
This topic is now archived and is closed to further replies.

Branson Bean

Mixed Content Error after installing SSL on site


This is my first time on the forum, and I am a novice for sure. We acquired our business and it was already running osCommerce for the store. Recently we added the SSL certificate through our hosting provider GoDaddy, and the store stopped working altogether. I used www.whynopadlock.com to identify some issues and searched the forums to change the configuration.php files to get whynopadlock to a clean state, but the shopping cart still will not work; it takes you from product info pages to What's in my Cart, and the cart is empty. Using "Inspect" in Chrome provided the following Mixed Content error:

Mixed Content: The page at 'https://bransonbean.com/store/catalog/product_info.php?products_id=2241&osCsid=occv79lapdgbs1r293t35oo4r1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bransonbean.com/store/catalog/advanced_search_result.php'. This endpoint should be made available over a secure connection.

Which clearly seems to mean there are still some http links somewhere in the code. The above info from Inspect shows another spot where it is going to http instead of https...

Any help would be appreciated.


Hello. I am having the exact same problem with Hostmonster!!! Help... I already had an SSL certificate in my store on Hostmonster, and eBay said the images that were hosted on Hostmonster were not secure when called in on Google Chrome. My site images are OK on eBay through Chrome now after Hostmonster supposedly cleared the cache on my site and made them all secure, which is what started all this. That is the best answer I can get from them about what they did. They are at a loss as to why my images have the endpoint error as well and my shopping cart or login will not work. Initially those were the only two pages that the SSL was set up for. Now the cart stays empty and a person cannot log in anymore.


Branson Bean - The problem is that one, or more, of your files is using code that doesn't tell it to switch to SSL. You need to change the code where that is done. I can't be specific about the change since you didn't mention the version of osCommerce you are using. But the problem you mentioned will be in the search infobox or search module. In the file, find the line that has tep_draw_form in it. That line will probably contain

'NONSSL'

Changing that to

'SSL'

will fix the error. But there may well be other files with the same type of error. You just have to work through them to find which file is at fault.


Thank you. I am running OSC 2.3.3 now; I updated that as well, thinking it was an outdated issue. I saw some of that code when looking, but when I changed various things, the store stopped working completely. I got it back to where I left off, and will try the change from NONSSL to SSL.


I find this code in product_info.php:

<?php echo tep_draw_form('cart_quantity', tep_href_link(FILENAME_PRODUCT_INFO, tep_get_all_get_params(array('action')) . 'action=add_product')); ?>
 

I do not see where this code calls out SSL or NONSSL though.


@Jack_mcs  I am not up to speed on this, and probably frustrating you, but I do not know where the search box is?  I am using GoDaddy File Manager to review and edit .php files, and working with Chrome to view the issues like below I am trying to resolve:

Mixed Content: The page at 'https://bransonbean.com/store/catalog/product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bransonbean.com/store/catalog/product_info.php?products_id=2208&action=add_product&osCsid=occv79lapdgbs1r293t35oo4r1'. This endpoint should be made available over a secure connection.
product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1:109 Mixed Content: The page at 'https://bransonbean.com/store/catalog/product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bransonbean.com/store/catalog/index.php'. This endpoint should be made available over a secure connection.
product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1:110 Mixed Content: The page at 'https://bransonbean.com/store/catalog/product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bransonbean.com/store/catalog/advanced_search_result.php'. This endpoint should be made available over a secure connection.

 

I finally got back to the store working except for being able to add items to the cart. The above errors are what I am getting on Chrome.

Sadly, I don't know what I don't know, and that is sending me in an endless loop of learning, crashing my store and getting back to where I am still stuck with "Not being able to add to cart".

Thank you again for helping.

 


The SSL warning is due to the code in the search box of your site. But there are many search boxes spread over the various versions so I can't tell you what file to look at. If it is not being added by a template, then it is probably in the includes/boxes/, includes/modules/boxes/ or includes/modules/content/header/ directories. Which one depends on your version. Look for a file with the word search in the name.

But that won't fix the problem with not being able to add to cart. That is most likely an incorrectly set up configure file. This thread may help with that. If you can't figure it out, post the contents of that file here, except for the database credentials, and I will take a look at it.

On 11/19/2017 at 2:17 PM, Branson Bean said:

@Jack_mcs  I am not up to speed on this, and probably frustrating you, but I do not know where the search box is?  I am using GoDaddy File Manager to review and edit .php files, and working with Chrome to view the issues like below I am trying to resolve:

Mixed Content: The page at 'https://bransonbean.com/store/catalog/product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bransonbean.com/store/catalog/product_info.php?products_id=2208&action=add_product&osCsid=occv79lapdgbs1r293t35oo4r1'. This endpoint should be made available over a secure connection.
product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1:109 Mixed Content: The page at 'https://bransonbean.com/store/catalog/product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bransonbean.com/store/catalog/index.php'. This endpoint should be made available over a secure connection.
product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1:110 Mixed Content: The page at 'https://bransonbean.com/store/catalog/product_info.php?products_id=2208&osCsid=occv79lapdgbs1r293t35oo4r1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://bransonbean.com/store/catalog/advanced_search_result.php'. This endpoint should be made available over a secure connection.

 

I finally got back to the store working except for being able to add items to the cart. The above errors are what I am getting on Chrome.

On 11/19/2017 at 11:49 AM, Jack_mcs said:

Branson Bean - The problem isn't in the product page. Look in the search box.

Sadly, I don't know what I don't know, and that is sending me in an endless loop of learning, crashing my store and getting back to where I am still stuck with "Not being able to add to cart".

Thank you again for helping.

 

The latest thing I have is I can only get into the store now to log in if I have the host clear or purge the cache on the server at their end.  Also an annoyance is that when I go to type the password in I would like it to be blank, not prefilled with other attempted passwords that have nothing to do with my login. Any way to clear that? Any idea why the server has to be cleared and log in only works a couple of times and then quits working?   So close to fixing this.... 


By default, the path to store things in the shop is set to the server's tmp directory. That can cause problems like this. But you said, I think, that the options that use that setting are not enabled. Still, you may want to check the paths in the cache and session sections of admin->Configuration. The path is probably something like tmp/ while it should be something like /home/user name/public_html/tmp/. The tmp directory needs to exist though you can use a different one if you prefer.

If the cache problem still occurs then it would have to be a server issue and you need to have your host look at it.

The filling of the password box is a browser setting. Look up disabling autofill for whatever browser you are using.


The temp directory is set to use cache false and temp directory is :  /tmp/

Sessions:/tmp

force cookie use false

check ssl session id true

check user agent true

check ip address true

prevent spider sessions true

recreate session true

 

 


This may not be the cause of your problem but it is wrong and should be corrected to avoid possible future problems. When the setting is /tmp, it tells the code to use the tmp directory on the server and that is a shared directory with all accounts on the server. If you are on a dedicated server it won't matter. But, if not, it can be a security hole and cause problems like you are having.

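The shared-directory concern described in the post above can be checked on the server itself. The following is an added example, not code from the thread or from osCommerce; the function name, its two parameters and the finding codes are assumptions chosen for illustration.

```python
import os
import stat

def audit_store_dir(path, account_home):
    """Return finding codes for a directory configured for session or cache files.

    path         -- the value entered under admin -> Configuration (assumed input)
    account_home -- the hosting account's own home directory (assumed input)
    """
    if not os.path.isabs(path):
        # e.g. "tmp/": resolved against whatever directory the script runs in
        return ["relative-path"]
    real = os.path.realpath(path)
    if not os.path.isdir(real):
        return ["missing"]

    findings = []
    st = os.stat(real)
    mode = stat.S_IMODE(st.st_mode)
    home = os.path.realpath(account_home)

    # A directory outside the account's home is not under the shop owner's control.
    if os.path.commonpath([real, home]) != home:
        findings.append("outside-home")
    # World-writable (typical for the system /tmp): every account can create files.
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    # Other accounts can list the directory or open entries inside it.
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("other-accessible")
    # Files land in a directory owned by someone else (root, another customer).
    if st.st_uid != os.geteuid():
        findings.append("foreign-owner")
    return findings

if __name__ == "__main__":
    # The home directory below is a placeholder for the account's real one.
    for candidate in ("/tmp", "tmp/"):
        print(candidate, audit_store_dir(candidate, os.path.expanduser("~")))
```

An empty list means the directory exists, belongs to the account and is closed to other users.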
9 hours ago, Jack_mcs said:

This may not be the cause of your problem but it is wrong and should be corrected to avoid possible future problems. When the setting is /tmp, it tells the code to use the tmp directory on the server and that is a shared directory with all accounts on the server. If you are on a dedicated server it won't matter. But, if not, it can be a security hole and cause problems like you are having.

use cache = false

directory /tmp/

is how my settings are.

On 11/19/2017 at 10:38 AM, Branson Bean said:

I find this code in product_info.php:

<?php echo tep_draw_form('cart_quantity', tep_href_link(FILENAME_PRODUCT_INFO, tep_get_all_get_params(array('action')) . 'action=add_product')); ?>
 

I do not see where this code calls out SSL or NONSSL though.

If you look at the code for tep_href_link() (in includes/functions/html_output.php), you will see that there are two mandatory arguments to this function, and the rest are optional. The third argument (first optional one) defaults to 'NONSSL', and that's what's causing your problem. You can add a third parameter, 'SSL', or you could consider changing the default from 'NONSSL' to 'SSL'. I haven't tried the latter, and can't guarantee that it will work, but it might be OK. Of course, any call with an explicit 'NONSSL' will override that. You might even consider in that function simply adding a line $connection = 'SSL'; before it's used, but if you have your configuration set up correctly, it should be using https for both the HTTP and HTTPS anyway, regardless of whether the code specifies 'SSL', 'NONSSL', or simply defaults to 'NONSSL'. My understanding is that you want to run the whole site under SSL.

If you do have everything configured as https, it's possible you have an add-on or other code that is hard coded to http.

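The two hints given so far (look for 'NONSSL' on the tep_draw_form line, and remember that an omitted third argument of tep_href_link() defaults to 'NONSSL') can be applied to a whole file at once. The scanner below is an added example, not code from the thread or from osCommerce; its function names are assumptions, and only the first sample line is taken from the thread.

```python
import re
from collections import namedtuple

CALL = re.compile(r"\btep_href_link\s*\(")
# line: 1-based line of the call; kind: 'SSL', 'explicit-NONSSL',
# 'default-NONSSL' or 'dynamic'; form_action: call follows tep_draw_form on its line
Finding = namedtuple("Finding", "line kind form_action")

def split_args(src, open_paren):
    """Split the call opening at src[open_paren] into top-level arguments."""
    args, cur, depth, quote = [], [], 0, None
    i = open_paren
    while i < len(src):
        ch = src[i]
        if quote:                              # inside a PHP string literal
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):
                i += 1
                cur.append(src[i])             # keep the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch in "([":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch in ")]":
            depth -= 1
            if depth == 0:                     # closing paren of the call
                last = "".join(cur).strip()
                return args + [last] if (last or args) else args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None                                # call is cut off in this text

def classify(args):
    if len(args) < 3:
        return "default-NONSSL"                # third parameter omitted
    if args[2] in ("'SSL'", '"SSL"'):
        return "SSL"
    if args[2] in ("'NONSSL'", '"NONSSL"'):
        return "explicit-NONSSL"
    return "dynamic"                           # a variable; needs a manual look

def scan(source):
    findings = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end() - 1)
        if args is None:
            continue
        line_start = source.rfind("\n", 0, m.start()) + 1
        findings.append(Finding(
            line=source.count("\n", 0, m.start()) + 1,
            kind=classify(args),
            form_action="tep_draw_form" in source[line_start:m.start()],
        ))
    return findings

def plain_http_candidates(findings):
    # These calls build on HTTP_SERVER, so they matter while that is http://
    return [f for f in findings if f.kind.endswith("NONSSL")]

# Line 1 is the call quoted in the thread; lines 2-4 are constructed samples.
SAMPLE = r"""
<?php echo tep_draw_form('cart_quantity', tep_href_link(FILENAME_PRODUCT_INFO, tep_get_all_get_params(array('action')) . 'action=add_product')); ?>
<?php echo tep_draw_form('quick_find', tep_href_link(FILENAME_ADVANCED_SEARCH_RESULT, '', 'NONSSL', false), 'get'); ?>
<a href="<?php echo tep_href_link(FILENAME_LOGIN, '', 'SSL'); ?>">Log in</a>
<?php echo tep_href_link(FILENAME_DEFAULT, '', $request_type); ?>
""".strip()
```

Running `plain_http_candidates(scan(text))` over each catalog file lists the calls to review; findings with `form_action` set are the ones that produce the "form that targets an insecure endpoint" message.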
On 11/25/2017 at 5:09 PM, jimsmega said:

The temp directory is set to use cache false and temp directory is :  /tmp/

Sessions:/tmp

force cookie use false

check ssl session id true

check user agent true

check ip address true

prevent spider sessions true

recreate session true

 

 

The above settings are my production admin session settings, which are different from my test shop admin session settings below:

BTW My test site works, Production has the glitch of not being able to get in:  

Sessions /tmp

force cookie use false

check ssl session id false

check user agent false

check ip address false

recreate session true

I thought there was something that the host was doing to reset cache every now and then because sometimes I could get in and sometimes not. The other night while I had them on the phone again, it started working before they touched anything. Probably a combination of closing my browser or trying another one, or using a different login id or whatever.  So I was stumped again as to the cause.  Them or me....

Now what I am noticing is I have the same exact problem as Branson Bean.... When I reread what he said I think we had the same issue to a T. At first I did not understand he talked about the osCsid. Now I see.

When the osCsid is present in the address bar (I finally saw what he was talking about) Production side will not let me log in. If it is NOT there I can get in.  If I remove it I CAN log in.

So I am not sure what causes osCsid to pop up occasionally but if it happens on the test side it still lets me log in.  I am still testing and trying to see what makes it show up, using chrome, explorer, etc. to see if this holds true each time.

So there are 3 statements set to false on test which works vs production which occasionally fails....it has been virtually years since I worked with my files and I have no clue what these settings mean or how they changed.  Should I make the change to have the production side match the test side and just keep testing?  If this works my site may be completely fixed without any other changes.

Basically the only thing I changed was changing the first line in config for http_server from HTTP://www.... to HTTPS://www.... and removing the .htaccess that my host added to my main directory.

Also many thanks to you all for your patience I hope this takes care of it...

 


RATS!!! I went ahead and made the change to the 3 lines to false to try it out and it did not work!!! I got an osCsid on the third or fourth try and it still kicked back; log in does not work. Deleted ?osCsid=fm91ttmh8git8453e2kb3c0rl5 from after the index.php in the title bar and it will let me in. Why is this happening? How can I stop that id from coming in at the top?

On 27/11/2017 at 2:31 AM, MrPhil said:

If you look at the code for tep_href_link() (in includes/functions/html_output.php), you will see that there are two mandatory arguments to this function, and the rest are optional. The third argument (first optional one) defaults to 'NONSSL', and that's what's causing your problem. You can add a third parameter, 'SSL', or you could consider changing the default from 'NONSSL' to 'SSL'. I haven't tried the latter, and can't guarantee that it will work, but it might be OK. Of course, any call with an explicit 'NONSSL' will override that. You might even consider in that function simply adding a line $connection = 'SSL'; before it's used, but if you have your configuration set up correctly, it should be using https for both the HTTP and HTTPS anyway, regardless of whether the code specifies 'SSL', 'NONSSL', or simply defaults to 'NONSSL'. My understanding is that you want to run the whole site under SSL.

If you do have everything configured as https, it's possible you have an add-on or other code that is hard coded to http.

OsCommerce 2.3.4

Plesk Onyx Version 17.5.3 Update #37, 

Centos 6.9 final

Hi to everyone,

One of my problems after having added the SSL certificate and converted to https (keep in mind that I did the necessary changes in the config files, /admin and include) was that the Chrome browser didn't add any item to my cart when clicking the "add to cart" button, just leaving an empty cart, but if clicking "buy now" it would add it. In Firefox it was nearly the same, just with a pop-up security message warning that it isn't secure, but then an empty cart anyway. That said, I followed MrPhil's suggestion and changed the code in tep_href_link() (in includes/functions/html_output.php) from 'NONSSL' to 'SSL'. And that fixed my problem straight away.

So THANK YOU Phil..!!!

 

Something that I can't get my head around after nearly a week of patient research and testing is the following:

A form with the action of "http://www.erboristeria-benessere.it/index.php" exists in the source code of the tested page.This form needs to be updated to use "https://www.erboristeria-benessere.it/index.php" or another secure URL for your padlock to return.

AND

A form with the action of "http://www.erboristeria-benessere.it/advanced_search_result.php" exists in the source code of the tested page.This form needs to be updated to use "https://www.erboristeria-benessere.it/advanced_search_result.php" or another secure URL for your padlock to return

Here are my config files, first the include one:

define('HTTP_SERVER', 'http://www.erboristeria-benessere.it');
  define('HTTPS_SERVER', 'https://www.erboristeria-benessere.it');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', '');
  define('HTTPS_COOKIE_DOMAIN', '');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/var/www/vhosts/erboristeria-benessere.it/httpdocs/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

  define('DB_SERVER', 'localhost');
  define('DB_SERVER_USERNAME', 'xxxxxx');
  define('DB_SERVER_PASSWORD', 'xxxxxx');
  define('DB_DATABASE', 'xxxx');
  define('USE_PCONNECT', 'false');
  define('STORE_SESSIONS', 'mysql');
  define('CFG_TIME_ZONE', 'Europe/Berlin');

 

And here the admin config:

define('HTTP_SERVER', 'http://www.erboristeria-benessere.it');
  define('HTTPS_SERVER', 'https://www.erboristeria-benessere.it');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', '');
  define('HTTPS_COOKIE_DOMAIN', '');
  define('HTTP_COOKIE_PATH', '/admin');
  define('HTTPS_COOKIE_PATH', '/admin');
  define('HTTP_CATALOG_SERVER', 'http://www.erboristeria-benessere.it');
  define('HTTPS_CATALOG_SERVER', 'https://www.erboristeria-benessere.it');
  define('ENABLE_SSL_CATALOG', 'true');
  define('DIR_FS_DOCUMENT_ROOT', '/var/www/vhosts/erboristeria-benessere.it/httpdocs/');
  define('DIR_WS_ADMIN', '/admin/');
  define('DIR_WS_HTTPS_ADMIN', '/admin/');
  define('DIR_FS_ADMIN', '/var/www/vhosts/erboristeria-benessere.it/httpdocs/admin/');
  define('DIR_WS_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_FS_CATALOG', '/var/www/vhosts/erboristeria-benessere.it/httpdocs/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

  define('DB_SERVER', 'localhost');
  define('DB_SERVER_USERNAME', 'xxxxxxx');
  define('DB_SERVER_PASSWORD', 'xxxxxx');
  define('DB_DATABASE', 'xxxxxx');
  define('USE_PCONNECT', 'false');
  define('STORE_SESSIONS', 'mysql');
  define('CFG_TIME_ZONE', 'Europe/Berlin');

To give more info, I checked my htaccess file and everything there is commented out (basic stuff, nothing written by me), meaning nothing can happen from there, as if it were empty (is that right? I ask because I have seen so many talks about it).

Any suggestion?

Thank you all and keep it going!!

 


Hi,

you could try to make everything ssl by changing 

define('HTTP_SERVER', 'http://www.erboristeria-benessere.it');

to

define('HTTP_SERVER', 'https://www.erboristeria-benessere.it');

in both configs. And there are several methods to force SSL via htaccess depending on your server configuration; this thread is about that:

Best regards

Christoph


@beerbee

Thanks a lot for your response. Actually, I did it last night at a certain point as a last resort and it worked partially; to be precise, I did get rid of one, the:

A form with the action of "http://www.erboristeria-benessere.it/advanced_search_result.php" exists in the source code of the tested page.This form needs to be updated to use "https://www.erboristeria-benessere.it/advanced_search_result.php" or another secure URL for your padlock to return

 

Now I'm stuck with the last one, the:

A form with the action of "http://www.erboristeria-benessere.it/advanced_search_result.php" exists in the source code of the tested page.This form needs to be updated to use "https://www.erboristeria-benessere.it/advanced_search_result.php" or another secure URL for your padlock to return

And guess what, on the whynopadlock check site everything is OK now, no more warnings, BUT still not a green padlock unfortunately.

Will have a look at your link to that thread now.

Thanks a lot, appreciated. Best regards

Nicolas

 


desmoulins22 - The problem is with the form code in the manufacturers info box. As my post in November stated, you have to change the code to use ssl and you will be all set. To find the problem, view the source of the page and search for "form name". If the link for it is http then that will cause a failure.

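The "view the source and search for form name" step from the post above can be automated over a saved copy of the rendered page. The following is an added example, not code from the thread or from osCommerce; the host shop.example and the sample markup are constructed, and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collects every <form> together with the URL its submission goes to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        a = dict(attrs)
        # A missing or empty action submits to the page's own URL; relative and
        # protocol-relative actions inherit the scheme of the page.
        target = urljoin(self.page_url, a.get("action") or "")
        self.forms.append({
            "name": a.get("name") or "(unnamed)",
            "method": (a.get("method") or "get").lower(),
            "target": target,
            "line": self.getpos()[0],
        })

def insecure_forms(page_url, html):
    """Forms on an https page whose resolved target is plain http."""
    if urlsplit(page_url).scheme != "https":
        return []          # an http page has no mixed-content forms
    parser = FormCollector(page_url)
    parser.feed(html)
    parser.close()
    return [f for f in parser.forms if urlsplit(f["target"]).scheme == "http"]

def source_search_hint(form):
    # The form's name attribute is the first argument of tep_draw_form(), as in
    # the 'cart_quantity' call quoted earlier in the thread, so this string
    # locates the template or box that emitted the form.
    return "tep_draw_form('%s'" % form["name"]

# Constructed sample of a rendered shop page (not taken from a real site).
SAMPLE_HTML = """
<form name="quick_find" action="https://shop.example/advanced_search_result.php" method="get"></form>
<form name="manufacturers" action="http://shop.example/index.php" method="get"></form>
<form name="cart_quantity" action="product_info.php?products_id=1&amp;action=add_product" method="post"></form>
<form name="login" action="//shop.example/login.php" method="post"></form>
<FORM NAME="newsletter" ACTION="HTTP://shop.example/subscribe.php" METHOD="POST"></FORM>
""".strip()

if __name__ == "__main__":
    page = "https://shop.example/product_info.php?products_id=1"
    for form in insecure_forms(page, SAMPLE_HTML):
        print(form["line"], form["name"], form["target"], source_search_hint(form))
```
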

@Jack_mcs didn't you mean search box(es)?

Seems (guessing) to me that the link/form has hardcoded http:// as target. NONSSL or SSL shouldn't be a problem anymore as both are configured to use https://

Best regards

Christoph

1 hour ago, Jack_mcs said:

desmoulins22 - The problem is with the form code in the manufacturers info box. As my post in November stated, you have to change the code to use ssl and you will be all set. To find the problem, view the source of the page and search for "form name". If the link for it is http then that will cause a failure.

Hi Jack,

Thank you for your response... I guess you're right, because this is what I get from the inspector in Chrome:

<div class="ui-widget infoBoxContainer mj-manufacturers"> <div class="ui-widget-header infoBoxHeading">Manufacturers</div> <div class="ui-widget-content infoBoxContents"><form name="manufacturers" action="http://www.erboristeria-benessere.it/index.php" method="get"><select name="manufacturers_id" onchange="this.form.submit();" size="1" style="width: 100%"><option value=""

So I had a look in bm_manufacturer_info.php but found no part with "form name"... I did previously look into this file but couldn't get an answer... You were talking about this file, weren't you?

 

14 minutes ago, beerbee said:

@Jack_mcs didn't you mean search box(es)?

Seems (guessing) to me that the link/form has hardcoded http:// as target. NONSSL or SSL shouldn't be a problem anymore as both are configured to use https://

Best regards

Christoph

Hi Christoph,

Yes, I understood it the same way as you,

"that the link/form has hardcoded http:// as target. NONSSL or SSL shouldn't be a problem anymore as both are configured to use https://"

because it is what I see in the Chrome inspector mentioned before:

<div class="ui-widget infoBoxContainer mj-manufacturers"> <div class="ui-widget-header infoBoxHeading">Manufacturers</div> <div class="ui-widget-content infoBoxContents"><form name="manufacturers" action="http://www.erboristeria-benessere.it/index.php" method="get"><select name="manufacturers_id" onchange="this.form.submit();" size="1" style="width: 100%"><option value=""

So what do I not see here?? It looks so easy because it says where, but doesn't really correspond...

(index):1010 Mixed Content: The page at 'https://www.erboristeria-benessere.it/' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://www.erboristeria-benessere.it/index.php'. This endpoint should be made available over a secure connection.

 

I guess I've been on it too long to think with a clear mind... :):)
