This is a discussion on Session problems using shared SSL within the osCMax v1.7 Installation forums, part of the osCMax v1.7 Forums category.
#1
When I log in using the Webmakers login box or via the standard login page the login box correctly disappears and 'log-off' appears on the top menu bar, and the url has changed to that of the shared secure server. But as soon as I navigate elsewhere on the site it thinks I'm logged off. I've had the osc standard version working ok with the same shared secure server and similar config settings.

Settings as follows:

Administration > Configuration > Sessions:
Session Directory = /tmp
Force Cookie Use = False
Check SSL Session ID = True
Check User Agent = False
Check IP Address = False
Prevent Spider Sessions = True
Recreate Session = True

configure settings:
define('HTTP_SERVER', 'http://www.<domain>');
define('HTTPS_SERVER', 'https://dnslinux.co.uk/~<package name>');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.<domain>');
define('HTTPS_COOKIE_DOMAIN', 'www.<domain>');
define('HTTP_COOKIE_PATH', '/<catalog dir>/');
define('HTTPS_COOKIE_PATH', '/<catalog dir>/');
define('DIR_WS_HTTP_CATALOG', '/<catalog dir>/');
define('DIR_WS_HTTPS_CATALOG', '/<catalog dir>/');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');

If I set ENABLE_SSL to false then the login works ok. Why should the login on the standard MS2 version work ok with shared SSL but MAX doesn't?

#2
Set "force cookie use=true"
__________________ JPF - osCMax Forum Moderator Try out our osCMax at: Live Catalog Demo Limited access Admin: Live Admin Demo Feel free to add products the way you want and then purchase them -=+=- Sorry nothing will be billed or shipped!

#3
I don't think 'force cookies' will work with shared SSL? The osCommerce Knowledge Base document on Security and Privacy at http://www.oscommerce.info/kb/osComm...lementations/4 was helpful. Quote:

#4
Yes, force cookies will not work with shared ssl. This is most likely a problem with the sessions settings in the admin. The ssl core code in max and ms2 is identical, so look elsewhere for the problem, like the loginbox or your configuration files and make sure your sessions settings are identical.
__________________ Michael Sasek osCMax Developer
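
Why a cookie-only session cannot follow the user onto a shared SSL host, as an added example that is not part of the thread or of osCMax: it applies the RFC 6265 domain-match and path-match rules to settings shaped like those in post #1. The host names, the catalog path and the function names are constructed placeholders.

```php
<?php
// Added example, not osCMax code. Hosts and paths below are constructed.
// RFC 6265 5.1.3: host must equal the cookie domain or be a subdomain of it.
function cookie_domain_matches(string $host, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($host, '.'));
    $domain = strtolower(ltrim($cookieDomain, '.'));
    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    $suffix = '.' . $domain;
    return filter_var($host, FILTER_VALIDATE_IP) === false // IP hosts match only exactly
        && substr($host, -strlen($suffix)) === $suffix;
}

// RFC 6265 5.1.4: cookie path must be a directory prefix of the request path.
function cookie_path_matches(string $requestPath, string $cookiePath): bool
{
    if ($requestPath === $cookiePath) {
        return true;
    }
    if ($cookiePath === '' || strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;
    }
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

// True when a browser would attach the cookie to a request for $url.
function cookie_in_scope(string $url, string $cookieDomain, string $cookiePath): bool
{
    $parts = parse_url($url);
    return cookie_domain_matches($parts['host'] ?? '', $cookieDomain)
        && cookie_path_matches($parts['path'] ?? '/', $cookiePath);
}

// Constructed stand-ins for HTTP(S)_COOKIE_DOMAIN and HTTP(S)_COOKIE_PATH.
$cookieDomain = 'www.shop.example.test';
$cookiePath   = '/catalog/';
foreach ([
    'http://www.shop.example.test/catalog/index.php',          // HTTP_SERVER
    'http://shop.example.test/catalog/index.php',              // same shop, no www
    'https://shared-ssl.example.test/~shop/catalog/login.php', // shared HTTPS_SERVER
] as $url) {
    printf("%-58s %s\n", $url, cookie_in_scope($url, $cookieDomain, $cookiePath) ? 'in scope' : 'out of scope');
}
```

Only the first URL is in scope. On the shared host neither the domain nor the path matches, so the session ID has to travel in the URL instead, which is why forcing cookie use breaks login there.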

#5
Sorry did not see the shared SSL
__________________ JPF - osCMax Forum Moderator

#6
I don't know if this was the problem but in configure.php I removed the www's in the settings for: HTTP_SERVER, HTTP_COOKIE_DOMAIN, HTTPS_COOKIE_DOMAIN (I had http://www.domain.co.uk, now I have http://domain.co.uk) and it's working ok now. Thanks.

#7
The catalogue is working but it asks for another login before going through the checkout, which is as it gets directed to https.

What's the recommended setup for the admin section regarding SSL? For a live standard osc MS2 store I have changed the href to the orders page to be SSL. For this MAX installation I've removed the www's from the configure.php file and I've added the SSL parameter to the call on function tep_href_link in orders.php for the link on the 'edit' button, but as soon as it goes to https it asks me to login again and then loops back to the orders summary rather than the detail page. Should therefore the whole of the admin section be directed to https?

#8
The difference between a standard osc shop I run and the new one with oscMAX is that the login on the standard osc install is via an href link which connects to the shared SSL, whereas the Webmakers login box I'm using with the MAX install is on the default homepage and I assumed was not loaded via https. However, reading the code, if I understand it correctly the loginbox is posting to the login page with an action to process via SSL. The problem is I don't see why it is requiring a second login at the checkout?

#9
I think it's solved, think it was the cookie paths in the catalog configure.php, I've changed them to include 'http://' as follows:

define('HTTP_COOKIE_DOMAIN', 'http://<domain>.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'http://<domain>.co.uk');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

#10
Although the problem SSL is solved for the catalog, I still have an issue with the Admin section. When I login to the Admin section it automatically uses https and once the login details are transmitted the index page is back to http. When editing orders I want to be using https. For a standard version of osc ms2 I changed the code in the orders page to set the href to use SSL and it worked ok, but with osmax I find that the same amendment causes the system to return to the admin login page. Can anyone please advise? I've checked the settings in configure.php and they appear to be ok (as standard there is no ref to cookie paths though).