
Archived

This topic is now archived and is closed to further replies.

eeto

Enabling SSL breaks customer login in old installation


16 hours ago, Jack_mcs said:

You need to change this line


define('HTTP_SERVER', 'http://www.mysite.com');

to this


define('HTTP_SERVER', 'https://www.mysite.com');

 

Ok, done and it works! I am secure on my detail (product info) page and have the padlock in Chrome. Now it will not let me log in. Test site was letting me log in, so there is something different going on with that now. Any hints?

17 hours ago, Jack_mcs said:

You need to change this line


define('HTTP_SERVER', 'http://www.mysite.com');

to this


define('HTTP_SERVER', 'https://www.mysite.com');

 

Yes that fixed getting the padlock and the security.  I finally figured out how these files are in the include of the directory and the admin and that is where I was getting myself confused. 

I also have a test site that is a sub directory and I can log into that one as a test but I still can't log into the production site.  It kicks me back to the welcome page.  I guess I will just have to compare the two and see what is different. But do you have any hints on what to look for? This started happening the same time the other security issues popped up. 

As far as the .htaccess file, if I run without one it allows my site to run on hostmonster - otherwise my php is too old for their site and is not supported.

 So I am still dead until I get the login figured out.  I will gladly post comparison files if anyone knows where to start?

define('HTTP_SERVER', 'http://www.mysite.com');

to this

define('HTTP_SERVER', 'https://www.mysite.com');

 

Done. Now the pages do allow the shopping cart to add items, and I did more checking and it seems now that the login is working but is specific only to Explorer and not Firefox or Chrome! Almost there. I can live with that but would like to have the login working with all browsers. Any ideas?


The problem here is your host's attempt to fix something that they knew nothing about. You first need to undo that "fix". Delete or rename that .htaccess file that your host added. That is breaking your osCommerce install.

Next, your eBay problem is caused by code on eBay, not osCommerce. You have added image links in your auctions that start with "http:". eBay has changed their auctions to run strictly SSL, so that won't work. You need to change all of those image links to "https:". That will fix the images without breaking your osC store.

Once you have all of that done, consider updating your osCommerce install. osCommerce 2.2RC2 is hopelessly outdated and insecure. You are running a big risk using ancient software that is vulnerable to hacking.

Regards

Jim


See my profile for a list of my addons and ways to get support.


jimsmega - Login problems like you describe are usually due to problems in the configure file. But since your .htaccess file has been changed, I suppose that could be causing an issue. Paste it here so someone can take a look. As for ebay, if you are using the latest ebay addon, there is a setting for the url and it needs to be changed to https.
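
A quick way to check the configure file for the kind of mismatch this advice points at, as an added example that is not part of the post above or of osCommerce itself: the script parses `define()` lines and flags non-HTTPS server URLs and cookie domains that do not cover the server host. `HTTPS_SERVER`, `ENABLE_SSL` and the `*_COOKIE_DOMAIN` constants are standard osCommerce `configure.php` settings that are not quoted in this thread; the sample file contents and the all-HTTPS assumption are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of includes/configure.php (illustrative values, not from the thread).
SAMPLE = """<?php
  define('HTTP_SERVER', 'http://www.mysite.com');
  // define('HTTP_SERVER', 'https://www.mysite.com');
  define('HTTPS_SERVER', 'https://www.mysite.com');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
  define('HTTPS_COOKIE_DOMAIN', 'shop.mysite.com');
"""

DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(\w+))\s*\)")

def parse_defines(php_text):
    """Collect define('NAME', value) pairs, ignoring commented-out lines."""
    cfg = {}
    for line in php_text.splitlines():
        if line.strip().startswith(("//", "#")):
            continue
        for name, quoted, bare in DEFINE_RE.findall(line):
            cfg[name] = bare or quoted
    return cfg

def check_configure(php_text):
    """Return findings for a shop that should be all-HTTPS (assumption of this example)."""
    cfg = parse_defines(php_text)
    findings, hosts = [], {}
    for key in ("HTTP_SERVER", "HTTPS_SERVER"):
        value = cfg.get(key, "")
        url = urlparse(value)
        hosts[key] = url.hostname or ""
        if url.scheme != "https":
            findings.append(f"{key} is {value!r}: expected an https:// URL")
        cookie_key = key.replace("SERVER", "COOKIE_DOMAIN")
        domain = cfg.get(cookie_key, "").lstrip(".")
        # A cookie domain must equal the host or be a parent domain of it,
        # otherwise the browser rejects the session cookie.
        if domain and hosts[key] != domain and not hosts[key].endswith("." + domain):
            findings.append(f"{cookie_key} {domain!r} does not cover host {hosts[key]!r}")
    if hosts["HTTP_SERVER"] != hosts["HTTPS_SERVER"]:
        findings.append("HTTP_SERVER and HTTPS_SERVER point at different hosts")
    return findings

if __name__ == "__main__":
    for finding in check_configure(SAMPLE):
        print("WARN:", finding)
```

Run it against a copy of both the catalog and admin configure files, and redact passwords before sharing any output.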


CAUTION: don't post your .htaccess file (or config.php files) without first redacting sensitive information, such as account names, server names, and passwords. Just *****-out anything potentially sensitive. If a hacker on your server might use it to get in, take it out.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozen or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release

On 11/20/2017 at 8:11 PM, Jack_mcs said:

You need to change this line


define('HTTP_SERVER', 'http://www.mysite.com');

to this


define('HTTP_SERVER', 'https://www.mysite.com');

 

Oh, my goodness.  This is strange. First of all I am not quite sure even how to work this thread, that is how useless I feel right now. 

I reported yesterday that I made this change and it was working for a while in Explorer and I was happy with that. Not in Chrome or Firefox, and I even had a user get in thru his iPhone on Safari and it worked. Now I am back in the same boat where nothing works except my test site. I can see no changes that have happened overnight and I am completely stumped. Back dead again. Any ideas?

20 hours ago, kymation said:

The problem here is your host's attempt to fix something that they knew nothing about. You first need to undo that "fix". Delete or rename that .htaccess file that your host added. That is breaking your osCommerce install.

Next, your eBay problem is caused by code on eBay, not osCommerce. You have added image links in your auctions that start with "http:". eBay has changed their auctions to run strictly SSL, so that won't work. You need to change all of those image links to "https:". That will fix the images without breaking your osC store.

Once you have all of that done, consider updating your osCommerce install. osCommerce 2.2RC2 is hopelessly outdated and insecure. You are running a big risk using ancient software that is vulnerable to hacking.

Regards

Jim

Thanks Jim. I did change all the links on eBay to say https:, but they still weren't showing the padlock in Chrome. That is why I thought I had to have the host do something too, because they didn't have the padlock. They did something, which I assume was adding the .htaccess lines. Then they said there were conflicts on the page, and I saw an old link that was not https or something and got rid of it. Then it still did not work, so they go "ok, wait a minute" and then they tell me it has to propagate or something. Wait a while. I assume this was when they cleared cache or something. Then eBay was ok, and working in Chrome. Then a week later I notice my osC store is messed up and no sales, and a customer said they could not add to the cart. I could not even log in. So we fix the http: to https on the one line in the define, and he was able to get in on Safari and I could get in on Explorer, and the cart worked. That was yesterday. Now today the cart works but we cannot log in at all on any system.

So I disabled the .htaccess file, eBay works fine and is secure with padlock in Chrome. So that is ok, but I am afraid if the cache gets refreshed it won't work again.

I am on RC V2.2 RC2 version so that is a problem I know. But there is no updated version that I can see that has a new enough php for most hosts to support?

One clue I notice on the login attempt is if I try to use a legit password, I get kicked back to the welcome page. If I type in the password incorrectly, I get kicked back to welcome with a message that the password does not match.


For the url problem, try turning off the cache and gzip settings in admin, as well as the url rewriter if you use one. If things start to work, you can troubleshoot from there.

For the version of php, an RC2 shop should be able to run on 5.4, possibly 5.5 and maybe 5.6, depending upon how old a shop it is. If it doesn't, there are code changes that can be made to allow that. Though the better choice is to switch to the Responsive version.


gzip and cache are set to false. Don't see url rewriter. Not sure what that is.

We have tried all the php sets mentioned above. Our only option was to remove .htaccess and it would default to allow 5.2 to work. But the host did not even have the option in the panel to choose anymore. But defaulting to nothing worked. The problem started when they "removed" support for it. Whatever that means.

I feel that this is the final nail in the coffin for us - is responsive version a working system? I'm thinking of converting to WordPress.

3 hours ago, jimsmega said:

So I disabled the .htaccess file, eBay works fine and is secure with padlock in Chrome. So that is ok, but I am afraid if the cache gets refreshed it won't work again.

I am on RC V2.2 RC2 version so that is a problem I know. But there is no updated version that I can see that has a new enough php for most hosts to support?

Don't leave .htaccess disabled. A lot of things can break or be hacked if you do that. It's possible that some of your problems with it working on some browsers and not on others is that you are looking at old cached pages, of the times it wasn't working. The first thing to do is to clear your browser's cache (or just Ctrl-F5 to force a full page refresh). You also need to understand everything that's in all your .htaccess file(s). Don't let "support" add crap and trust that they know what they're doing.

osC 2.3.4BS Edge is (up to) PHP 7.0 compatible and is responsive and well updated. That is the correct one to use. You have to obtain it from the GitHub distribution, not this site. The official osC 2.3.4.1 is also supposed to install and run on PHP 7.0, but is not responsive.



Update: after getting hostmonster to clear cache on server, things started working again.  I will see if it holds up tomorrow.  Thank you all and don't eat too much. 

 


When hostmonster cleared cache it allowed a login for a few times. After that it stopped allowing a login again. I cleared my cache, it won't let me in. Created a new userid and pwd and it only worked one time. This quit working in Chrome and Explorer. What could be causing that?


It sounds like session issues. First, restore your files to a known good working set. Some of the changes you made trying to fix this could have messed up the session handling.

A different version of PHP could also cause this. Check with your host that you are still running the same version you were before this happened. If my memory is correct, osCommerce 2.2RC2 needs PHP 5.3 or older.

Regards

Jim



I currently took the .htaccess file that they gave me out - the current store works for logins about once per day and then generally is not letting customers back in again until the next day. All pages are showing secure without it, and checkout and shopping cart is working if they are able to log in. Are you saying I should put this line of code back in? Is there anything else that is not allowing more than one login per day, or until cache is cleared?


No, you need to go back to the file configuration that you had before your host put that file in. Remove any changes you have made, and remove that .htaccess file and replace it with the one you had before (if you had one).

The symptoms sound like the problem is caused by your host's cache. osCommerce does not work well with a page cache, as the pages change after you are logged in. Ask your host to disable the cache for your account and see if that helps.

Regards

Jim


On 11/20/2017 at 8:11 PM, Jack_mcs said:

You need to change this line


define('HTTP_SERVER', 'http://www.mysite.com');

to this


define('HTTP_SERVER', 'https://www.mysite.com');

 

This seemed to be the only change that was necessary. I am still trying to find out why my host has to keep clearing the server cache to be able to log in on my site. I tried it about 5 times with no problem this am and now it is not working again. BAH!

On 10/3/2017 at 5:20 PM, Jack_mcs said:

The change you made for the NONSSL is the correct way to do it. In older shops there is generally more than one such form so you may need to change other files.

Having the recreate session is not less secure. Its purpose was to change the session ID for checkout in case the session ID became known, which was common in the early history of osCommerce. That is unlikely to happen now as long as you have prevent spiders set to true and you are not using the server's tmp directory (see the cache and sessions settings). The session ID will always appear when first visiting a site and may stick around in old shops. If you install one of the url rewriters (Ultimate SEO or SEO 5), that won't happen.

Jack, I tried this just now and I think it worked. I changed recreate sessions to false in my production admin and I got in when I had an osCsid in the address bar on Chrome. How can I tell if I have seo or seo 5 installed? Like I said, it was years ago I did my store set up and it has run with no problems until now.


Look for SEO URLs or SEO 5 in the left column of admin->Configuration.


If you have SEO for your osC store, it requires code in the .htaccess file to properly work, so don't simply accept any .htaccess your "support" gives you. They should NOT be making any changes to your files, except as you understand what and why they're changing them, and what the consequences are. Either compare old and new files yourself, or ask for a thorough explanation of what they're doing. They probably know nothing about osCommerce and are just following a script.

Are you sure your PHP version matches your osC version? Current PHP levels (5.6 or higher) require osC 2.3.4.1 or 2.3.4BS Edge, and earlier versions of the store will usually have problems, including session problems (if not outright errors). It's possible to patch them into working order, but it can be a lot of meticulous labor if you've allowed your store to fall far behind. If your host has upgraded PHP to current levels, strongly consider installing 2.3.4BS Edge and migrating your data over -- you'll be all caught up with PHP levels and security features, and have a responsive (mobile-friendly) store to boot. The only downside is that any customizations done to your old store will have to be examined, and considered as to what needs to be done to replicate that functionality.

If all this is unintelligible to you, go to this forum's Commercial Support section, and hire someone to work with you to upgrade in some fashion. It will be cheaper than continuing to lose sales and customers to a malfunctioning store. Keep a written list of all changes and customizations/add-ons made, so in the future any upgrade will be much less painful. And stay up to date with your code base! Don't coast along for years, and then be blindsided by a hosting change.



It is looking like recreate session = false is the fix for my problem right now. If ?osCsid was attached in the address bar it would not let you in. If you deleted it you could get in. With recreate session = false, it does not matter. Getting in every time now.

What is it?
