
Temporary Fix for SSL



SSL is such an important part of this project and the current SSL implementation requires permanently running the store under https which is a drain on server resources. If SSL is turned on without a permanent https force (The way it should be!) users receive annoying notices from the browser. ('page contains both secure and nonsecure items')

I decided to write some code to manage the site swapping from https to http avoiding that pesky message and saving the server resources from encrypting everything.

Please note this is a temporary fix as it's merely catching the https pages before the message displays and redirecting users to the correct http address. A permanent fix would probably involve rewriting much of the base code so that's something for developers to look into.

Place the following code in init.php immediately AFTER the line that begins $protocol = (isset($useSSL)
and BEFORE the line $smarty->assign(array(

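// Request arrived over https but this page is meant to be plain http: send the visitor back to http.
// cart.php is left alone so the ajax cart keeps working from https pages.
if(isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on" && $protocol == 'http://' && strpos($_SERVER["REQUEST_URI"],'cart.php') === false) {
   $newurl = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
   header("Location: $newurl");
   exit();
}
// Page requires https ($useSSL = true) but the request arrived over http: send the visitor to https.
elseif($protocol == 'https://' && !isset($_SERVER["HTTPS"])) {
   $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
   header("Location: $newurl");
   exit();
}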



[edit 30th Dec 08] : Fixed the issue with ajax cart delete item not working, code updated

Also, if you would like an http page to be under https simply edit the related PHP page placing the following at the top of the file immediately after the opening <?php tag.

$useSSL = true;


I might have spoken too soon before. I have noticed a bug in this fix. If the secure certificate is installed on a http://www. address, the code doesn't work right when trying to delete an item from the shopping cart summary page after you have entered ssl. On my system, it caused a redirect loop error because I have my .htaccess set up to rewrite all http:// to http://www. As for the ajax shopping cart itself, now it's giving me an "ERROR : unable to delete the product" message if you try to delete in SSL mode. If I disable ajax in the backoffice, and add "https://www." to your elseif script above as the $newurl everything works fine. But I would prefer the ajax cart and menu functions to be active. What can be changed to correct this?


I have not tried this workaround, but, I agree that this SSL problem needs to be fixed by the developers...


If it's an issue, how can dev guys include this without testing!?... Must be fixed asap...

The problem with ssl and "www." in the urls on the cart summary page issue has to do with the way Roberto's temporary fix was written. I was able to fix that by slightly altering his script to include the "www." on the https $newurl portion.

Maybe Roberto can tweak his script to include a wildcard or variable to take the www / non-www issue into account?

But the delete function inside the ajax cart probably has something to do with the way the ajax cart scripts are written themselves. As a work around, I changed the error message in /modules/blockcart/ajax-cart.js to make it look like that function was not available in secure mode. However, I'd really like it to work correctly. I suspect the problem is somewhere in that script (ajax-cart.js).


goldleviathon,

RE: www. issue
The script assumes that secure and unsecure addresses are identical apart from the http/https bits. Therefore it will only work in the following circumstances;

http://domain.com assumes https://domain.com
http://www.domain.com assumes https://www.domain.com

If either address has a www. prefix and the other doesn't (eg http://domain.com and https://www.domain.com), then pasting in the above script won't work as it only changes the protocol.

For anyone else experiencing this issue;

// EDIT AS FOLLOWS
// change
   $newurl = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
// to
   $newurl = "http://YOUR-UNSECURE-DOMAIN.com" . $_SERVER["REQUEST_URI"];

// change
   $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
// to
   $newurl = "https://YOUR-SECURE-DOMAIN.com" . $_SERVER["REQUEST_URI"];

// REMEMBER TO EDIT THE ABOVE ADDRESSES TO REFLECT YOUR SETUP



Please note, I haven't tested the above but it should be ok.

RE: ajax-cart delete issue
I'll take a look and post a reply if resolved. ;)

Roberto


I've resolved the ajax cart issue and the delete function now also works under https pages.

For those that are already using the code, replace:

if(isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on" && $protocol == 'http://') {


with

if(isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on" && $protocol == 'http://' && strpos($_SERVER["REQUEST_URI"],'cart.php') === false) {



For everyone else, I've updated the code in the thread starter.

Roberto
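
An added example, not part of the original posts or of PrestaShop: the redirect decision from this thread as one function, with the www / non-www hosts taken from configuration and the cart.php exemption kept. `sslRedirectTarget`, `shop.example` and `www.shop.example` are hypothetical names, and the sample requests are constructed.

```php
<?php
// Added example: hypothetical helper, not PrestaShop code.
// $plainHost / $secureHost are assumed configuration values (placeholders).

/**
 * Return the URL the request should be redirected to, or null when the
 * request is already on the scheme that $protocol asks for.
 */
function sslRedirectTarget(array $server, $protocol, $plainHost, $secureHost)
{
    // Goes beyond the thread's check: some servers set HTTPS to "off" on
    // plain requests, so test the value and not only isset().
    $isHttps = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // Accept only a local path; "//host/..." would change the target host.
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    if ($uri === '' || $uri[0] !== '/' || strpos($uri, '//') === 0) {
        $uri = '/';
    }

    // cart.php stays on https so ajax cart calls made from https pages work.
    // Stricter than the thread's strpos(): matches the script name only.
    $path = parse_url($uri, PHP_URL_PATH);
    $isCart = is_string($path) && basename($path) === 'cart.php';

    if ($isHttps && $protocol === 'http://' && !$isCart) {
        return 'http://' . $plainHost . $uri;    // leave https
    }
    if (!$isHttps && $protocol === 'https://') {
        return 'https://' . $secureHost . $uri;  // enter https
    }
    return null;
}

// Constructed sample requests: array($_SERVER values, $protocol from init.php).
$samples = array(
    array(array('HTTPS' => 'on',  'REQUEST_URI' => '/category.php?id_category=2'), 'http://'),
    array(array('HTTPS' => 'on',  'REQUEST_URI' => '/cart.php?delete=1'), 'http://'),
    array(array('HTTPS' => 'off', 'REQUEST_URI' => '/order.php?step=1'), 'https://'),
    array(array('HTTPS' => 'on',  'REQUEST_URI' => '/order.php?step=1'), 'https://'),
);
foreach ($samples as $s) {
    $target = sslRedirectTarget($s[0], $s[1], 'shop.example', 'www.shop.example');
    echo $s[0]['REQUEST_URI'], ' => ', ($target === null ? '(no redirect)' : $target), "\n";
}
```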


  • 3 weeks later...

Hi Roberto

Thank you for working for a solution to this - I didn't realise until recently that it was even a problem!

I've tried the code you have written on my site sentientcom . co . uk, but the problem is still there (I tried clearing cache). Does anyone have any ideas on this, or could I have done something wrong (more than likely!).


FYI: I just tested your site and it looks like it's working fine.

I've just installed it and it works fine for me as well. Thanks!


Hi Roberto

Thank you for working for a solution to this - I didn't realise until recently that it was even a problem!

I've tried the code you have written on my site sentientcom . co . uk, but the problem is still there (I tried clearing cache). Does anyone have any ideas on this, or could I have done something wrong (more than likely!).

I think I know what the problem is - I have a feedburner feed showing on the pages. I have tried excluding it from the pages that require https, and it almost works!

The feed is using the Addstuff module to display, so I have tried excluding it from the following hooks:

authentification.php, addresses.php, best-sales.php, cart.php, conditions.php, delivery.php, discount.php, init.php, my-account.php, order-confirmation.php, order-detail.php, order-follow.php, order-return.php, order-slip.php, order.php, password.php, secure-payment.php,

So it works when I put something in the basket and it goes to https, but then when I click on next, it goes to authentication.php?back=order.php?step=1 and the feed displays again. If I only want to display it on the Homepage, where do I need to exclude it from?

Thanks for all the help with this.


Does this (and Prestashop, really) require the SSL to be keyed with http://www.yourdomain.com instead of http://yourdomain.com?

I'm getting mixed content warnings in IE even after installing this mod and I wonder if it's because my SSL certificate is keyed for http://mydomain.com.


Make sure you do not have content (images, rss feeds, etc) loading from a third party that are unsecured on your ssl pages.

Does this (and Prestashop, really) require the SSL to be keyed with http://www.yourdomain.com instead of http://yourdomain.com?

I'm getting mixed content warnings in IE even after installing this mod and I wonder if it's because my SSL certificate is keyed for http://mydomain.com.


Make sure you do not have content (images, rss feeds, etc) loading from a third party that are unsecured on your ssl pages.


Hi

Yes, that's what I'm trying to do, I've excluded my modules that contain these from the .php files, but it reappears when you get to authentication.php?back=order.php?step=1

Make sure you do not have content (images, rss feeds, etc) loading from a third party that are unsecured on your ssl pages.


All the content on the site (images, css, etc) is from within the site. I had installed the links module which used some absolute links (http://mydomain.com/privacty-policy.php) but I removed that and things have improved.

The problem happens when you are in the checkout procedure. If you are checking out (within https pages) and then click one of the category links in the left column, which get rewritten automatically with https, it gives you a "page contains secure and nonsecure items" warning.

You can have a look if you like... http://surfshackbaby.com

Does this (and Prestashop, really) require the SSL to be keyed with http://www.yourdomain.com instead of http://yourdomain.com?

I'm getting mixed content warnings in IE even after installing this mod and I wonder if it's because my SSL certificate is keyed for http://mydomain.com.


More likely you are loading images/photos in your page with "http" instead of "https"...

  • 2 months later...
goldleviathon,

RE: www. issue
The script assumes that secure and unsecure addresses are identical apart from the http/https bits. Therefore it will only work in the following circumstances;

http://domain.com assumes https://domain.com
http://www.domain.com assumes https://www.domain.com

If either address has a www. prefix and the other doesn't (eg http://domain.com and https://www.domain.com), then pasting in the above script won't work as it only changes the protocol.

For anyone else experiencing this issue;
// EDIT AS FOLLOWS
// change
   $newurl = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
// to
   $newurl = "http://YOUR-UNSECURE-DOMAIN.com" . $_SERVER["REQUEST_URI"];

// change
   $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
// to
   $newurl = "https://YOUR-SECURE-DOMAIN.com" . $_SERVER["REQUEST_URI"];

// REMEMBER TO EDIT THE ABOVE ADDRESSES TO REFLECT YOUR SETUP



Please note, I haven't tested the above but it should be ok.

RE: ajax-cart delete issue
I'll take a look and post a reply if resolved. ;)

Roberto



I am unsure as to what to put into the "Server_Name" and the "Request_URI" spaces. Could someone help me? Is it the same as my primary url address??

Hi guys,

Well, Roberto's fix works fine, but I have a small issue :

Once logged in, if I click on a link in the My Account block, everything is ok, but if I click on another link (category, tags...), the page is called with a correct https, but redirected to its http version. The links are correct (https), but I cannot stay in https mode while browsing the shop.

Does anybody know why?

Thanks


  • 2 weeks later...
  • 2 weeks later...

I have the same problem and Roberto's fix has not resolved it. Check out https://www.sport-xp.com/v2/ for a mixed content error message. I don't have Google adsense or any third party content on the page but I have noticed that the base href in the source code is a http instead of an https, surely that's not right? Could that be causing the error messages?

surfshackbaby, your site seems to be working fine now, what's your secret?

thanx guys
Lucie Jane
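
An added example, not part of the original posts or of PrestaShop: a small PHP scanner for the causes of the mixed-content warning raised in this thread (resources loaded over http and an http base href). `findInsecureReferences` is a hypothetical name and the sample page is constructed; the DOM extension is assumed to be enabled.

```php
<?php
// Added example: hypothetical scanner, not part of PrestaShop.

/**
 * List the references in an HTML page that make a browser fetch something
 * over http, which is what triggers the warning on an https page.
 */
function findInsecureReferences($html)
{
    // tag => attribute that causes a subresource fetch
    $fetching = array('img' => 'src', 'script' => 'src', 'iframe' => 'src',
                      'embed' => 'src', 'object' => 'data', 'link' => 'href');
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate real-world, non-valid HTML
    $doc->loadHTML($html);
    libxml_clear_errors();

    $findings = array();
    // An http <base href> resolves every relative URL on the page to http.
    foreach ($doc->getElementsByTagName('base') as $base) {
        $href = trim($base->getAttribute('href'));
        if (stripos($href, 'http://') === 0) {
            $findings[] = "base href=$href";
        }
    }
    foreach ($fetching as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            // Only stylesheet/icon links are fetched with the page;
            // rel="alternate" (feed autodiscovery) is not.
            if ($tag === 'link' && !preg_match('/\b(stylesheet|icon)\b/i', $node->getAttribute('rel'))) {
                continue;
            }
            $url = trim($node->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $findings[] = "$tag $attr=$url";
            }
        }
    }
    return $findings;
}

// Constructed sample page (hosts and paths are placeholders).
$page = <<<HTML
<html><head>
<base href="http://www.shop.example/" />
<link rel="stylesheet" href="https://www.shop.example/css/site.css" />
<link rel="alternate" type="application/rss+xml" href="http://www.shop.example/rss.php" />
<script src="http://feeds.example.net/widget.js"></script>
</head><body>
<img src="/img/logo.jpg" />
<img src="http://www.shop.example/img/banner.jpg" />
</body></html>
HTML;
foreach (findInsecureReferences($page) as $finding) {
    echo $finding, "\n";
}
```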


  • 4 weeks later...

I tried the temporary fix for SSL and I had similar issues.
One was a message about "shopping cart is empty" and the other one was product deleting from cart error.

I replaced the ini.php file with the original but it is still doing the same. The only way to get rid of it is to disable ssl from the back office. I am also getting Webpage Script Errors.

This is the ini.php that might have got messed up somewhere.

<?php

if (!isset($smarty))
exit;

/* Theme is missing or maintenance */
if (!is_dir(dirname(__FILE__).'/themes/'._THEME_NAME_))
die(Tools::displayError('Current theme unavailable. Please check your theme directory name and permissions.'));
elseif (basename($_SERVER['PHP_SELF']) != 'disabled.php' AND !intval(Configuration::get('PS_SHOP_ENABLE')))
$maintenance = true;

ob_start();
global $cart, $cookie, $_CONF, $link;

/* get page name to display it in body id */
$pathinfo = pathinfo(__FILE__);
$page_name = basename($_SERVER['PHP_SELF'], '.'.$pathinfo['extension']);
$page_name = (ereg('^[0-9]', $page_name)) ? 'page_'.$page_name : $page_name;

$cookie = new Cookie('ps');
Tools::setCookieLanguage();
Tools::switchLanguage();
/* attribute id_lang is often needed, so we create a constant for performance reasons */
define('_USER_ID_LANG_', intval($cookie->id_lang));

if (isset($_GET['logout']) OR ($cookie->logged AND Customer::isBanned(intval($cookie->id_customer))))
{
$cookie->logout();
Tools::redirect(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : NULL);
}
elseif (isset($_GET['mylogout']))
{
$cookie->mylogout();
Tools::redirect(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : NULL);
}

$iso = strtolower(Language::getIsoById($cookie->id_lang ? intval($cookie->id_lang) : 1));
@include(_PS_TRANSLATIONS_DIR_.$iso.'/fields.php');
@include(_PS_TRANSLATIONS_DIR_.$iso.'/errors.php');
$_MODULES = array();

$currency = Tools::setCurrency();

if (is_numeric($cookie->id_cart))
{
$cart = new Cart(intval($cookie->id_cart));
$cart->id_lang = intval($cookie->id_lang);
if ($cart->OrderExists())
unset($cookie->id_cart, $cart);
else
{
if ($cookie->id_customer)
$cart->id_customer = intval($cookie->id_customer);
$cart->id_currency = intval($cookie->id_currency);
$cart->update();
}
}

if (!isset($cart) OR !$cart->id)
{
$cart = new Cart();
$cart->id_lang = intval($cookie->id_lang);
$cart->id_currency = intval($cookie->id_currency);
if ($cookie->id_customer)
$cart->id_customer = intval($cookie->id_customer);
}
if (!$cart->nbProducts())
$cart->id_carrier = NULL;

$ps_language = new Language(intval($cookie->id_lang));
setlocale(LC_TIME, strtolower($ps_language->iso_code).'_'.strtoupper($ps_language->iso_code).'@euro',
strtolower($ps_language->iso_code).'_'.strtoupper($ps_language->iso_code), strtolower($ps_language->iso_code));

if (is_object($currency))
$smarty->ps_currency = $currency;
if (is_object($ps_language))
$smarty->ps_language = $ps_language;

$smarty->register_function('dateFormat', array('Tools', 'dateFormat'));
$smarty->register_function('productPrice', array('Product', 'productPrice'));
$smarty->register_function('convertPrice', array('Product', 'convertPrice'));
$smarty->register_function('convertPriceWithoutDisplay', array('Product', 'productPriceWithoutDisplay'));
$smarty->register_function('convertPriceWithCurrency', array('Product', 'convertPriceWithCurrency'));
$smarty->register_function('displayWtPrice', array('Product', 'displayWtPrice'));
$smarty->register_function('displayWtPriceWithCurrency', array('Product', 'displayWtPriceWithCurrency'));
$smarty->register_function('displayPrice', array('Tools', 'displayPriceSmarty'));

$smarty->assign(Tools::getMetaTags(intval($cookie->id_lang)));
$smarty->assign('request_uri', Tools::safeOutput(urldecode($_SERVER['REQUEST_URI'])));

/* Breadcrumb */
$navigationPipe = (Configuration::get('PS_NAVIGATION_PIPE') ? Configuration::get('PS_NAVIGATION_PIPE') : '>');
$smarty->assign('navigationPipe', $navigationPipe);

$protocol = (isset($useSSL) AND $useSSL AND Configuration::get('PS_SSL_ENABLED')) ? 'https://' : 'http://';

$smarty->assign(array(
'base_dir' => __PS_BASE_URI__,
'base_dir_ssl' => (Configuration::get('PS_SSL_ENABLED') ? 'https://' : 'http://').htmlspecialchars($_SERVER['HTTP_HOST'], ENT_COMPAT, 'UTF-8').__PS_BASE_URI__,
/* If the current page need SSL encryption and the shop allow it, then active it */
'protocol' => $protocol,
'img_ps_dir' => _PS_IMG_,
'img_cat_dir' => _THEME_CAT_DIR_,
'img_lang_dir' => _THEME_LANG_DIR_,
'img_prod_dir' => _THEME_PROD_DIR_,
'img_manu_dir' => _THEME_MANU_DIR_,
'img_sup_dir' => _THEME_SUP_DIR_,
'img_ship_dir' => _THEME_SHIP_DIR_,
'img_col_dir' => _THEME_COL_DIR_,
'img_dir' => _THEME_IMG_DIR_,
'css_dir' => _THEME_CSS_DIR_,
'js_dir' => _THEME_JS_DIR_,
'tpl_dir' => _PS_THEME_DIR_,
'modules_dir' => _MODULE_DIR_,
'mail_dir' => _MAIL_DIR_,
'pic_dir' => _THEME_PROD_PIC_DIR_,
'lang_iso' => $ps_language->iso_code,
'come_from' => 'http://'.htmlspecialchars($_SERVER['HTTP_HOST'], ENT_COMPAT, 'UTF-8').htmlentities($_SERVER['REQUEST_URI']),
'shop_name' => Configuration::get('PS_SHOP_NAME'),
'cart_qties' => intval($cart->nbProducts()),
'cart' => $cart,
'currencies' => Currency::getCurrencies(),
'id_currency_cookie' => intval($currency->id),
'currency' => $currency,
'languages' => Language::getLanguages(),
'logged' => $cookie->isLogged(),
'page_name' => $page_name,
'customerName' => ($cookie->logged ? $cookie->customer_firstname.' '.$cookie->customer_lastname : false)));
?>



Any help would be appreciated! Thank you.


  • 2 weeks later...
  • 1 month later...

With this fix and by removing the RSS feed for Social Networking icons, the SSL problem disappeared in IE8. After wasting a day yesterday trying to (unsuccessfully) install version 1.2 I decided instead to fix all the problems I'm having with version 1.1 !

Does anyone know how to modify the Block RSS2.0 v0.3 so that it is SSL compatible ?

thanks
Andrew
