secure admin, shared ssl, re-directed to login



avibodha
12-01-2005, 09:25 AM
Hi,

I've got a problem with all the stores I've set up using a shared SSL cert and using a secure admin area.

Using EasyPopulate, when I click any of the download options I'm booted back to login. Same with Attribute Manager once I select a product to edit, back to login. In Orders, if I change the top dropdown to show only Processed for example, same thing, booted back to log in.

I've looked at all the old posts, here and oscommerce, and haven't been able to find out what's happening.

* I did add all the files to the admin permissions
* The links on the left boxes are passing in oscAdminId correctly
* Most everything else works fine.
* Have Requires cookies off
* Only happens when admin is secured using SSL
* Safe mode is off

Here's the applicable part of my admin config:

define('HTTP_SERVER', 'https://hs42.order-vault.net/heritagecamps.org/');
// define('HTTP_SERVER', 'http://www.heritagecamps.org');
define('HTTP_CATALOG_SERVER', 'http://www.heritagecamps.org/');
define('HTTPS_SERVER', 'https://hs42.order-vault.net/heritagecamps.org/');
define('HTTPS_CATALOG_SERVER', 'https://hs42.order-vault.net/heritagecamps.org/');
define('ENABLE_SSL_CATALOG', 'true');

Does anyone have any ideas? Any suggestions of what to try? Thanks for any help...
---todd

michael_s
12-01-2005, 09:50 AM
Did you check this page:
http://oscdox.com/modules.php?op=modload&name=phpWiki&file=index&pagename=SSL

Config should look something like this:


define('HTTP_SERVER', 'https://hs42.order-vault.net/heritagecamps.org'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.heritagecamps.org');
define('HTTPS_CATALOG_SERVER', 'https://hs42.order-vault.net/heritagecamps.org');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/correct/path/to/catalog/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/correct/path/to/admin/'); // absolute path required


Also make sure you store your sessions in the database:

define('STORE_SESSIONS', 'mysql');

avibodha
12-01-2005, 10:56 AM
Hi Michael,

Thanks for the link and the fixes to my paths, didn't realize I had messed up the '/' at the end. Unfortunately that wasn't the problem.

I did review the link but it seemed out of date. FYI, the shared ssl info there for admin has the non-ssl setting for HTTP_SERVER, while yours and others suggest using the SSL setting for this. Also, it's my understanding that the admin doesn't use cookies but instead passes the oscAdminId in each link so the cookie settings are not needed. Is that true? Also, I don't find any references to DIR_WS_HTTP_CATALOG, so that may be from an older codebase.

*
I did find and fix the problem with EasyPopulate. It had hardcoded paths so the oscAdminId was not added to the links.

The lines at .832 should be replaced with these:

<a href="<?php echo tep_href_link("easypopulate.php","download=stream&dltype=full"); ?>">Download <b>Complete</b> tab-delimited .txt file to edit</a><br>
<a href="<?php echo tep_href_link("easypopulate.php","download=stream&dltype=priceqty"); ?>">Download <b>Model/Price/Qty</b> tab-delimited .txt file to edit</a><br>
<a href="<?php echo tep_href_link("easypopulate.php","download=stream&dltype=category"); ?>">Download <b>Model/Category</b> tab-delimited .txt file to edit</a><br>
<a href="<?php echo tep_href_link("easypopulate.php","download=stream&dltype=froogle"); ?>">Download <b>Froogle</b> tab-delimited .txt file</a><br>

Same for all the other links on the page...Works great now...

My other two problems are in Attribute manager once a product is chosen and then Edit is pressed and in Orders, changing the top right Status drop down. I'm guessing it's bad coding now, not a problem in my setup. What do you think?

thanks,
---todd

avibodha
12-01-2005, 12:25 PM
Well, it turns out I was wrong about cookies, they are used in a shared SSL secure admin - if you do them right!

Here's what works:

define('HTTP_SERVER', 'https://secure-domain.com');
define('HTTPS_SERVER', 'https://secure-domain.com');
define('DIR_WS_ADMIN', '/~user/catalog/admin/');

The code in application_top.php:

ini_set('session.cookie_path', DIR_WS_ADMIN);
means that the cookie MUST be set to include your ~user path info for it to work!

Using this, there's no need to change EasyPopulate and now the Order Status change updates perfectly.

Only problem now is the Attribute Manager, Edit product still not working...

avibodha
12-01-2005, 05:47 PM
Here's the problem with Attribute Manager:

The form is using $PHP_SELF for the action.

My server is returning /~admin233/catalog/admin/server_info.php from phpinfo, instead of /mydomain.com/catalog/admin/server_info.php.

So, the Cookie Path is set to /mydomain.com/catalog/admin/ and PHP_SELF returns /~somethingelse/catalog/admin which means that the cookie is not allowed and so we're back at the login page.

Not sure why PHP_SELF isn't returning the correct path...must be something about virtual servers...or maybe related to SSL?

The short-term fix is to use basename() on it for now...everywhere things don't work...

Does anyone else have a PHP_SELF not matching the file system path on a shared server in SSL in admin?

Hope this helps someone else too,
---todd
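
The mismatch described in the post above, worked through as an added example that is not part of the original thread: it applies the RFC 6265 cookie path-match rule to a form posted to $PHP_SELF versus basename($PHP_SELF). The host name secure.example and the file name attributeManager.php are constructed for illustration; the paths follow the ones quoted in the post.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookiePath
// attached to a request for requestPath?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a "/" boundary.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Resolve a form action the way a browser does, then decide whether a
// host-only session cookie with the given Path accompanies the submission.
function cookieSentOnSubmit(pageUrl, formAction, cookiePath) {
  const page = new URL(pageUrl);
  const target = new URL(formAction, page);
  const sent = target.hostname === page.hostname &&
               pathMatch(target.pathname, cookiePath);
  return { target: target.pathname, sent };
}

// Constructed sample values modelled on the thread (host and file name are made up).
const PAGE = 'https://secure.example/mydomain.com/catalog/admin/attributeManager.php';
const COOKIE_PATH = '/mydomain.com/catalog/admin/';   // session.cookie_path = DIR_WS_ADMIN
const PHP_SELF = '/~admin233/catalog/admin/attributeManager.php';

function demo() {
  return {
    // action="$PHP_SELF": absolute path outside the cookie's Path.
    phpSelf: cookieSentOnSubmit(PAGE, PHP_SELF, COOKIE_PATH),
    // action=basename($PHP_SELF): relative, resolves under the current directory.
    basename: cookieSentOnSubmit(PAGE, 'attributeManager.php', COOKIE_PATH),
    // DIR_WS_ADMIN set to the ~user path, so Path and PHP_SELF agree.
    aligned: cookieSentOnSubmit(
      'https://secure.example/~admin233/catalog/admin/attributeManager.php',
      PHP_SELF, '/~admin233/catalog/admin/'),
  };
}

console.log(demo());
```

The trailing slash in DIR_WS_ADMIN matters as well: with a cookie path of /catalog/admin (no slash), the boundary check is what keeps the cookie from being sent to a sibling directory such as /catalog/administrator/.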

Cisco
07-03-2006, 12:46 PM
Do you have to have an SSL cert. to make sure that your SSL or HTTPS is working?