Secure and Unsecure issues

[renewal777]

Hello all, I just recently started creating an online store for my church. Everything has been going great so far due to the vast amount of information available on these forums.

One issue I have encountered, though, is that I can not stay logged onto my account when go from a page that uses SSL to a page that does not. For example: I log into my ZenCart and am loaded into the 'My Account' page (The My Account page uses the SSL url). If I then click on another link such as 'Home' or even a product, it brings me to that page but makes it appear as if I was never logged in. If I click 'Log In' again it brings me to My Account as if I was logged in the entire time. The only difference between pages that keep me logged in and pages that don't is the use of SSL. This is the portion of my configuration.php that I edited to enable SSL:

PHP Code:

<?php
/**
 *
 * @package Configuration Settings
 * @copyright Copyright 2003-2006 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 */


/*************** NOTE: This file is similar, but DIFFERENT from the "admin" version of configure.php. ***********/
/***************       The 2 files should be kept separate and not used to overwrite each other.      ***********/

// Define the webserver and path parameters
  // HTTP_SERVER is your Main webserver: eg, http://www.yourdomain.com
  // HTTPS_SERVER is your Secure webserver: eg, https://www.yourdomain.com
  define('HTTP_SERVER', 'http://renewalofthelordstemple.com');
  define('HTTPS_SERVER', 'https://ssl17.servage.net/renewalofthelordstemple.com');

  // Use secure webserver for checkout procedure?
  define('ENABLE_SSL', 'true');

If you desire, you can goto www.renewalofthelordstemple.com/store and make an account to see this problem in action. I've tested it both in IE and Firefox.

Thanks in advance for any help.

[stevesh]

You have account approval set up, so we can't log in and poke around.

Other than the Login/Create Account page and the Checkout pages, your site shouldn't be secured. It looks like you're using a shared SSL certificate. It may not have been set up properly.

I always recommend a dedicated SSL certificate - they aren't that expensive, and usually will prevent this kind of problem.

[renewal777]

You have account approval set up, so we can't log in and poke around.

Other than the Login/Create Account page and the Checkout pages, your site shouldn't be secured. It looks like you're using a shared SSL certificate. It may not have been set up properly.

I always recommend a dedicated SSL certificate - they aren't that expensive, and usually will prevent this kind of problem.

Well, I disabled account approval sorry about that. And my host gave me this SSL certificate for free...I saw verisign's price was 1K+ a year...

I'd appreciate if you poked around now that you can though

[stevesh]

Turns out I was mistaken about the My Account page - it appears that it is secured, too.

When I add a product to my shopping cart, and then click 'Checkout', i see:

Whoops! Sorry, but you are not allowed to perform the action requested.
You are still logged in to your account and may continue shopping. Please choose a destination from a menu.

I have no idea what that means, but I'm still thinking the SSL certificate is not set up properly.


If you Google 'SSL Certificate", you'll find certs for a lot less than 1K. Never go to Verisign for anything. My host charges $100 a year, and that's high.

You also have the secure/non-secure error showing in IE7 on every page, but I can't tell what is causing it.

[renewal777]

Okay, I'd just hate to invest money into a cert to only find out that it wasn't the issue. But I suppose I don't have much of a choice. Thanks for the help.

[renewal777]

Well it seems you were correct, after getting set up with my own certificate things work great. Thank You Very Much

[renewal777]

I made a thread about this last night, but woke up in the morning to find it gone. If this is in the wrong spot/unwanted please at least PM telling me so. But perhaps there was some freak glitch that made my thread disappear Well anyway...


As per the recommendation of the Zen Cart FAQ and a fellow forum user I bought my own SSL certificate to use for my church's online store ( www.renewalofthelordstemple.com/store --My host is having some issues so unfortunately this page may or may not load for you).

Unfortunately, in IE I receive a warning, when accessing pages such as login and check out, that says "This page has secure and unsecure items...would you like to load the un secure items?" --Not exactly the warning but something along those lines. In FireFox no warning appears, but the little lock has a red line running through it.

Now I have read MANY threads about this, and the ONLY fix I ever saw was tracking down hard coded http:// urls in the code. I've checked my code 100x over and could not find any! My flash banner had a relative address, but in my desperation I made it absolute and used "https://". But still nothing.

I read a good way to find the offending images was to use Firefox's page information utility to see what images do not start with "https://". To my dismay all the Zen Cart images do not begin with "https://" ! In fact my flash banner is now the only secure image. Can anyone point me in the right direction to resolving this?

Sorry for the long post, but thank you for any help in advanced.

P.S. - Once again, I do not know why my original thread disappeared but if a mod is going to delete it could you please PM and tell me?

Thanks!
David.

[colemanpa]

What Mods do you have installed, and just changing the url to https in the scripts does not mean that that url is on a secure server.

Make sure you check the footer.

pete

[renewal777]

I have no mods installed, I've only changed some core files to allow people to enter donation amounts instead of paying fixed prices. And in the footer I'm running a javascript from my host that shows my site is secure in the bottom right hand corner. But that is secure...

Code:

<script type="text/javascript" src="https://siteseal.servage.net/html.php?seal=2"></script>

I just tried removing it, but I still get the issues. Also I've switched my flash banner back to being relative rather then absolute with https://

This is quite frustrating.

[Merlinpa1969]

Well I managed to get in,
Parse Time: 94.601 - Number of Queries: 121 - Query Time: 97.724540222

it happened to open while I was looking at something else before I posted..

If you do a quick search of the forums for your host I beleive this has been dealt with before, ( not sure it was solved but at least talked about )

If memory servers me your host has issues with ssl setups.

did you buy a dedicated ssl or did you buy their shared ssl?

I only ask because the ssl siteseal is produced by your host