Login Problem (Double Redirect?)

[PanZC2020]

Dear, Zen Cart Communities

===

General Info

Website: http://www.homepromedical.com
Zen Cart Version: 1.5.1
Zen Cart Installed:
20110912 as Ver. 1.3.9h
Upgraded to Ver. 1.5.1 on 20140317
Installed/Updated Method: FTP via FileZilla with zc_install
PHP Version: 5.2.17 (Zend: 2.2.0)
Database: MySQL 5.3.12
HTTP Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_bwlimited/1.4

Installed Mods

COWOA
Sitemap XML
Zen Lightbox
Ultimate SEO
Edit Orders
Ty Package Tracker
Super Orders
Image Handler 4
Customer Tax Exempt v1.30


===

From original topic of - http://www.zen-cart.com/showthread.p...earch-Problems

After I knock myself over the table several times. I compare files on login.php (and other relate files to login), I do think I find there must be something related to "link redirect" problem.

Here is a test.

1. Go to http://homepromedical.com/cart/
2. Go to "Members Area / Log In" link on the top right
3. Click "Sign Up" and proceed to normal account registration
4. After you registered, you will be possibly get auto-logged in and landed into "My Account Information" page. Click "Log Out"
5. You will be landed on "Log Off" page, click on "log back into your account."
6. Now try to relogin.
7. "404 Not Found" appeared...

Side Note: This website is using Shared SSL. Therefore, the SSL pages are having the server hosting's domain instead of the actual website's domain.

---

What I find is this...

Login Page URL

Code:

http://homepromedical.com/cart/index.php?main_page=login

After I logged in, resulted the "404 Not Found" error. URL is... [With session ID attached]

Code:

https://vh15.nethosting.com/cart/index.html?zenid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Press browser's back button, lead to this "Member Area" page. This page is suppose to be load after user logged in.

Code:

https://vh15.nethosting.com/~roni482/cart/index.php?main_page=account&zenid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Log out lead to this log off page.

Code:

https://vh15.nethosting.com/~roni482/cart/index.php?main_page=logoff&zenid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Press "log back into your account" lead to this URL.

Code:

https://vh15.nethosting.com/~roni482/cart/index.php?main_page=login&zenid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---

Now, I try to do something odd...

Try to logging in.

Code:

http://homepromedical.com/cart/index.php?main_page=login

Press STOP (X) loading before the page finish loading. (Pretty much you must press X as soon as you pressed "Enter" to login) This is the URL that it attempted to load...

Code:

https://vh15.nethosting.com/~roni482/cart/index.php?main_page=account&zenid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I find that the redirect URL is proper. However, somehow, there is something wrong on the final step that lead to the STRIP OUT part of URL and lead to the 404 page instead. I'm not exactly sure what is the case leading to this... It seems that there is another redirect before the page finally being display.

I compare the files carefully. It does not related to login.php files since not only it had INITIALLY the proper redirect, but files are NEARLY IDENTICAL (the only differences is the additional codes from COWOA).

Sincerely, PanZC2020 (November 4th, 2014)

[lat9]

Would you post the contents of your /includes/configure.php file, from the HTTP_SERVER to the DIR_WS_HTTPS_CATALOG definitions?

[PanZC2020]

The store's configure.php file (removed comments)...

Code:

define('HTTP_SERVER', 'http://homepromedical.com');
define('HTTPS_SERVER', 'https://vh15.nethosting.com/~roni482');

define('ENABLE_SSL', 'true');

define('DIR_WS_CATALOG', '/cart/');
define('DIR_WS_HTTPS_CATALOG', '/cart/');

Sincerely, PanZC2020 (November 5th, 2014)

[lat9]

What company supplies your web-hosting?

[lat9]

One other thing, is the same behavior exhibited by the site if you temporarily change to use the default/classic template?

Update: It won't. The "Member's Area/Login" link looks like:

Code:

<a href="index.php?main_page=login">Members Area / Log In</a>

implying (to me, at least) that this has been hard-coded in the header code instead of using the zen_href_link function that would have properly generated the https: link to the login page.

[lhungil]

Thank You for using "code" tags when posting the content (really helps out when reading)!

I am seeing a 301 redirect...
Can you temporarily disable "automatic redirects" in Ultimate URLs (and see what happens)?
Can you post the contents of your .htaccess files (in "/" folder and in the "/cart" folder)?


NOTE: If the link is hardcoded instead of using zen_href_link() - this is not recommended and will cause some issues down the road.

[lhungil]

I'm also not seeing the "canonical" tag. This is automatically generated by Zen Cart and will show up unless the theme / template has omitted the code to add this tag.

[PanZC2020]

The hosting is provided by NetHosting - http://www.nethosting.com/

I think I found the problem is related to Ultimate SEO.
I made "Enable automatic redirects?" to FALSE and the login now go back to Homepage instead of 404 page.

However, about the hard coding... It's the template that does that.

This current template layout is from the file called store_template.xtpl in the /cart folder. The company that made this template used the XTPL file as the skeleton layout.

I do think XTPL file is used as PHP XTemplate - http://sourceforge.net/projects/xtpl

On this file, the header section becomes...

Code:

<div id="mainWrapper">
   <div id="headerWrapper">

    <div id="designBannerOneAspire" class="designBanner">
		{DESIGN_BANNER1}
		<p class="phone">800-437-3677</p>
		<p class="address">759 Hicks Street - Brooklyn, NY 11231</p>
	</div>
...

In fact, you can find this code in Google (possibly not intended, but it out there anyways). Just search for "store_template.xtpl."

The DESIGN_BANNER1 is then part of one of SQL table in the database, that looked like the image below...
http://imageshack.com/a/img910/4494/jRA53s.png

(value of "zenid" is actually a bunch of mixed numbers and letters, but I replaced with "xxxx" when taking this PrintScreen.)

The code of interest:

Code:

<a href="index.php?main_page=login">Members Area / Log In</a> - <a href="index.php?main_page=shopping_cart">View Cart</a></td>

So, basically, not only hard code, but also in database.

I had learned about it quite a heck long time now about this XTPL thing. The code in the database able to add the inline CSS or inline JavaScript, but NOT anything like PHP variables or PHP codes. I tried to toss around the "zen_href_link" function with PHP wrapping. Nope, it refused to even render the site.

Personally, I don't like this approach neither. But until I can find good responsive template that can be replace without breaking website out of the water, I will have to keep this template for the time being.

Also, I do think that because of this template mechanism, it does not has any "canonical" tag at all.

(PS. I'm personally not that great when it come to graphic design.)
(PPS. The server's host (and the website's domain) passed the Qualys' SSL Server Test - https://www.ssllabs.com/ssltest/ - with grade of A. Also removed all payment gateway files related to any references of SSLv3.))

Sincerely, PanZC2020 (November 5th, 2014)

[lhungil]

Thank You for confirming you needed to disable "automatic redirects" in Ultimate URLs 2.212 when using a shared SSL certificate (this option is disabled by default in Ultimate URLs 2.212).


You need to fix the theme / template to properly add the "canonical" tag.
When you install a module such as CEON URI, Ultimate URLs, Simple SEO, etc to provide alternative URLs for your website - each page on your site becomes accessible from both the original URLs and the alternative URLs. Because your theme / template fails to add the "canonical" tag, this means search engines (SEs) may see your pages as duplicate content (if the same page is crawled via more than one URL). Normally this is not a huge deal for a brand new site (with no URL history in SEs or customer's browsers). However it can become a problem when the name of a category, product, manufacturer, ez-page, etc are changed (as the URL changes).

You should look into investing in a dedicated SSL certificate.
This allows one to set HTTP_SERVER and HTTPS_SERVER to the same domain name and path. When Zen Cart is configured this way the "automatic redirect" code in Ultimate URLs version 2.212 will work as expected. This would let Ultimate URLs handle automatically generating a 301 when an old URL is requested - properly indicating to SEs the page has moved.

The alternative is to manually add and manage 301 redirects in a .htaccess file (when the names change).

You should update the theme / template to use zen_href_link()
Best Practice is to not hard code internal Zen Cart URLs. Doing so runs a high risk of causing unnecessary redirects (and potentially cause additional issues down the road). Using hard coded URLs also means you will need to manually edit every "HTML snippet" stored in the database with the old URL to update the URLs when they change.

For example, the URL "index.php?main_page=login" should be changed to the correct URL ("https://vh15.nethosting.com/~roni482/cart/index.php?main_page=login").


NOTE: Unless the above recommendations are followed, tasks normally managed automatically on your behalf by Zen Cart will need to be managed instead by hand.