superfrank

Using SSL on legacy 2.2MS2 - osCsid stays in URL and login impossible


Posted (edited)

I have a very heavily modified install of osC 2.2 MS2 - 060817. Recently I changed the entire shop to use HTTPS. To achieve this, I changed the two configure.php files - the one for the shop and the one for the administration section. The relevant part of the shop's configure.php is now:

  define('HTTP_SERVER', 'https://www.my*web*shop.nl'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.my*web*shop.nl'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.my*web*shop.nl');
  define('HTTPS_COOKIE_DOMAIN', 'www.my*web*shop.nl');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
(...)
  define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

Administration > Configure > Sessions is this:

Session Directory         /usr/local/sites/*******/tmp/
Force Cookie Use          False
Check SSL Session ID      False
Check User Agent          False
Check IP Address          False
Prevent Spider Sessions   True
Recreate Session          True

Now a problem occurs. The osCsid stays in the URL all the time (not really recommended) and logging in is not possible.
If I manually remove the osCsid variable from the URL I can login, but obviously this is not something I can expect my customers to do.

I found two possible solutions, by changing the settings in Configure > Sessions:
1. Set the value for "Force Cookie Use" to TRUE.
Now the osCsid simply never appears in the URL (is that good or bad?) and visitors must have cookies enabled (workable, but not perfect).
or
2. Set the value for "Recreate Session" to FALSE.
The osCsid variable keeps on appearing in the URL every click (not really good), but at least the visitor can log in.

But these are not really the solutions I want. While the site was completely NON-SSL, the osCsid variable showed up only once in the URL, and disappeared the next click. I do not force visitors to use cookies. And I recreate the session. That's how I like it to be.

My question:
Why is the behavior different when using SSL? Or rather: what should I do/change so that
- visitors can log in
- the osCsid variable appears only once in the URL
- Force cookie use can be FALSE
- Recreate Session can be TRUE
just like it used to be when the shop was NONSSL.

Or if I am asking something impossible, what are the (serious) down sides to Force Cookie Use : True and Recreate Session : False?
For example, I read elsewhere on the forum some vague rumors that some payment processors need an osCsid or that not recreating the session could be a security issue.

Btw, the shop is so heavily modified that a complete upgrade to osC 2.3.4 BS Edge or so is not an option.

 

 

Edited by superfrank
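
Added example (not part of the thread and not osCommerce code): while the osCsid travels in the URL it is recorded in the web server access log, so the log can be audited for the two risks the question touches on, a session ID presented by more than one client and a session ID that is still in use after login because it was not recreated. The log lines are constructed, and the login path and form action (`/login.php`, `action=process`) are assumptions about a stock install.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "METHOD url PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

SID_PARAM = "osCsid"        # session parameter name used in the thread
LOGIN_PATH = "/login.php"   # assumption: login script path of a stock install
LOGIN_ACTION = "process"    # assumption: action value posted by the login form

# Constructed sample lines (documentation IP ranges, made-up session IDs).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2018:10:00:01 +0200] "GET /index.php?osCsid=aaa111 HTTP/1.1" 200 5120 "-" "Firefox/60.0"',
    '198.51.100.7 - - [01/Jun/2018:10:00:09 +0200] "POST /login.php?action=process&osCsid=aaa111 HTTP/1.1" 302 0 "https://shop.example/login.php?osCsid=aaa111" "Firefox/60.0"',
    '198.51.100.7 - - [01/Jun/2018:10:00:10 +0200] "GET /account.php?osCsid=aaa111 HTTP/1.1" 200 4096 "-" "Firefox/60.0"',
    '203.0.113.9 - - [01/Jun/2018:10:05:30 +0200] "GET /account.php?osCsid=aaa111 HTTP/1.1" 200 4096 "-" "Chrome/66.0"',
    '192.0.2.44 - - [01/Jun/2018:11:00:00 +0200] "POST /login.php?action=process&osCsid=bbb222 HTTP/1.1" 302 0 "-" "Safari/11.1"',
    '192.0.2.44 - - [01/Jun/2018:11:00:01 +0200] "GET /account.php?osCsid=ccc333 HTTP/1.1" 200 4096 "-" "Safari/11.1"',
]


def parse(lines):
    """Yield one event per log line whose request URL carries an osCsid."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        query = parse_qs(parts.query)
        sid = query.get(SID_PARAM, [None])[0]
        if sid is None:
            continue  # session carried in a cookie (or no session): not visible here
        yield {
            "ip": m["ip"],
            "agent": m["agent"],
            "path": parts.path,
            "sid": sid,
            "is_login": (m["method"] == "POST" and parts.path == LOGIN_PATH
                         and query.get("action") == [LOGIN_ACTION]),
        }


def shared_sessions(events):
    """Session IDs presented by more than one (IP, user agent) pair."""
    clients = defaultdict(set)
    for e in events:
        clients[e["sid"]].add((e["ip"], e["agent"]))
    return {sid: sorted(seen) for sid, seen in clients.items() if len(seen) > 1}


def not_regenerated(events):
    """Session IDs that are still requested after the login POST carrying them."""
    logged_in, reused = set(), set()
    for e in events:  # events arrive in log order
        if e["is_login"]:
            logged_in.add(e["sid"])
        elif e["sid"] in logged_in:
            reused.add(e["sid"])
    return reused


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("shared:", shared_sessions(events))
    print("not regenerated after login:", sorted(not_regenerated(events)))
```

A hit from `shared_sessions` can also be a customer who changed network or pasted a link, so treat it as a lead to review. Once sessions are cookie-only the access log no longer shows the ID and this check goes blind by design.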


You will be surprised how easy it is to customize the new Edge. Having recently moved from 2.2 to Edge I would recommend you to give it a try.


 

Posted (edited)
7 hours ago, justcatering said:

You will be surprised how easy it is to customize the new Edge. Having recently moved from 2.2 to Edge I would recommend you to give it a try.

Thanks for the idea, but really, with "very heavily modified" I really mean "very heavily modified" in huge bold capitals - you would be surprised ;-) Of course I have considered upgrading, for more than one reason, but that would not be the way to go, trust me.

What is killing me: in non-SSL mode things work the way I want. Where is that piece of code that makes the osCsid disappear and allow login etc. and what is the difference when using SSL? I would say it is dead simple - but apparently I am missing something.

Right now I would say: okay, force cookie use - cookies are kind of 'normal' and I can live with losing a couple of customers (IF that is the only 'cost'). But that would be last resort, I am not ready for that (yet). I am hoping for some guidance into the right direction.

 

Edited by superfrank


@superfrank

Will your "very heavily modified" store continue to run when your host upgrades the version of PHP to v7.x? Just asking ...

Malcolm


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release here


It could be anything on a modded site, but

  define('HTTP_COOKIE_DOMAIN', 'www.my*web*shop.nl');
  define('HTTPS_COOKIE_DOMAIN', 'www.my*web*shop.nl');

Should be

  define('HTTP_COOKIE_DOMAIN', '.www.my*web*shop.nl');
  define('HTTPS_COOKIE_DOMAIN', '.www.my*web*shop.nl');

Try and see what happens. Just backup first.


 


To be honest, you're flogging a dead horse, as they say, with 2.2. Yes, setting the value for "Recreate Session" to FALSE is a way to get it working. It's been done before and there are several topics on this subject already on this forum. But as we have advised, the best solution is to update to the latest Edge. It will prove a better decision in the long run.

 


 

10 minutes ago, ArtcoInc said:

@superfrank

Will your "very heavily modified" store continue to run when your host upgrades the version of PHP to v7.x? Just asking ...

Malcolm

My shop survived PHP 4 to 5, the funny 5.4, all the minor stuff like register_globals, register_long_arrays, not to mention all the deprecated functions and so on. So to answer your question: yes, I think it will survive PHP 7 - not without any battle, but it will. Besides, my host only upgrades to v7 when/if I want.

Once again: thank all of you for your concerns, but really, I just have a flat tyre. I want to fix my flat tyre, not buy a new car. Please tell me how to fix my flat, not where to buy a car.

 

Just now, justcatering said:

It could be anything on a modded site, but

  define('HTTP_COOKIE_DOMAIN', 'www.my*web*shop.nl');
  define('HTTPS_COOKIE_DOMAIN', 'www.my*web*shop.nl');

Should be


  define('HTTP_COOKIE_DOMAIN', '.www.my*web*shop.nl');
  define('HTTPS_COOKIE_DOMAIN', '.www.my*web*shop.nl');

Try and see what happens. Just backup first.

I had already found that elsewhere on the forum and tried it, but it doesn't do the job. In fact it makes it kind of worse: now logging in doesn't even work when deleting the osCsid from the URL. The same for variations without "www". I think that added dot is only the case for later versions.

 

 

5 minutes ago, justcatering said:

To be honest, you're flogging a dead horse, as they say, with 2.2. Yes, setting the value for "Recreate Session" to FALSE is a way to get it working. It's been done before and there are several topics on this subject already on this forum. But as we have advised, the best solution is to update to the latest Edge. It will prove a better decision in the long run.

 

Yes, I have seen and read that topic (before posting mine).

As said, my 'better' solution would be to force cookies, but that would be "better", not "good".

How to fix that flat tyre...

 


"So to answer your question: yes, I think it will survive PHP 7 "

I will be very surprised if you get a 2.2 site to work with PHP7, not without a lot of reworking! Hence, why not spend the time moving to a more up-to-date version? But if not, you have already found the solution.

Put some slime into the tyre and hope it lasts. :smile: I am sure if a better solution is available one of the experts will be able to help, some very clever people in the commercial support section.


 


 

1 hour ago, justcatering said:

"So to answer your question: yes, I think it will survive PHP 7 "

I will be very surprised if you get a 2.2 site to work with PHP7, not without a lot of reworking! Hence, why not spend the time moving to a more up-to-date version? But if not, you have already found the solution.

Put some slime into the tyre and hope it lasts. :smile: I am sure if a better solution is available one of the experts will be able to help, some very clever people in the commercial support section.

I am sorry. Once again, thank you for your concerns and solutions, but for me they are not solutions. And the discussion "to upgrade or not to upgrade, that's the question" is very interesting, but really off-topic. My new shop might be using BS Edge. But my existing shop just has a few questions. For those who want to help, see above.

2 hours ago, justcatering said:

It could be anything on a modded site, but

A vanilla 2.2ms2 on non-SSL versus SSL is doing the same...

 

2 hours ago, superfrank said:

I just have a flat tyre. I want to fix my flat tyre, not buy a new car.

A Trabant with a flat tyre is still a Trabant.

Good luck with your store.


Let's make things easier for new osCommerce users http://forums.oscommerce.com/topic/402638-discussion-about-hard-coded-database-tables/?p=1718900  Getting there with osCommerce 2.4! :thumbsup:

Posted (edited)
10 minutes ago, frankl said:

A Trabant with a flat tyre is still a Trabant.

Good luck with your store.

A Trabant with four wheels (without flats) still gets you where you wanna be.

Quote

For those who want to help, see above.

;-)

Edited by superfrank


Frank - As I recall, some older shops always showed the SID. I don't recall if there was ever a fix but most got around it by installing either Ultimate SEO or SEO 5 (url rewriters). Both are fairly quick installs so I suggest you try one. You can turn Ultimate SEO completely off but not SEO 5 so if you think that will be a concern, then go with Ultimate SEO.

10 hours ago, Jack_mcs said:

Frank - As I recall, some older shops always showed the SID. I don't recall if there was ever a fix (...)

As far as I know, 2.2MS2 was the first version doing it the smart way: adding an osCsid once and dropping it the next link (if cookies are enabled/possible on the visitor's end). There was no 'fix', it was just a matter of having the right settings.

And that is my headache here: if it behaves like that on HTTP, why not on HTTPS...?

10 hours ago, Jack_mcs said:

(...) most got around it by installing either Ultimate SEO or SEO 5 (url rewriters). Both are fairly quick installs so I suggest you try one. You can turn Ultimate SEO completely off but not SEO 5 so if you think that will be a concern, then go with Ultimate SEO.

Yes, I saw some things about that, including the hack of Ultimate SEO URL's modification to ~/includes/functions/html_output.php - changing the line

$add_session_id = true

setting true to false.

Installing Ultimate SEO surely is an option, and nice URLs are not a bad idea anyway ;-) But looking at it beforehand, I have the impression it would kill the osCsid always, instead of only the following links. In fact, I could change true to false even without installing Ultimate SEO, since that piece of code is in the function tep_href_link already. But both methods wouldn't be exactly how I want it: I want a backup plan in case the visitor has cookies disabled, just like with HTTP.

I think the problem/solution lies somewhere in that function as defined in html_output.php or rather in extensions of it (some function in sessions.php). Maybe some bug, forgotten code to cover SSL, or something like that. But I don't see/understand where and how.

 

 

 


If you want the SID to go away, it just takes a simple install. If you want to spend the time tracing down the problem and looking for help here, you will most likely need to hire someone because most have moved on from 2.2 and the problem is specific to your site. And should you find the solution, what have you accomplished? Rewritten url's are more user-friendly. It makes no sense, in my mind, not to use them.

Posted (edited)

Some thoughts, Frank.

I know you are strongly resisting upgrading to Edge, but I think it's a losing battle. You're going to spend more and more time patching your code, mostly on your own (since no one in their right mind still uses 2.2). Staying at PHP 5 is not a viable option, as all but 5.6 is out of support (and 5.6 has 6 months left on it) and your site will become increasingly vulnerable to attack, the longer you stay at unsupported PHP 5. You really want to be PHP 7.1 compatible by now.

I don't know what you mean by "very heavily modified", but for some people, changing some colors counts as that. They dread the thought of trying to replicate their existing store on a new code base, because they never bothered to keep written records of what they changed and why they changed it. For example, if you put in a lot of effort to make your 2.2 store responsive, Edge has that built in and you can check that off your list at the beginning. If you remember what add-ons you installed (and any related custom work), that's 80% of the battle (you still have to determine whether the add-on is now built-in, and if not, whether there is a current add-on for Edge). Unfortunately, if you have no records of what you did, you're going to be stuck with trying to figure out (remember) what you did, so you can see how to get to that result on the new code. Maybe you can start by writing down every thing you remember you did, over the next month or two. I can never remember everything in one sitting -- it usually comes back to me if I keep picking at it.

Please do us all a favor and at least try a test Edge installation, with a copy of your current data moved over. As you find each missing feature (that you decide you still need), either turn it on, find the current add-on for it, or decide how you're going to replicate it with custom code (or CSS entries) and/or updated add-ons. Don't fixate on exactly reproducing the current store -- that's a hopeless task. Accept that the appearance and behavior will be a little different, even if you manage to implement all current function. Customers will like that you refreshed your store, anyway. In any case, keep a written record of everything you do, so that in the future you will be able to upgrade to a follow-on with minimal pain. Take it step-by-step, feature-by-feature, until either you find that it's an insurmountable task, or you're done and it was easier than you thought it would be. In the former case, you'll be on your own for future maintenance and upgrades are needed, as there will be very few experienced people still running 2.2 -- you will have essentially forked your own store. Why not let others take care of keeping up with PHP changes, GDPR requirements, etc., and let you concentrate on what function you want?

Good luck!

Edited by MrPhil

If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release


Jack, Phil, thanks for the replies, and thanks for talking sense. I understand I am one of the very few still using 2.2MS2. I also understand that this implies I am kind of on my own. I was just hoping for some long-time-osC-veteran who knows this version inside out, who would be able to answer the questions in my first post and shine some light. Thanks for your input.

@Jack:
You are right, the solution counts, not the method. And yes, using rewritten URLs is only a benefit. So I have installed Ultimate SEO 2.2d-15. I had to disable the line "Options +FollowSymLinks" to bypass error 404 trouble, but now the rewriting works. Compliments and thanks for this well-written, well-working and remarkably well-documented add-on.
But guess what, the osCsid and login trouble as described in my first post still exists: the osCsid stays in the URL forever, and logging in is not possible. That's not as expected, right?
The mystery remains...

@Phil:
☀ PHP 7:
Yeah, you have a very valid point. At some point there is no way around it and the webshop must be PHP7 compatible, regardless what osC version I am using.
☀ Heavily modified:
I don't mean changing some colors :smile: I mean adding serious functionality, involving changes in the code as well as in the database. Some examples, just shaking them out of my sleeve:
- Turn off the web shop in the admin section. Either completely or just disabling the actual buying procedures, while keeping all other functions.
- Invoice generator, contrary to ORDER, since an order is not necessarily an actual buy. Functionality includes for example flexible numbering and merging with other shops.
- Additional product info fields, like shipping factors and multiple article numbers, for example article number for the shop, manufacturers catalog number, EAN number.
- Product attributes, contrary to options at additional cost, for example the same article in color red or blue, size small or large, obviously with separate stock count.
- Customized shipping costs, like multiple flat rates depending on size and weight and optional registered mail.
- Multiple images for products, zoom function on those images, image check (pixel size, file size, naming)
- SEO related things, like titles, metatags, image alt tags, descriptions - some of them rotating on a daily basis.
And the list goes on...
Then some less important functions or just plain cosmetics, like a login box, more additional info boxes, hide/unhide whole categories, HTML email editor, gift wrap option, inc/ex VAT conversion at input, multiple configurable display options, etc. And yes, I have changed some colors too :smile:
Some of these modifications are based upon existing add-ons but mostly altered anyway to suit my needs and wishes, some are written from scratch. I guess you understand that here is not a case of just installing Edge and exporting/importing the database.
I do not have an external list of all modifications I did, but inside the code everything is documented (comments about what and why). If I do a grep search on the server or an extended search with HomeSite, I will find everything that starts with "// fff - "
☀ Responsive design:
This will make some people shake their heads, and no offense and all respect to the creators of the new version, but this would be the last reason to upgrade to Edge. I have some unusual ideas about smartphones, but let's not get into that :smile: Besides, "responsive design" usually means pleasing the owners of 144 different kinds of mobile devices and meanwhile upsetting everybody with a horizontal desktop screen or even a laptop computer. For example: the responsive design of the current default BS Edge barely fits 9 categories on my 24 inch desktop screen, instead of the 24 categories with my 2.2MS2 shop. And I need to scroll vertically to see all info about a product and find the buy button. And the title eats up 20% of the vertical space. Etc. All because of unnecessary spacing and sizing aiming at mobile devices. Excuse me, but I don't think that's the right response. And yes, I know what are style sheets, but I think you know what I mean.
Yes, without responsive design I am losing customers. But I have some unusual ideas about business, too. I would rather have my customers enjoy the sea, sand and sun while they are on the beach than buying in my shop. In my eyes that's something good, not bad.
☀ Forking:
Yes, I guess I have been forking osC 2.2MS2. It was a great idea at the time, and worked well for a looooong time, but maybe now not very good. But what can I do? I just don't want to be dependent on (waiting for) 'official updates' and only apply full/automated/compatible add-ons.
☀ Try Bootstrap:
I still think going from Bootstrap Edge to what I want will be a huge pain, even including accepting a slightly different appearance and behavior (I totally agree with that!). Looking at it a bit deeper did not make that less, maybe on the contrary.
But okay, fair enough, I will give it a try.

@All:
I understand there are two problems for me to solve:
1. The first and urgent one is to have the shop fully SSL-enabled and working. This could be done by forcing the use of cookies or hard-coding the $add_session_id to false. Probably forcing cookies would then be the better option (right?). Or of course fixing the problem, either by myself or with some help of some veteran giving me a golden tip.
2. Eventually I would have to be ready for PHP7, either by upgrading to osC BS Edge or by fixing code within the existing shop. Either one will be quite a job, but there is still some time.

Thanks for your input.

Posted (edited)
16 minutes ago, superfrank said:

☀ Heavily modified:

I don't mean changing some colors :smile: I mean adding serious functionality, involving changes in the code as well as in the database. Some examples, just shaking them out of my sleeve:
- Turn off the web shop in the admin section. Either completely or just disabling the actual buying procedures, while keeping all other functions.
- Invoice generator, contrary to ORDER, since an order is not necessarily an actual buy. Functionality includes for example flexible numbering and merging with other shops.
- Additional product info fields, like shipping factors and multiple article numbers, for example article number for the shop, manufacturers catalog number, EAN number.
- Product attributes, contrary to options at additional cost, for example the same article in color red or blue, size small or large, obviously with separate stock count.
- Customized shipping costs, like multiple flat rates depending on size and weight and optional registered mail.
- Multiple images for products, zoom function on those images, image check (pixel size, file size, naming)
- SEO related things, like titles, metatags, image alt tags, descriptions - some of them rotating on a daily basis.
And the list goes on...
Then some less important functions or just plain cosmetics, like a login box, more additional info boxes, hide/unhide whole categories, HTML email editor, gift wrap option, inc/ex VAT conversion at input, multiple configurable display options, etc. And yes, I have changed some colors too :smile:
Some of these modifications are based upon existing add-ons but mostly altered anyway to suit my needs and wishes, some are written from scratch. I guess you understand that here is not a case of just installing Edge and exporting/importing the database.
I do not have an external list of all modifications I did, but inside the code everything is documented (comments about what and why). If I do a grep search on the server or an extended search with HomeSite, I will find everything that starts with "// fff - "

Just to let you know: most of these points are:

- or included now in 2.3.4.1 BS

- or available as modularized contributions for 2.3.4.1BS and easier and faster to install as you could imagine.

Edited by raiwa

6 hours ago, superfrank said:

But guess what, the osCsid and login trouble as described in my first post still exists: the osCsid stays in the URL forever, and logging in is not possible. That's not as expected, right?

No, that's not right. It sounds like there is a mistake in the configure file. This thread may help with that. I could see that the addon may not stop the SID, though I wouldn't expect it, but it doesn't have anything to do with logging in. If you have the recreate session setting enabled, that could cause that. You may also want to make sure you do not have cache enabled while working through this.

Posted (edited)
14 hours ago, raiwa said:

Just to let you know: most of these points are:

- or included now in 2.3.4.1 BS

- or available as modularized contributions for 2.3.4.1BS and easier and faster to install as you could imagine.

To be honest, I would be surprised. For example, I can imagine BS now having an extra column for an article number by default, but who on earth (besides me) needs THREE extra columns for three different kinds of article numbers...? In 2.2MS2 (a version with an incredible number of add-ons and variations of add-ons) I hardly found contributions which were suitable out-of-the-box. I always had to alter them, or at least debug. Actually, I think only my last found Ultimate SEO doesn't need any additional work :smile: I think maybe you guys are underestimating what I am looking for.

But okay, maybe I am the one underestimating and BS Edge is better than I think. Better do a test install of BS Edge and look around a bit. I think the ridiculously spacious layout and all the huge font sizes are minor detail and the least of a problem :wink: I promise I will try BS Edge!

But first:

9 hours ago, Jack_mcs said:

No, that's not right. It sounds like there is a mistake in the configure file. This thread may help with that. I could see that the addon may not stop the SID, though I wouldn't expect it, but it doesn't have anything to do with logging in. If you have the recreate session setting enabled, that could cause that. You may also want to make sure you do not have cache enabled while working through this.

Yes, Recreate Session is enabled and disabling it solves the problem (the osCsid stays, but logging in is then possible). But still - when using NONSSL this is no problem, only when using SSL. The same with the persistent osCsid in the URL, this only happens in SSL.

I have tried to change the cookie paths in configure.php for a test shop running in a subdirectory (similar to "catalog") but no difference. Further all settings are like stated in my first post. I cannot see anything else possibly wrong.

Web shop's cache is disabled and always has been. I suppose you are talking about WEB SHOP cache. Anyway, I am clearing BROWSER cache/history/cookies all the time.

 

 

Edited by superfrank

42 minutes ago, superfrank said:

To be honest, I would be surprised. For example, I can imagine BS now having an extra column for an article number by default, but who on earth (besides me) needs THREE extra columns for three different kinds of article numbers...? In 2.2MS2 (a version with an incredible number of add-ons and variations of add-ons) I hardly found contributions which were suitable out-of-the-box. I always had to alter them, or at least debug. Actually, I think only my last found Ultimate SEO doesn't need any additional work :smile: I think maybe you guys are underestimating what I am looking for.

But okay, maybe I am the one underestimating and BS Edge is better than I think. Better do a test install of BS Edge and look around a bit. I think the ridiculously spacious layout and all the huge font sizes are minor detail and the least of a problem :wink: I promise I will try BS Edge!

I stated MOST, not ALL, but try it, you'll be surprised for sure.
