Shared SSL + login problem

[drone115b]

using zen-cart v1.3.8a with webhost hostmonster.com

We're trying to engage shared SSL. I've followed instructions, updating the two relevant configuration.php files; however, when SSL is engaged in these files, neither admin nor customers can log in.

Customers logging in get "There was a security error trying to log in." Admin gets a loop, back to the login page.

Sessions are stored in db, and I flushed cookies and all that. This is a new install (new store) but so too I also verified that the appropriate hidden fields are available whenever a password box is drawn (ala https://www.zen-cart.com/tutorials/i...hp?article=312) I am using a custom template, but it does not have tpl_login_default.php files. Almost everything is in the ccs and tpl_header & tpl_footer files. I tried copying those tpl_login php files from the default template into my custom one, and it made no difference.

One person suggested turning off "Recreate Sessions" under Admin->configuration->sessions but this made no difference. I remain using the defaults.

One person indicated that the session.php may be old, but I verified I'm using the correct one (dated 8/12 I believe).

One person suggested sending everything through the https link, not just the secure pages, but everything. This made no difference for me.

Everything seems to be working correctly when SSL is off, but when shared SSL is used, you just can't log in. I noticed that the IP reported at the bottom of the page changes when going through the shared SSL (https://www.hostmonster.com/~username) rather than directly (http://www.username.com/). I wonder whether this invalidates the session information.

I'm out of ideas and I seem to have exhausted everything that google can tell me.

Before someone tell me how foolish I am to be using shared SSL instead of private SSL; I would like to have the answer first why my zen-cart setup does not work. That buys you the right to tell me I'm a fool. Deal?

Please?

[kobra]

Post the top part of your configure.php files
Make certian not to include any sensitive info

[drone115b]

Thanks!

Here is the ~store/include/configure.php
[snip]
[FONT="Courier New"]<?php
/**
* @package Configuration Settings circa 1.3.8
* @copyright Copyright 2003-2007 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
*/


/*************** NOTE: This file is similar, but DIFFERENT from the "admin" version of configure.php. ***********/
/*************** The 2 files should be kept separate and not used to overwrite each other. ***********/

// Define the webserver and path parameters
// HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
define('HTTP_SERVER', 'http://www.secondpeekmaternity.com');
// define('HTTP_SERVER', 'https://www.hostmonster.com/~secondpe'); // mnp 11/24/09 (Shared SSL screw up user sessions, prevent log-in)
define('HTTPS_SERVER', 'https://www.hostmonster.com/~secondpe'); // mnp 11/22/09

// Use secure webserver for checkout procedure?
define('ENABLE_SSL', 'false'); // mnp 11/22/09

// NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!
// * DIR_WS_* = Webserver directories (virtual/URL)
// these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
define('DIR_WS_CATALOG', '/catalogue/');
define('DIR_WS_HTTPS_CATALOG', '/catalogue/');
[/FONT]
[snip]



Here is the ~store/admin/include/configure.php
[snip]
[FONT="Courier New"]<?php
/**
* @package Configuration Settings circa 1.3.8
* @copyright Copyright 2003-2007 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
*/


/*************** NOTE: This file is similar, but DIFFERENT from the "store" version of configure.php. ***********/
/*************** The 2 files should be kept separate and not used to overwrite each other. ***********/

// Define the webserver and path parameters
// Main webserver: eg-http://www.your_domain.com -
// HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
// HTTP_CATALOG_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_CATALOG_SERVER is your Secure webserver: eg-https://www.your_domain.com
/*
* URLs for your site will be built via:
* HTTP_SERVER plus DIR_WS_ADMIN or
* HTTPS_SERVER plus DIR_WS_HTTPS_ADMIN or
* HTTP_SERVER plus DIR_WS_CATALOG or
* HTTPS_SERVER plus DIR_WS_HTTPS_CATALOG
* ...depending on your system configuration settings
*
* If you desire your *entire* admin to be SSL-protected, make sure you use a "https:" URL for all 4 of the following:
*/
define('HTTP_SERVER', 'http://www.secondpeekmaternity.com');
// mnp 11/24 debugging SSL+login problem define('HTTP_SERVER', 'https://www.hostmonster.com/~secondpe');
define('HTTPS_SERVER', 'https://www.hostmonster.com/~secondpe'); // mnp 11/22/09 define('HTTPS_SERVER', 'https://www.secondpeekmaternity.com');
// mnp 11/24 debugging SSL+login problem define('HTTP_CATALOG_SERVER', 'https://www.hostmonster.com/~secondpe');
define('HTTP_CATALOG_SERVER', 'http://www.secondpeekmaternity.com');
define('HTTPS_CATALOG_SERVER', 'https://www.hostmonster.com/~secondpe'); // mnp 11/22/09 define('HTTPS_CATALOG_SERVER', 'https://www.secondpeekmaternity.com');

// Use secure webserver for catalog module and/or admin areas?
define('ENABLE_SSL_CATALOG', 'false'); // mnp 11/22/09
define('ENABLE_SSL_ADMIN', 'false'); // mnp 11/22/09
[/FONT][snip]

You can see I've turned ENABLE_SSL off for the time being. When engaged, you can't log in. (Users get a failure, admin gets loop back to the login page.)

You can also see I tried the suggestion of using https for http as well.

You can see that http and https are working outside of zencart by following the links. There is a temp page in place for the time being.

Thanks for advice.

[runningrhino]

I have the same issue.

[jinglezdj]

I have a slightly different issue, in my config file at the moment SSL is turned off. However if I turn SSL on when a customer tries to login the system creates a link like this:

HTTPS://www.mydomainname.co.uk/HTTPS...mainname.co.uk

I use 1and1 for my hosting and use a shared certificate which when installed zencart I entered the correct details which are:

define('DIR_WS_HTTPS_CATALOG', 'https://sslrelay.com/mydomainname.co.uk/shop/');

I don't understand why the system is trying to put the standard HTTP domainname first.

Top of my config file is below:


/*************** NOTE: This file is similar, but DIFFERENT from the "admin" version of configure.php. ***********/
/*************** The 2 files should be kept separate and not used to overwrite each other. ***********/

// Define the webserver and path parameters
// HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
define('HTTP_SERVER', 'http://www.mydomainname.co.uk');
define('HTTPS_SERVER', 'https://www.mydomainname.co.uk');

// Use secure webserver for checkout procedure?
define('ENABLE_SSL', 'false');

// NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!
// * DIR_WS_* = Webserver directories (virtual/URL)
// these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
define('DIR_WS_CATALOG', '/shop/');
define('DIR_WS_HTTPS_CATALOG', 'https://sslrelay.com/mydomainname.co.uk/shop/');

[drone115b]

To jinglezdj:

I don't think you are intended to use DIR_WS_HTTPS_CATALOG in that way. I think that var should only be a relative path, not the full http(s) path. The full path HTTPS_SERVER is concatenated with the relative path DIR_WS_HTTPS_CATALOG to produce the result you are seeing.

In my config you can see a "correct" relative path for DIR_WS_HTTPS_CATALOG. I say it is correct because I did not futz with it - not because I have a website that works. :-I

[drone115b]

Hi All.

Bouncing around the forums for 2 days, I was able to find this:
http://www.zen-cart.com/forum/showthread.php?t=15081
from many moons ago.

This seems to imply that $request_type variable may be involved in the cross wires, causing the login woes I described - shared SSL with hostmonster is not allowing admin or customers to login correctly.

In files:
includes/init_includes/init_file_db_names.php
admin/include/init_includes/init_file_db_names.php

on line 18, $request_type gets set with a long hairy expression.

I tried the simple fix of putting this kind of logic:
if server == mydomain request_type = NONSSL
if server == hostmonster request_type = SSL
under the existing line 18 (and I turned on SSL in admin/include/configure.php and include/configure.php) and I did not immediately meet with success.

But to one of the Zen-cart developers:
Can you at least tell me whether this is a plausible path to pursue? Should I go through the effort of decoding all the logic on line 18 and compounding it with (server== mine | shared) logic so that my admin and customers can log in using shared SSL?

Thanks

[drone115b]

[Got no help, upgraded all to private SSL]