Unable to login and checkout: page not found bug!


Urchin Software
5-26-04, 10:17 AM
Hi there,

I installed osCommerce to a subdir called 'oranje' (translated: orange) and access it with the url http://oranje.urchin.nl/ and http://urchin.secure.powweb.com/oranje/ for secure traffic.

I tweaked it a bit (e.g. installed Dutch language pack) and found out that there is a bug in osCommerce, which results in customers not being able to checkout their orders and not being able to login. It appears that this has nothing to do with my tweaking, but is a flaw by design (according to http://forums.oscommerce.com/index.php?showtopic=74717&hl= ).

The error when trying to checkout occurs in https://urchin.secure.powweb.com/oranje/checkout_success.php?action=update&osCsid=xxx (https://urchin.secure.powweb.com/oranje/checkout_success.php?action=update&osCsid=93562632b9c2f29a80582eba53f35e74). I added a message to show the notify_string, which appears to be invalid: action=notify&notify[]=

Logging in shows the same result: page not found (404).

Is there anyone who has had similar problems and managed to fix them?

Here's my configuration.php:


define('HTTP_SERVER', 'http://oranje.urchin.nl'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://urchin.secure.powweb.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'oranje.urchin.nl');
define('HTTPS_COOKIE_DOMAIN', 'urchin.secure.powweb.com');
define('HTTP_COOKIE_PATH', '/oranje/');
define('HTTPS_COOKIE_PATH', '/secureoranje/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/oranje/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/www/u/r/urchin.nl/htdocs/oranje/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

stevel
5-26-04, 10:40 AM
This is not a flaw in osCommerce. This works fine when properly set up - I have a test store set up this way on PowWeb.

I see that your DIR_WS_CATALOG define is incorrect - it should be /oranje/. HTTPS_COOKIE_PATH is incorrect - it should be /oranje/

Are you using a .htaccess to redirect requests from the top-level folder into /oranje/? I'm not sure how that plays with SSL.

Urchin Software
5-26-04, 10:53 AM
Hi stevel,

You are right: I use a .htaccess to redirect requests from the top-level folder into /oranje/. It only works for http and not for https. I'm able to access other https pages, e.g. when I register myself as a new customer. Only logging in and checking out an order fail.

The DIR_WS_CATALOG in my opinion should be "/" as the main serverpath is http://oranje.urchin.nl and points directly to the catalog folder.

I'll try the cookiepath you suggested and if that doesn't work, I'll try to remove the .htaccess rewrite for oranje.urchin.nl. See if that helps.

Any other suggestions or info are more than welcome!

stevel
5-26-04, 11:38 AM
The cookie path won't affect this problem - at most it will prevent osC from storing cookies while in SSL mode.

The problem is related to the use of .htaccess - I don't know how this plays with SSL. I did an experiment with a pointed domain and found that error documents for the pointed domain weren't applied when I used https (it used the default from the main domain.)

My recommendation is to either move the store to the top level, or use a redirect (not a rewrite) to get accesses of the top level into your oranje subfolder.

Urchin Software
5-26-04, 05:47 PM
Thank you for your help Steve. But as it seems for now, it isn't related to error-documents not being properly forwarded. The 404-error tricked me into thinking that the error concerns the url appearing in the browser's address-bar. In fact osCommerce tries to load *another* page (redirect from HTTP to HTTPS) which causes the 404-error. Even fooled me for an hour or so ;-)

It appears that osCommerce *assumes* that the catalog is in the same folder for SSL-traffic as for NON-SSL-traffic. When it needs to go from NON-SSL to SSL (e.g. when logging in), it just changes the servername and thinks everything will work just fine. But in NON-SSL-mode my catalog is in the root, when in SSL-mode it resides in the /oranje-directory.

I made a small adjustment and it now works like a charm.

Once again, thanks for your help :)

If anyone ever uses different directorynames for their catalog in HTTP and HTTPS, then look here first: redirect link on checkout success page bug (http://www.oscommerce.com/community/bugs,1429)

stevel
5-26-04, 08:14 PM
No, it doesn't assume. That's what DIR_WS_HTTPS_CATALOG is for. There are some hosts (thankfully NOT PowWeb) which force you to put a copy of SSL content in a separate folder. osC can handle this, if you set it up properly.

I don't believe that the behavior described on that page is a bug. I think it is a misunderstanding.

Urchin Software
5-27-04, 04:20 PM
The only misunderstanding is that osCommerce does *NOT* contain this bug! Other people confirmed this bug on the osCommerce-forum (http://www.oscommerce.com/community/bugs,1429).

Yes, I know there are two catalogdirs (DIR_WS_HTTPS_CATALOG and DIR_WS_HTTP_CATALOG), but they are not used when osCommerce redirects from HTTP to HTTPS.

An example to prove I'm right ;)

normal site: http://oranje.urchin.nl (is internally rewritten to www.urchin.nl/oranje)
secure site: http://urchin.secure.powweb.com/oranje

relevant settings in configure.php


define('HTTP_SERVER', 'http://oranje.urchin.nl');
define('HTTPS_SERVER', 'https://urchin.secure.powweb.com');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/oranje/');

When you want to login it will execute a redirect-script called 'tep_redirect' in 'oranje/includes/functions/general.php'. At one time this script notices that you are using HTTP and needs to redirect to the HTTPS-version of the page. This is the part where it goes wrong.

I don't know how your php-knowledge is, but the following fragment of code shows that it's only replacing the HTTP-servername with the HTTPS-servername: *COMPLETELY IGNORING TO REPLACE THE CATALOG DIRNAME*, because it wrongly assumes that it's the same location, but in my case it isn't. See the line where $url is changed:


////
// Redirect to another page or site
function tep_redirect($url) {
  if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
    if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
      $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
    }
  }
  header('Location: ' . $url);
  tep_exit();
}

Cheers!
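
Added example, not part of the original posts and not the adjustment the poster made (the thread does not show it): the `$url` substitution quoted above next to a variant that swaps the catalog prefix along with the server name, run on constructed URLs built from the thread's configure.php values. The function names `rewrite_server_only` and `rewrite_server_and_catalog` are hypothetical.

```php
<?php
// Values copied from the configure.php excerpt in the thread.
define('HTTP_SERVER', 'http://oranje.urchin.nl');
define('HTTPS_SERVER', 'https://urchin.secure.powweb.com');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/oranje/');

// Same substitution as the $url line in the quoted tep_redirect():
// only the server prefix is swapped, the path is carried over unchanged.
function rewrite_server_only(string $url): string {
    if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) {
        $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER));
    }
    return $url;
}

// Hypothetical variant: treat server + catalog directory as one prefix,
// so a different catalog path on the SSL host is substituted as well.
function rewrite_server_and_catalog(string $url): string {
    $httpBase = HTTP_SERVER . DIR_WS_HTTP_CATALOG;
    if (strncmp($url, $httpBase, strlen($httpBase)) !== 0) {
        return $url; // not a non-SSL catalog URL: leave untouched
    }
    return HTTPS_SERVER . DIR_WS_HTTPS_CATALOG . substr($url, strlen($httpBase));
}

// Constructed sample URLs (file names from the thread, session id is a placeholder).
$samples = [
    'http://oranje.urchin.nl/login.php',
    'http://oranje.urchin.nl/checkout_success.php?action=update&osCsid=xxx',
    'https://urchin.secure.powweb.com/oranje/login.php', // already on the SSL host
];

foreach ($samples as $url) {
    printf(
        "%s\n  server only:      %s\n  server + catalog: %s\n",
        $url,
        rewrite_server_only($url),
        rewrite_server_and_catalog($url)
    );
}
```

With these settings the server-only rewrite drops the `/oranje/` directory from the SSL URL, which is the location that returns the 404 described in the thread.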