Post by akiller » Sat Jan 30, 2010 3:04 am

To date this has only been tested on OpenCart v1.3.4 and v1.4.0 using Apache on Windows and Linux, but due to its simple implementation it is likely to work on previous and future versions too (via manually editing the files rather than using the ones them from the archive).

It would obviously be great to have it implemented into the main branch of OpenCart, after being hacked to death by more experienced PHP programmers of course :).

I've included diff patches in the archive if you want to compare the changes - there are only 10 lines of code added or modified across all files though!


Installation
Either use the files in the 'Modified Files' folder (with the exception of the configuration and diff files) or install it manually as explained below.

Modified Files
/system/engine/url.php
/system/library/session.php
/config.php
/index.php


URL Class Changes (/system/engine/url.php)
It's probably easier to just replace this file than for me to detail it here. It will detect whether you are using a shared SSL configuration and if so append your current session ID to the URL when switching between non-secure and secure links.

A new Boolean function isSSL() has also been added to the bottom which also allows you to test for SSL in your controllers using $this->url->isSSL() should you require it for something else.

Find:

Code: Select all

public function http($route) {
	return HTTP_SERVER . 'index.php?route=' . str_replace('&', '&', $route);
Replace with:

Code: Select all

public function http($route) {
	return HTTP_SERVER . 'index.php?route=' . str_replace('&', '&', $route) . ((HTTPS_IS_SHARED_SERVER == 1 && $this->isSSL()) ? '&sid=' . session_id() : '');
Next, find:

Code: Select all

if (HTTPS_SERVER != '') {
	$link = HTTPS_SERVER . 'index.php?route=' . str_replace('&', '&', $route);
Replace with:

Code: Select all

if (HTTPS_SERVER != '') {
	$link = HTTPS_SERVER . 'index.php?route=' . str_replace('&', '&', $route) . ((HTTPS_IS_SHARED_SERVER == 1 && !$this->isSSL()) ? '&sid=' . session_id() : '');
Finally, before the final } add:

Code: Select all

public function isSSL() {
	return (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") ? true : false;
}

Session Class (/system/library/session.php)
This class now accepts an optional session ID as a parameter to allow OpenCart to manually specify what it should be so that we can it can keep the same ID between the non-secure and secure sites.

Find:

Code: Select all

public function __construct() {
Replace with:

Code: Select all

public function __construct($sid = null) {
Next, before the lines:

Code: Select all

session_set_cookie_params(0, '/');
session_start();
Add:

Code: Select all

if (strlen($sid = preg_replace('/[^a-zA-Z0-9\s]/', '', $sid)) > 0)
	session_id($sid);

Index File Changes (/index.php)
Here we simply read the session ID from the URL if we've been given it and pass it to the session class to use.

Find:

Code: Select all

$session = new Session();
Replace with:

Code: Select all

$session = (isset($request->get['sid'])) ? new Session($request->get['sid']) : new Session();

Configuration File Changes (/config.php)

Find:

Code: Select all

define('HTTPS_IMAGE', 'https://127.0.0.1/opencart/image/');
Add after:

Code: Select all

define('HTTPS_IS_SHARED_SERVER', '1');
It's also worth pointing out you must set the HTTPS_SERVER and HTTPS_IMAGE variables to that of your shared SSL address too.

I did originally modify the configuration to allow different paths to the non-secure and secure files, but having tested it on a live site it seems they are the same; if anyone needs this I can re-add it.



How it Works
It's essentially a very simple approach. Whenever a link exists which will transfer a user from a non-secure to a secure URL (i.e. from viewing a product to adding it to your basket) the URL includes the user's session ID (sid) within the query string; this is done automatically with modifications to /system/engine/url.php.

If the user is now on the secure domain all other HTTPS links will omit this session ID parameter because it is assumed to have already been saved by PHP and avoids cluttering up the URLs.

URLs leading back to the non-secure domain will include the session ID (this ensures a users' sessions will stick if they access the site using the HTTPS address initially); but likewise once at the non-secure domain all links to other non-secure URLs will omit the session ID.
TL;DR: The session ID parameter will be used every time a link takes you between a secure and non-secure URL to ensure your session data persists :).

With the intention of this being added to the main release of OpenCart, setting 'HTTPS_IS_SHARED_SERVER' to 0 (or anything other than 1) in the configuration file assumes you are using a proper SSL certificate and so bypasses appending the session ID - as if this mod never existed.



Security Information
Whilst searching for information on Shared SSL support on the OpenCart forums I did find some posts from Daniel stating that Shared SSL support has not yet been included because of the security issues.

Whilst I admit I'm not completely proficient in the ins-and-outs of PHP security I don't believe this modification has any security flaws which aren't already present in sessions or OpenCart itself.

Yes it does allow users to modify the URL and set any session ID they want (the input is however escaped to alpha-numeric characters only); but this is nothing which can't already be achieved by editing your browser's cookies. Infact, if you set non-alphanumeric characters in the cookie PHP will generate a warning which if not turned off will reveal the location of OpenCart on your server.

If you use Firefox install the 'Add N Edit Cookies' extension (https://addons.mozilla.org/en-US/firefox/addon/573) and you can change your PHP Session ID cookie (called PHPSESSID as standard) to whatever you want. Anyone who is looking to break into your site will likely already know about this anyway.

I assume a more secure approach would be for OpenCart to store session IDs in the database and validate them against users' IP addresses or other such check.



The length of this post feels like my dissertation all over :o.

Attachments

OpenCart Shared SSL Certificate Support


Newbie

Posts

Joined
Thu Jan 07, 2010 7:51 am

Post by Qphoria » Sat Jan 30, 2010 3:28 am

Awesome!

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Distoriton » Sat Jan 30, 2010 8:42 am

Great! Thank you very much O0

Newbie

Posts

Joined
Tue Oct 20, 2009 9:21 am

Post by Vmal » Sun May 09, 2010 7:30 am

I have applied the Shared SSL as prescribed in this post but i am getting the following error:

Warning: Header may not contain more than a single header, new line detected. in /home/housep6/public_html/system/engine/controller.php on line 22. I believe it may have something to do with the url.php but am not sure. Here is the link to the page to reproduce the error https://secure70.inmotionhosting.com/~h ... a4e4cf0da1" onclick="window.open(this.href);return false; Click on the continue button to reproduce the error. I am using Opencart 1.3.4 for this site.

All help is welcomed.

Virgal

New member

Posts

Joined
Fri Nov 06, 2009 12:26 am

Post by akiller » Sun May 09, 2010 8:30 am

Hi Vmal,

I don't see any errors on the link so this might mean you have already fixed it.

If you're still having the problem then you could try putting:

Code: Select all

echo "<pre>"; var_dump(debug_backtrace());
In protected function redirect($url) { (/system/engine/controller.php) (before exit();) and seeing what that produces - it should lead you to the part which is erroring. Post the output here if you need help.

Newbie

Posts

Joined
Thu Jan 07, 2010 7:51 am

Post by Vmal » Sun May 09, 2010 10:02 am

Since I am not a programmer everything I do is guess work and a lot of trial and error. So trying to figure this out will take weeks for me.

Here is the return.

Warning: Header may not contain more than a single header, new line detected. in /home/housep6/public_html/system/engine/controller.php on line 22

array(5) {
[0]=>
array(7) {
["file"]=>
string(62) "/home/housep6/public_html/catalog/controller/account/login.php"
["line"]=>
int(19)
["function"]=>
string(8) "redirect"
["class"]=>
string(10) "Controller"
["object"]=>
object(ControllerAccountLogin)#24 (6) {
["error:private"]=>
array(0) {
}
["id:protected"]=>
NULL
["template:protected"]=>
NULL
["children:protected"]=>
array(0) {
}
["data:protected"]=>
array(0) {
}
["output:protected"]=>
NULL
}
["type"]=>
string(2) "->"
["args"]=>
array(1) {
[0]=>
&string(77) "https://
secure70.inmotionhosting.com/~housep6/index.php?route=account/create"
}
}
[1]=>
array(5) {
["function"]=>
string(5) "index"
["class"]=>
string(22) "ControllerAccountLogin"
["object"]=>
&object(ControllerAccountLogin)#24 (6) {
["error:private"]=>
array(0) {
}
["id:protected"]=>
NULL
["template:protected"]=>
NULL
["children:protected"]=>
array(0) {
}
["data:protected"]=>
array(0) {
}
["output:protected"]=>
NULL
}
["type"]=>
string(2) "->"
["args"]=>
array(0) {
}
}
[2]=>
array(4) {
["file"]=>
string(49) "/home/housep6/public_html/system/engine/front.php"
["line"]=>
int(42)
["function"]=>
string(20) "call_user_func_array"
["args"]=>
array(2) {
[0]=>
&array(2) {
[0]=>
&object(ControllerAccountLogin)#24 (6) {
["error:private"]=>
array(0) {
}
["id:protected"]=>
NULL
["template:protected"]=>
NULL
["children:protected"]=>
array(0) {
}
["data:protected"]=>
array(0) {
}
["output:protected"]=>
NULL
}
[1]=>
string(5) "index"
}
[1]=>
&array(0) {
}
}
}
[3]=>
array(7) {
["file"]=>
string(49) "/home/housep6/public_html/system/engine/front.php"
["line"]=>
int(24)
["function"]=>
string(7) "execute"
["class"]=>
string(5) "Front"
["object"]=>
object(Front)#18 (2) {
["pre_action:protected"]=>
array(1) {
[0]=>
object(Router)#21 (3) {
["class:protected"]=>
string(14) "common/seo_url"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["error:protected"]=>
object(Router)#23 (3) {
["class:protected"]=>
string(15) "error/not_found"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["type"]=>
string(2) "->"
["args"]=>
array(1) {
[0]=>
object(Router)#22 (3) {
["class:protected"]=>
string(13) "account/login"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
}
[4]=>
array(7) {
["file"]=>
string(35) "/home/housep6/public_html/index.php"
["line"]=>
int(138)
["function"]=>
string(8) "dispatch"
["class"]=>
string(5) "Front"
["object"]=>
object(Front)#18 (2) {
["pre_action:protected"]=>
array(1) {
[0]=>
object(Router)#21 (3) {
["class:protected"]=>
string(14) "common/seo_url"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["error:protected"]=>
object(Router)#23 (3) {
["class:protected"]=>
string(15) "error/not_found"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["type"]=>
string(2) "->"
["args"]=>
array(2) {
[0]=>
object(Router)#22 (3) {
["class:protected"]=>
string(13) "account/login"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
[1]=>
object(Router)#23 (3) {
["class:protected"]=>
string(15) "error/not_found"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
}
}


Hope you can make since of it.

Virgal

New member

Posts

Joined
Fri Nov 06, 2009 12:26 am

Post by akiller » Sun May 09, 2010 10:47 pm

Hmm, I'm not too sure to be honest.

Try replacing your url.php with this one:
http://pastebin.com/Jh0kDKiX" onclick="window.open(this.href);return false;

Note that this is from 1.3.4 but as far as I'm aware it's the same in the later versions - keep a backup of your URL.php just incase.

Let me know how it goes.

Newbie

Posts

Joined
Thu Jan 07, 2010 7:51 am

Post by Vmal » Tue May 11, 2010 12:28 am

Comes back with the same return. Here is the code in the controller.php that it is having issue with.

Code: Select all

	protected function redirect($url) {
		header('Location: ' . str_replace('&', '&', $url));
		exit();
I am not sure way this would be an issue. I know it has something to do with the SSL because it was not an issue until I pointed the cart to the SSL server.

Virgal

New member

Posts

Joined
Fri Nov 06, 2009 12:26 am

Post by akiller » Tue May 11, 2010 1:20 am

What version of OpenCart do you have? It might just be broke with later versions. Let me know and I'll install them and take a look.

Newbie

Posts

Joined
Thu Jan 07, 2010 7:51 am

Post by Vmal » Tue May 11, 2010 2:22 am

I am using OpenCart 1.3.4 for this site.

New member

Posts

Joined
Fri Nov 06, 2009 12:26 am

Post by Vmal » Tue May 11, 2010 2:35 am

Is this a possible solution


SSL Problems with images in IE

Postby carha43 » Thu May 06, 2010 10:03 am
Hi to all,

first i want tell that my english is not the best. :-)

Many people have problems with SSL. We use opencart 1.4. and we also had problems with the encrypting of images in IE and so on. We found a way to fix this problems.

SSL for Admin area:

1.) Open config.php from the Admin area.

Search for:

// HTTP
define('HTTP_SERVER', 'http://www.domain.de/admin/');
define('HTTP_CATALOG', 'http://www.domain.de/');
define('HTTP_IMAGE', 'http://www.domain.de/image/');

// HTTPS
define('HTTPS_SERVER', 'http://domain.de:12345/admin/');
define('HTTPS_IMAGE', 'http://domain.de:12345/image/');

and change to:

// HTTP
define('HTTP_SERVER', 'http://www.domain.de/admin/');
define('HTTP_CATALOG', 'http://www.domain.de/');
define('HTTP_IMAGE', 'http://www.domain.de/image/');

// HTTPS
define('HTTPS_SERVER', 'https://domain.de:12345/admin/');
define('HTTPS_IMAGE', 'https://domain.de:12345/image/');

We use a Shared-SSL Certificate and we do not have an own IP and this is why we need the port for SSL (domain.de:12345). Take also a look to your certificate you need www. in front of your https domain or not.

Save and upload the config.php.

2.) Then point to system-->settings-->server in the admin area and set SSL to YES. Then save the settings.

Now your admin area runs with SSL.

SSL for Store Front:

1.) Open index.php in root folder and search for (around line 50):

define('HTTP_SERVER', $config->get('config_url'));
define('HTTP_IMAGE', HTTP_SERVER . 'image/');

if ($config->get('config_ssl')) {
define('HTTPS_SERVER', 'https://' . substr($config->get('config_url'), 7));
define('HTTPS_IMAGE', HTTPS_SERVER . '/image/');
} else {
define('HTTPS_SERVER', HTTP_SERVER);
define('HTTPS_IMAGE', HTTP_IMAGE);
}

IE shows for https:/// (3 slashes) and in front of /image/ IE show //image/ (2 slashes). This is why we take away one slash for https: inside the index.php and the slash in front of image/. Now it looks like this:

define('HTTP_SERVER', $config->get('config_url'));
define('HTTP_IMAGE', HTTP_SERVER . 'image/');

if ($config->get('config_ssl')) {
define('HTTPS_SERVER', 'https:/' . substr($config->get('config_url'), 7));
define('HTTPS_IMAGE', HTTPS_SERVER . 'image/');
} else {
define('HTTPS_SERVER', HTTP_SERVER);
define('HTTPS_IMAGE', HTTP_IMAGE);
}

Save and upload the index.php to your root folder.

Now point to system-->general and set your Store-Url to https://domain.de:12345" onclick="window.open(this.href);return false; (with or without the port. like you need it.) Then save your changes.

Now your Store Front runs also with SSL and all works wonderful.#

We tested this with IE, Firefox and Opera (newest) and we do not have any problems.

It is maybe not the best way, but it is a way. :-) You can take a look to the shop http://www.hammerbad.de/shopsystem/" onclick="window.open(this.href);return false; and test it.

Carsten from
http://www.webkonzept.org" onclick="window.open(this.href);return false;

New member

Posts

Joined
Fri Nov 06, 2009 12:26 am

Post by akiller » Wed May 12, 2010 5:47 am

Hmm, I don't think that would help.

Could you post the define('HTTPS_SERVER and HTTPS_IMAGE sections from your configuration file? (make sure you check for passwords before posting it) - I wonder if it's got a newline there at all. I could just be reading the stack wrong or the formatting got broke on the forums:

Code: Select all

&string(77) "https://
secure70.inmotionhosting.com/~housep6/index.php?route=account/create"

Newbie

Posts

Joined
Thu Jan 07, 2010 7:51 am

Post by xaldafax » Tue Aug 31, 2010 1:18 pm

Hello...

I am on Version 1.4.8 and I noticed that there is no url.php file... Does someone have an updated hack for the Shared SSL support?

I really need to get this to work and am in a situation where I cannot get a single SSL cert because it requires a separate IP and I must stay on a shared domain at this point... So anything that people can give me to help get shared SSL working would be great...

Newbie

Posts

Joined
Fri Aug 27, 2010 11:09 am

Post by jty » Sat Sep 04, 2010 1:24 pm

Hello xaldafax, have you figured it out yet
If you haven't figured it out, i'm thinking ......... I have been able to use the above code to pass a sid from domain to domain for another reason (not shared SSL) on 1.4.8.b and 1.4.9

The concept is simply to enable open cart to tag on a sid parameter in the url from site to site to pass on session information. In this context, the sites are the http and the https sites.
But we no longer have url.php. What did url.php do. Looking at it

Code: Select all

((HTTPS_IS_SHARED_SERVER == 1 && $this->isSSL()) ? '&sid=' . session_id() : '');
it looks to me like it first checks to see if shared ssl is set, if it is, then tag on the sid parameter being the session_id.
Looking at it this way, it means to me that I need to find all the places in Open Cart where it moves to SSL, find the link or the code that creates the link and tag on the sid bit to the end of the url link

Code: Select all

? '&sid=' . session_id()
Now that leaves me wondering where to put the function isSSL. As I'm not doing shared SSL, I haven't looked further but I know there's a place cos Daniel's code is easy to learn.

With 1.4.9 [not 1.4.8], you also need to change session/php and startup.php in library
Change the line

Code: Select all

session_set_cookie_params(0, rtrim(dirname($_SERVER['PHP_SELF'])));
back to

Code: Select all

session_set_cookie_params(0, '/');
------------------------
akiller, thank-you soooo much for your post and explaining your code.
I have used it for multi-store with shared cart. Same concept - sharing a cart between domains using a session id
Danke

jty
Active Member

Posts

Joined
Sat Aug 30, 2008 8:19 am

Post by xaldafax » Mon Sep 06, 2010 4:31 am

Hello... thank you for the information.

I plan to try some of your suggestions today. I do admit that it might be hard since I am only a middle level programmer with php.

I wish I was in a different situation but I must find a way to use a shared SSL cert on an existing shared hosting account. I am surprised that the software doesn't support this yet and wish I could provide more help instead of just asking for help. :)

I would have thought that someone used the latest software and got it working with code adjustments.

Newbie

Posts

Joined
Fri Aug 27, 2010 11:09 am

Post by xaldafax » Fri Sep 10, 2010 12:32 am

No luck...

Anyone have full instructions for the latest 1.4.9 build and getting shared SSL to work?

Newbie

Posts

Joined
Fri Aug 27, 2010 11:09 am

Post by witchescupboard » Sat May 14, 2011 5:57 am

I'm a new OC user trying to get my shared SSL to work, and was referred to this post. However, I do not know what changes need to be made to these instructions in order to get it to work with the current version of OC. I'm capable of finding and replacing code successfully (is this really a skill? lol) but I have no clue how to code myself so I'm unable to figure out what mods are necessary. Any help would be appreciated :)


Posts

Joined
Thu May 12, 2011 3:28 am

Post by BMWMaX » Sun May 29, 2011 8:21 pm

I also hope to see a shared ssl solution soon. I'm close to be done with builing my store and ready for testing 1.5.0 but without shared ssl I can and will not make my 1.4.9 store a live version.

Active Member

Posts

Joined
Sat May 21, 2011 3:24 am
Location - Grootebroek

Post by matt1982 » Tue Jun 07, 2011 2:01 am

Would love to see this implemented for later versions. Currently I have a dedicated server and it is costing me an arm and a leg with SSL and IP addresses :D

Are there currently any specific reasons why it is not possible? What are the technical constraints on why it can't be done?

New member

Posts

Joined
Tue Sep 02, 2008 10:52 pm

Post by annelim » Mon Nov 07, 2011 10:43 am

hi developer ,
is there available for v1.5.1.3 ?

Active Member

Posts

Joined
Fri Oct 28, 2011 5:13 pm
Who is online

Users browsing this forum: No registered users and 36 guests