
  define('DIR_FS_ADMIN', '/home/grandp/public_html/ADMIN/');
  define('DIR_WS_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

@@Tsimi

 

Hi Lambros

 

Many thanks for taking the time to help with this most frustrating problem. I think it may have been around for a little while, but only come to the fore with the addition of addons.

 

Tried your solution, maybe close, however I get this when using Firefox

 

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

Tried many variations on your suggested code for the last few hours. Any further thoughts.

 

Cheers

 

Grandpa


@@Tsimi

 

Hi Lambros

 

Just a little addition to the above

 

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete.".....

 

What I have found is that if I change the 3rd line in admin>config to false all's good, just that the admin area isn't protected by secure server. Don't know but  I wonder if it would make any difference if we had our own SSL cert.......

 

Tried many variations on your suggested code for the last few hours. Any further thoughts.

 

Cheers

 

Grandpa

Cheers


 

I have recently transferred my site (grandpas.co.nz), which was in a sub directory and everything was working perfectly, to public_html where everything does not work perfectly.

 

Hold on there. Why did you move your site from a subdirectory to the root? If it was to get rid of having to type in the subdirectory name, that's a mistake. You're far better off instead adding a URL rewrite to your .htaccess, to send visitors to your root down to the subdirectory. 1) You leave your root uncluttered, 2) You can add additional applications (blog, forum, gallery, etc.) without their stepping on each other, 3) You don't lose customers who've bookmarked your subdirectory address, and 4) You don't lose search rankings by restructuring your site.

RewriteEngine On
RewriteCond  %{REQUEST_URI}  !^/storesubdir
RewriteRule  ^(.*)$  /storesubdir/$1  [L]

If and when you add other applications, you can remove that rewrite and create a landing page with links to your applications.


@@Tsimi

 

What I have found is that if I change the 3rd line in admin>config to false all's good, just that the admin area isn't protected by secure server. Don't know but  I wonder if it would make any difference if we had our own SSL cert.......

 

You are using the shared ssl in admin but also telling the code to use the regular url so when the ssl option is true, it fails. Change the url to use the shared ssl and admin should work. Of course, you will have to get into your admin using the shared ssl url. If you install your own cert, that would not be necessary.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


You should rename your admin directory to something else. It's also a good habit to use lowercase.

 

A fact that many people don't think of is that the biggest losses in business are lost sales. My strong suggestion is get a dedicated IP at least and get your own cert as Jack suggested. Think about how much something costs and then how much sales do you have to do to pay for that. And if you're doing good sales think about a dedicated server.

I'm not really a dog.


@@Jack_mcs

@@John W

 

Hi guys, many thanks for your reply. (The admin has been renamed, I just used ADMIN to show where the admin dir was.)

 

I am extremely thick when it comes to changing this sort of code. I had a go by changing, as I really wasn't sure which code to change

define('HTTP_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_SERVER', 'http://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL', true);

As follows

 

define('HTTP_SERVER', 'http://skyhawk.mysecure.co.nz'); No good

then Line 2 to

define('HTTP_SERVER', 'http://skyhawk.mysecure.co.nz/~grandp'); No good

I'm not sure whether I'm even in the right area of code to change.

 

@@John W

 

I guess from your comments that we should at the very least get our own dedicated IP address then secondly our own SSL.

 

Any constructive comments greatly appreciated.

 

Kind regards

 

Grandpa


Hi Grandpa,

 

Just now, when I went to your site and clicked create account, it did go to

https://skyhawk.mysecure.co.nz/~grandp/create_account.php?osCsid=8af1cfefba1b3131c29f593d32564612

 

I believe it's best not to have the session id in the url.

 

If this is a new site you're doing yourself a favor getting a dedicated ip and your own cert IMHO.

 

cPanel security highly recommends disabling the ability to see a site using "~grandp" with the tilde.

I'm not really a dog.


@@MrPhil

 

Hi

 

Many thanks for your reply.

 

The reason I "transferred" from the subdirectory to html_public was that was what I thought had to be done. As you can probably guess I am totally ignorant about all these things.

Just to show my complete lack of knowledge, does the code as you have above go into the "site" in the sub directory and then there are no files in the public_html?

 

Again many thanks

 

Grandpa,


@@John W

 

Thanks for your comments,

I really do appreciate all the help.

What's the best and safest way to get rid of the session id in the url, and the /~grandp?

 

Many thanks

 

Grandpa


does the code as you have above go into the "site" in the sub directory and then there are no files in the public_html?

 

It would go in the root .htaccess file (/.htaccess). I haven't tried it with https, but I think it should work (I know it works with http). Your site would first be restored to the original subdirectory. The idea is that any link coming in without the subdirectory at the beginning of the path (URI) would get the store's subdirectory prepended to it. Thus, you could give the store either at / or at /storesubdir and it should get there.

 

You can even add the "permanent redirect" flag ([L] becomes [L,R=301]) to show the proper address to visitors and search engines. They can bookmark either form and it will work. However, with R=301, if in the future you remove this .htaccess code and create a landing page in the root (for multiple applications), bookmarked and indexed addresses to the store will still be good.

 

As you've already gone through all the effort of moving your store to the root, you might want to try to get it working there. If you can't easily do that, move it back to its original place (you do have a backup, right?) and add the code I gave to /.htaccess. Try it with both http and https links to make sure it's working. Note that this assumes you're on an Apache server!


@@grandpa The following should work for the admin's configure file, though it may need a few tweaks:

  define('HTTP_SERVER', 'https://skyhawk.mysecure.co.nz');
  define('HTTPS_SERVER', 'https://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', '.skyhawk.mysecure.co.nz');
  define('HTTPS_COOKIE_DOMAIN', '.skyhawk.mysecure.co.nz');
  define('HTTP_COOKIE_PATH', '/~grandp/');
  define('HTTPS_COOKIE_PATH', '/~grandp/');
  define('HTTP_CATALOG_SERVER', 'http://www.grandpas.co.nz');
  define('HTTPS_CATALOG_SERVER', 'https://skyhawk.mysecure.co.nz');
  define('ENABLE_SSL_CATALOG', 'true');
  define('DIR_FS_DOCUMENT_ROOT', '/home/grandp/public_html/');
  define('DIR_WS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_WS_HTTPS_ADMIN', '/~grandp/ADMIN/');
  define('DIR_FS_ADMIN', '/home/grandp/public_html/ADMIN/');
  define('DIR_WS_CATALOG', '/~grandp/');
  define('DIR_WS_HTTPS_CATALOG', '/~grandp/');
  define('DIR_FS_CATALOG', '/home/grandp/public_html/');

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons
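
A sanity check for the admin settings argued over in this thread, as an added example that is not part of the original posts or of osCommerce: it parses literal define() lines and applies the browser's cookie domain-match and path-match rules (RFC 6265) to them. The function names, the rule set, and the assumption that the admin URL is the server URL followed by DIR_WS_ADMIN / DIR_WS_HTTPS_ADMIN are mine.

```python
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'string') and define('NAME', true|false); computed
# values such as DIR_WS_IMAGES . 'icons/' are skipped on purpose.
DEFINE_RE = re.compile(
    r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)\s*;", re.I)

# Admin settings as first posted in the thread (ADMIN is the poster's placeholder).
ORIGINAL_ADMIN = """
define('HTTP_SERVER', 'http://www.grandpas.co.nz');
define('HTTPS_SERVER', 'http://skyhawk.mysecure.co.nz');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.grandpas.co.nz');
define('HTTPS_COOKIE_DOMAIN', 'skyhawk.mysecure.co.nz');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/~grandp');
define('DIR_WS_ADMIN', '/~grandp/ADMIN/');
define('DIR_WS_HTTPS_ADMIN', '/~grandp/ADMIN/');
"""


def parse_defines(text):
    """Return {NAME: value} for every literal define() in the text."""
    cfg = {}
    for name, string, boolean in DEFINE_RE.findall(text):
        cfg[name] = (boolean.lower() == "true") if boolean else string
    return cfg


def domain_covers(cookie_domain, host):
    """Domain-match: host equals the cookie domain or is a subdomain of it."""
    return ("." + host).endswith("." + cookie_domain.lstrip("."))


def path_covers(cookie_path, request_path):
    """Path-match: cookie path is a prefix of the request path on a '/' boundary."""
    if not request_path.startswith(cookie_path):
        return False
    return (cookie_path.endswith("/") or len(request_path) == len(cookie_path)
            or request_path[len(cookie_path)] == "/")


def check_admin_config(text):
    """List the settings that would stop the admin session cookie or SSL working."""
    cfg, findings = parse_defines(text), []
    if cfg.get("ENABLE_SSL") in (True, "true"):
        if urlsplit(cfg.get("HTTPS_SERVER", "")).scheme != "https":
            findings.append("HTTPS_SERVER is not an https:// URL but ENABLE_SSL is true")
    for kind, admin_key in (("HTTP", "DIR_WS_ADMIN"), ("HTTPS", "DIR_WS_HTTPS_ADMIN")):
        server = urlsplit(cfg.get(kind + "_SERVER", ""))
        domain = cfg.get(kind + "_COOKIE_DOMAIN", "")
        if "/" in domain or ":" in domain:
            findings.append(f"{kind}_COOKIE_DOMAIN must be a bare host name")
        elif domain and not domain_covers(domain, server.hostname or ""):
            findings.append(f"{kind}_COOKIE_DOMAIN does not cover the {kind}_SERVER host")
        # Assumption: admin pages live at <SERVER> + <DIR_WS_*ADMIN>.
        admin_url_path = server.path.rstrip("/") + cfg.get(admin_key, "/")
        if not path_covers(cfg.get(kind + "_COOKIE_PATH", "/"), admin_url_path):
            findings.append(f"{kind}_COOKIE_PATH is not a prefix of {admin_url_path}")
    return findings


if __name__ == "__main__":
    for finding in check_admin_config(ORIGINAL_ADMIN):
        print("WARN:", finding)
```

Run against the settings from the first post it reports only the http:// value in HTTPS_SERVER; the configuration in the reply above passes every check.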


Your site is only showing the session for first click then it goes away so it might not be a problem. Maybe others can give input on that because I've been doing that way for over 10 years.

 

One thing though is look at your login that drops down in Firefox console and you'll see.  "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen." 

 

The stock way of logging in where it goes to a https login doesn't get this. 

I'm not really a dog.


@@Jack_mcs

 

Hi Jack

 

Many thanks worked a treat, I just wish I had some of the knowledge you guys have, then I could help someone.

The code hasn't needed any alteration (yet)

 

Again SOOOOO many thanks

 

Grandpa


@@John W

 

Hi

 

Many thanks for your observation, how do I correct

 

"One thing though is look at your login that drops down in Firefox console and you'll see.  "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen."

 

So as it is secure. I haven't a clue what I may have done.

 

Many thanks

 

Grandpa


Hi Grandpa,

 

Go back to the stock Responsive navigation. You modified based on a thread here to make that dropdown login. I was going to post on that thread about this but I forgot. You can't have a log in on a nonssl page. At least you're not supposed to and it is a PCI violation. Use the console on Firefox or other browser web tool and you'll see that warning.

I'm not really a dog.


@@Jack_mcs

Hi Jack

 

If you click on My Account > log in the URL shows it's using SSL, however if you go to say, and click on My Orders this is done on an ordinary non SSL drop down appears (Hope that makes sense)

 

@@John W

 

What I am trying to achieve is the right hand nav bar show as I have, but with the modal drop down working correctly.

 

Look forward to all comments.

 

Cheers

Grandpa


Hi Grandpa,

 

You would have to make the whole site SSL. Unless the page is SSL, then you don't want a log in modal with sensitive info. There are people who will disagree with this, but I think all browsers will warn in the console. You'll see some sites are all SSL and Google has a movement for this too. SSL is slower though so why we use the switching between the two. If you search you can find a problem Facebook ran into with this several years ago. Now, I believe all Facebook is https.

I'm not really a dog.


@@Jack_mcs

If you click on My Account > log in the URL shows it's using SSL, however if you go to say, and click on My Orders this is done on an ordinary non SSL drop down appears (Hope that makes sense)

I don't understand what "go to say" means but I tried all of the links in the dropdown at the top and none are giving an error that I can see. If this is a purchased template, a common problem with those is that the designers don't code links that go to secure pages correctly. If that is the issue, then the code for the link that is causing the problem needs to be changed.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


@@Jack_mcs

 

Hi Jack

 

Thanks for your reply.

What seems to happen with modal log in is that it doesn't use SSL so any info entered allows log in credentials to be a security risk, due to the lack of security of the modal log in.

 

"If that is the issue, then the code for the link that is causing the problem needs to be changed,".. I wouldn't have a clue how or what code might need to be changed. I guess I'm not the only one using this modal log in so I am wondering why this potential problem hasn't arisen before now.

 

Hope that makes some sense

 

Grandpa

BS234


@grandpaj

 

Hi John,

 

If you installed the latest version of "Faster login with bootstrap modal" from here: http://www.oscommerce.com/forums/topic/399771-faster-login-with-bootstrap-modal/page-4#entry1729059 then you should be able to disable the "login modal" content module, and your normal login will still function as normal.

 

Until this is resolved it's probably safer to disable the login modal if your shop is live.

 

Although SSL testing was done, if you refer back to the "Faster login with bootstrap modal" thread link above, it was probably an oversight that the actual modal itself doesn't load with SSL but all other SSL functions work as per the normal login. Even the login form inside the modal is POST'ed with SSL when the form is submitted. The contents of the login modal consist of the standard login form via this code "echo $oscTemplate->getContent('login');".

 

There may be a few other people using it if they were following the original thread, but it hasn't been uploaded as an add-on yet, probably just as well.

 

I've read mixed thoughts in other forums about whether the credentials are still secure even though the login form inside the modal is being POST'ed with SSL enabled. The concern is whether or not the credentials are secure since the modal itself is not in SSL mode when loading from a non-secured page.

 

Stay tuned.

 

cheers

 


The web tools will warn as a security error if there are password fields on a http url even if it's being submitted ssl.  With that said there are some big company sites that do this.  Fedex even had log in on nonssl pages within the last 2-3 years.  I think PCI states that log in must be https on the page that it launches, but it's been several years since I've read all their rules.  For me, I err on the side of security. 

I'm not really a dog.
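
The browser warning discussed in the last few posts can be reproduced offline; this is an added example, not code from the thread or from osCommerce. It flags a password field on a page that was not itself loaded over https even when the form posts to https, because the markup that carries the form's action arrived over an unauthenticated connection. The host names and the sample HTML are constructed placeholders, and the function name is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login modal whose form posts to an https:// address.
MODAL_HTML = """
<div class="modal" id="loginModal">
  <form name="login" method="post"
        action="https://secure.example/~shop/login.php?action=process">
    <input type="email" name="email_address">
    <input type="password" name="password">
  </form>
</div>
<form name="quick_find" action="advanced_search_result.php" method="get">
  <input type="search" name="keywords">
</form>
"""


class _FormScanner(HTMLParser):
    """Collects every <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._open is None:  # password field outside any <form>
                self._open = {"action": "", "has_password": False}
                self.forms.append(self._open)
            self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_forms(page_url, html):
    """Return (finding, submit_url) pairs for password forms on the given page."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action posts to the page
        if not page_is_https:
            findings.append(("password-field-on-insecure-page", target))
        if urlsplit(target).scheme != "https":
            findings.append(("password-submitted-over-http", target))
    return findings


if __name__ == "__main__":
    for finding in audit_login_forms("http://shop.example/index.php", MODAL_HTML):
        print(finding)
```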


Archived

This topic is now archived and is closed to further replies.
