SSL Problem...

[ursulab2]

I am having a MAJOR problem with the SSL on my site. I have done everything correctly however, when I go from an unsecure page to a secure page the shopping cart does not carry over. I've heard about this issue before on this board but I haven't found any solutions to the problem. Has anyone else figured out this problem yet?

 

PS... I've tried setting everything to work on the secure server but that didn't work either. Any other thoughts?

 

Thanks,

[maeve]

Ursulab2,

 

I got a similar problem.

 

I installed OsCommerce to http://www.stoneplates.com. Then I got a free certificate from Hostrocket to use SSL.

 

https://securehost22.hrwebservices.net/~stonepl/

 

This is my ssl url.

 

If I don't use SSL everthing works fine from registering a user to payment via authorize.net. However, if I use SSL, on some computers it never posts any information in the registration form or payment screen. On some computers it just works fine.

 

I believe this is an issue between Internet Explorer + SSL, but I could not be able to solve it in the past week. When I try to register a new user and submit information, it returns me back to the registration form with no errors or etc. If I can register a user from another computer, on the payment screen I choose credit card and click continue, it returns me to the same form with no payment selected option. I put a debug on the script and I can see no information is sent to the next page while using some different computers.

 

As an update; I just find out that the machines that I did not fully update via windowsupdate works fine, if I do all the critical + regular updates to windows and Internet Explorer, the problems just begin.

 

Any help is greatly appreciated.

Thanks

[Guest]

Its ironic that there are 2 posts about this today as I have just encountered the same problem a few hours ago.

Have you guys found anything out about this?

I would hate to remove SSL from my shop...

 

Thanks in advance.

[maeve]

Vrant,

 

No luck so far. I keep changing settings on the OsCommerce configuration files. I posted this question to two companies that offer OsCommerce installation, one of them could not replicate the same problem. The other one has not responded yet.

 

I am 90% sure that it is because of the updates from windows update site. On one machine it was working fine, I updated that machine (there were 4 critical updates) and it also stopped working.

 

Heh, just pulling my hair at the moment. I would really appreciate if someone can come up with a solution.

 

Good Luck!

Maeve

[Guest]

Hey I just went into IE

Tools - Internet OPtions - Advanced Tab and down to Security.

Make sure there is a check in "Do not save encrypted pages to disk".

 

This solved the problem on my PC but not on any other PC's as I did it to 3 and only mine works now.

 

weird but maybe it will work for you.

[ursulab2]

well, I have a sucky solution for those of you that want to. If you change everything to being on SSL it works fine (as long as your pages remain on the secure server). This isn't going to do me any good when having the search engines index my pages though.

 

Any other solutions?

 

For instance here is what I did...

 

define('HTTP_SERVER', 'https://secure3.serverhostname.com'); // eg, http://localhost - should not be empty for productive servers

  define('HTTPS_SERVER', 'https://secure3.serverhostname.com'); // eg, https://localhost - should not be empty for productive servers

  define('ENABLE_SSL', true); // secure webserver for checkout procedure?

  define('HTTP_COOKIE_DOMAIN', 'secure3.serverhostname.com');

  define('HTTPS_COOKIE_DOMAIN', 'secure3.serverhostname.com');

  define('HTTP_COOKIE_PATH', '/~giftsbyu/');

  define('HTTPS_COOKIE_PATH', '/~giftsbyu/');

  define('DIR_WS_HTTP_CATALOG', '/~giftsbyu/');

  define('DIR_WS_HTTPS_CATALOG', '/~giftsbyu/');

 

Don't know if this helps anyone or not but maybe it will.

[Guest]

All seems to be working well on machine now but not my client's.

That is something of a problem as he cant purchase anything from his shop when he tries and I'm sure others can not as well.

I cant just change it all to SSL and risk the search engines not indexing everything.

I saw some info on microsoft's knowledge base but none of it is directly related to form submission via SSL in Internet Explorer.

I'm wondering hwo this happenned all of a sudden because a few weeks ago, during a test, everything was fine.

It must have been that last round of critical updates a few days ago.

:angry:

[ursulab2]

I found a genius!!! This was on another posting. It didn't really have much to do with my issue but I'm trying everything!!!!!! Well, I tried this and it worked!!!!!!!!!!! Everything is now carring over from the secured server to the unsecured server. I have no idea how this made it work but it did. Can ya tell I'm excited!!!!!!!!!!! :rolleyes: :) :P :D :lol:

 

 

 

(around line 45 of includes/functions/html_output.php)

 

CODE 

if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) { 

 

 

to

 

CODE 

if ( ($add_session_id == true) && ($session_started == true) ) { 

 

 

If that helps, then someone should file a bug report.

[maeve]

Hi,

 

I just limit the problem to the KB832894. I just installed a fresh Windows 2000 and was doing updates one by one and testing the site. Until I installed the KB832894, the site is just working fine. After this one it stops working. If you look at the description it feels like the SSL problem.

 

Vrant,

That solution is good but we need a general solution that will fix for everyone. It's not possible to force the customers to do that :(

 

Ursulab2,

I thought about doing that and just putting a redirect in the front page. If I can't find a better solution, I will go with that solution.

 

Thank you both for sharing. In fact, the case is still open and I am still trying to find a solution to this one. Maybe one of the developers may come up with some solutions.

 

Thank you,

Maeve

[Guest]

Ursula,

 

I tried it and it didnt work. Then i uploaded my configure.php thinking it was some of my 7 thousand changes to that, but it wasn't.

Did u do anything else besides change that html_output file?

 

<_<

[maeve]

Hmm,

 

I posted without refreshing, my previous post was supposed to be before Ursula's answer.

 

I made the change too and did not work for me either :(

 

Any suggestions?

 

Thanks,

Maeve

[ursulab2]

ok... I did have to make changes to my config file... Sorry...

 

define('HTTP_SERVER', 'http://www.giftsbyursula.com'); // eg, http://localhost - should not be empty for productive servers

  define('HTTPS_SERVER', 'https://secure3.serverhostname.com'); // eg, https://localhost - should not be empty for productive servers

  define('ENABLE_SSL', true); // secure webserver for checkout procedure?

  define('HTTP_COOKIE_DOMAIN', 'www.giftsbyursula.com');

  define('HTTPS_COOKIE_DOMAIN', 'secure3.serverhostname.com');

  define('HTTP_COOKIE_PATH', '/~giftsbyu/');

  define('HTTPS_COOKIE_PATH', '/~giftsbyu/');

  define('DIR_WS_HTTP_CATALOG', '/~giftsbyu/');

  define('DIR_WS_HTTPS_CATALOG', '/~giftsbyu/');

 

Basically I just set everything back to how it was suppose to be. Try it and let me know if this helps any. I know how frustrating this one is.

[maeve]

Well,

 

Thank you Ursula, but still no luck :(

 

 

Here is my configure.php

 

  define('HTTP_SERVER', 'http://www.stoneplates.com/'); // eg, http://localhost - should not be
 define('HTTPS_SERVER', 'https://securehost22.hrwebservices.net'); // eg, https://localhost - sh$
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.stoneplates.com');
 define('HTTPS_COOKIE_DOMAIN', 'securehost22.hrwebservices.net');
 define('HTTP_COOKIE_PATH', '');
 define('HTTPS_COOKIE_PATH', '/~stonepl/');
 define('DIR_WS_HTTP_CATALOG', '');
 define('DIR_WS_HTTPS_CATALOG', '/~stonepl/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
// define our database connection
 define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', '***');
 define('DB_SERVER_PASSWORD', '***');
 define('DB_DATABASE', 'stonepl_esv');
 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

 

 

and the admin/includes/configure.php

 

  define('HTTP_SERVER', 'https://securehost22.hrwebservices.net/~stonepl/'); // eg, http://localh$
 define('HTTP_CATALOG_SERVER', 'https://securehost22.hrwebservices.net/~stonepl/');
 define('HTTPS_CATALOG_SERVER', 'https://securehost22.hrwebservices.net/~stonepl/');
 define('ENABLE_SSL_CATALOG', true); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. $
 define('DIR_WS_ADMIN', '/admin/');
 define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
 define('DIR_WS_CATALOG', '/');
 define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
 define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
 define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
 define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
 define('DB_SERVER', 'localhost');
 define('DB_SERVER_USERNAME', '***');
 define('DB_SERVER_PASSWORD', '***');
 define('DB_DATABASE', 'stonepl_esv');
 define('USE_PCONNECT', 'false');
 define('STORE_SESSIONS', '');

 

And also, all the values in the admin area -> configuration -> sessions is set to false. What do you have in those areas?

 

 

I do appreciate the help.

Thank You,

Maeve

[user99999999]

Hi,

 

You should try this fix for getenv()

 

Forum Post

 

Replace this code in application_top.php (around line 40):  

Code:  
$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';  

with this:  

Code:  
$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';  

[ursulab2]

eeeewwww.... That made things work EVEN better!!! Try both the code in the last posting AND the one that I posted before.

 

My site is up and working now... Except for that dang shop_by_price module... gggggrrrrr...

[user99999999]

You should change yours back to http or you will not get any spiders to index your SSL only store.

[ursulab2]

Who me? I have done this already. Not sure if you were meaning me or not.

 

:)

[user99999999]

@ursulab2

 

Try both the code in the last posting AND the one that I posted before.

 

I thought you meant this post to force SSL all the time.

 

define('HTTP_SERVER', 'https://secure3.serverhostname.com');

define('HTTPS_SERVER', 'https://secure3.serverhostname.com');

[maeve]

Hmmm,

 

I don't think I have any luck today. I have changed the $request_type, also edited the html_output.php that Ursula suggested. Still I got the same problem. When I try to create a new user; it just sends me back to the same form without any error; in other words, it is still not posting the information.

 

Searched the net for all related subjects about SSL and OsCommerce but could not come up with any solution yet :(

 

Vrant; do you have any luck so far?

 

Ursula; I am glad your site worked at the end.

 

Still looking for an answer, thank you all for the suggestions.

Maeve

[Guest]

I made the change in html_output.php and in aplication_top.php.

I have been staring at includes/configure.php and admin/includes.php. I know they are both correct.

I also have "Do Not save encrypted pages to disk" checked in my IE.

I had it working for a short time yesterday I swear. But after checking with my client, and seeing it didnt work for them, I decided to keep testing and it doesnt work again.

I cant understand how it worked for me yesterday and now it wont.

 

SO, just on a whim i decided to set enable SSL to 'false'. I cleared my cache and went to the shop again. Even with SSL off the Order_Info.php would not submit. I do have the Purchase Without Account module which is what I always use to checkout. So it seems I have more problems than just SSL at the moment. I swear at one point yesterday everything was great.

[Guest]

define('HTTP_SERVER', 'http://www.stoneplates.com/'

 

Remove the forward slash in the configure settings and also in the admin/includes/configure.php

[maeve]

Thanks Melinda,

 

I changed that. But the problem still continues.

 

While debugging, I find the following

 

Line 18, create account.php

  $process = false;

 if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process')) {
   $process = true;

 

I did not go further what $process variable is but took a guess and turned $process = true;

 

  $process = true;

 if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process')) {
   $process = true;

 

So, now it does not check if there is a HTTP_POST_VARS['action'] or not. $process will be always true.

 

Then the create_account.php just works. This is not a solution but I believe it's the cause of my problem.

 

After installing KB832894 from Microsoft which is cross-site SSL scripting vulnerability patch, the site stops working.

 

In other words, the IE or the server DOES NOT post $HTTP_POST_VARS['action'] variable. It also happens the same way on the payment page. When I select credit card, it does not post that variable to the next page. So, the script gives me an error on top red box "Payment method not selected" or something similar. Same thing while adding a new address to the address book.

 

My updated IE works on other SSL sites just fine. I am not an advanced programmer nor have a clue about the programming of the osCommerce. Anyone wants to make a further suggestion/debugging, and also should I report this as a bug ?

 

And what's funny is it sometimes happens randomly. I tried this with more then 8 machines. (Windows 98, Windows 2000, Windows XP with all patches installed)

 

IE versiyon 6.0.2800.1106.xpsp2

 

Thanks,

Maeve

[Guest]

Maeve,

 

i just tried that and it did not help.

Im on XP and using IE versiyon 6.0.2800.1106.xpsp2 as well. I have all of the patches installed. My other PC in here is exactly the same but the shop works on it. I cant explain that one. :blink:

[maeve]

Vrant,

 

Well, it did not really help me either a lot. Only the account add page works if i turn it on. Still I have problems with the other pages. But I am really sure that it has something to do with this IE fix they came up with. It just happens after I apply that particular patch.

 

It's not posting some variables to the other page. As long as they are not posted, the script just does nothing and pushes back to the original page.

 

I just hope someone will come up with a solution.

 

BTW, how do you replicate this problem? Is it after the critical updates or not? Have you tried with a fresh installed, unpatched machine?

 

Still pulling my hairs, I contacted to a oscommerce consulting company. I wonder what they will come up with.

 

Good Luck,

Kaan

[Guest]

BTW, how do you replicate this problem? Is it after the critical updates or not? Have you tried with a fresh installed, unpatched machine?

 

I dont know exactly. I have not tried with a fresh machine.

 

But I just turned off SSL and tried again and it didnt work. So my problem must be with the Purchase Without Account contribution as that is what I am using to purchase.

 

After I figure this out I will get back to the SSL problem.

 

Thanks