Post by Mark Dyer » Sat Jun 02, 2007 3:33 am

Has anyone managed to have a https server on a different domain to the http..

example

www.mywebsite.com

and www.sharedsslcert.com/mywebsite/

looking at the coding I don't think we can, anyone have any suggestions?

User avatar
New member

Posts

Joined
Thu May 31, 2007 10:07 pm

Post by Daniel » Sat Jun 02, 2007 4:17 am

I noticed this aswell.

A company I previously worked for used a sub domain for there SSL. The problem is the cookie the session sets. You need a cookie domain added in the config for both the http and https.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Qphoria » Sat Oct 18, 2008 9:31 am

This still appears to be an issue using sharedssl in 0.7.9 (and one that is affecting my live store!). I will add it to the to-do list for the next version.
Also, david.gilberts SEO contrib doesn't seem to work when it switches to the shared address
Last edited by Qphoria on Sat Oct 18, 2008 9:34 am, edited 1 time in total.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by bruce » Sat Oct 18, 2008 6:03 pm

As a discussion point...

My 2 cents on shared ssl is that is should be consigned to the "waste of time" list along with database prefixes.

Since the goals of using ssl are to
  •    
  • provide a secure channel of communication
  • give the customer the confidence to use your site with their money.
and shared ssl looks dodgy to the customer. (at least implementations I have seen), the second is not achieved and the money spent is wasted.

An SSL certificate for your actual url is not so expensive as to make the programming and testing effort to support shared ssl worth it.

What does anyone else think?
Last edited by bruce on Sat Oct 18, 2008 9:02 pm, edited 1 time in total.

Active Member

Posts

Joined
Wed Dec 12, 2007 2:26 pm

Post by Qphoria » Sat Oct 18, 2008 8:25 pm

I, personally, am not too cheap to get a $15 cert from godaddy. But it was more of a test to ensure OpenCart can handle it. SharedSSL might not be great, but it should still be a viable option for those that need to use it. It's still better than nothing.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by jty » Tue Nov 11, 2008 10:00 am

Why do people always quote eg $20 for SSL?
When I asked my webhost, I was told I also need a dedicated IP as well as an SSL cert. The dedicated IP is not free so how do we get this $20 concept?
What am I missing here?

jty
Active Member

Posts

Joined
Sat Aug 30, 2008 8:19 am

Post by Qphoria » Tue Nov 11, 2008 11:03 am

$15 cert plus $5 dedicated ip :)

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by jty » Tue Nov 11, 2008 11:05 am

$5 dedicated IP? I was told something like $10-$15/mth for the IP over here
Which now makes it around $200/yr which is a tiny bit more than 20 bucks
Thanks

jty
Active Member

Posts

Joined
Sat Aug 30, 2008 8:19 am

Post by Qphoria » Tue Nov 11, 2008 12:07 pm

hence the reason I'm trying to get OpenCart to work with SharedSSL for those who can't be dishin out cash all over

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by bruce » Tue Nov 11, 2008 12:31 pm

jty wrote: $5 dedicated IP? I was told something like $10-$15/mth for the IP over here
Which now makes it around $200/yr which is a tiny bit more than 20 bucks
Thanks
Even so, if your online business does not have enough potential to make $200/year seem like nothing, what is the point?

You might as well sit in the sun and drink beer instead.  :D

Active Member

Posts

Joined
Wed Dec 12, 2007 2:26 pm

Post by Qphoria » Tue Nov 11, 2008 12:42 pm

my first business started with a $1.95/mo host & sharedssl.
Then I upgraded to a full SSL for $29.99 and dedicated ip i think was $5/mo. Made about $100 that year   :-\

Then that server got really slow so I moved to gazzin.com and paid $6.95 or so for a reseller account
Switched back to sharedssl but then stopped the business and gazzin started getting slow so I left.

Then a year later started a new company on my reseller account with resellerzoom.com for $9.95. Amazingly pulled in about $100k in sales, then the second year I started seeing some server slowness so I upgraded to a $19.95 plan. The second year business went down to about $60k  :'( and now in it's third year I'm about $40k... (but the decline is expected based on the technology now).

Anyway.. I actually ran and still run that business on a sharedssl. I thought about switching to a real SSL but business was booming and I didn't feel the need to change anything.

Now my upgraded resellerzoom account is starting to get slow so I might look for greener pastures. But I'd still like sharedssl for the backup
Last edited by Qphoria on Tue Nov 11, 2008 12:46 pm, edited 1 time in total.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by jty » Tue Nov 11, 2008 3:01 pm

bruce wrote: Even so, if your online business does not have enough potential to make $200/year seem like nothing, what is the point?
Bruce, the point in my situation is that I don't require shared SSL for security reasons. I already pay for an online payment gateway that handles the SSL
However, when that gateway returns to my site, Firefox gives a warning (attached). Read in the context of where they are in the checkout/payment process, the customers can easily think their credit card details are being sent unsecurely.
This is not the case as the data returned is not cc details but we have to cater for "perceptions" as well as truth.
The good news is that it doesn't happen with IE and IE still rules. I knew there was one good thing about IE

jty
Active Member

Posts

Joined
Sat Aug 30, 2008 8:19 am

Post by bruce » Tue Nov 11, 2008 6:24 pm

What payment gateway?
What is the return url?

I have done several payment extensions (ANZ eGate, paypal, 2Checkout) that redirect to secure sites and return to non ssl pages and have not experienced the same problem that you do.

This means there should be a solution that does not require you to unnecessarily hook up to any ssl.
Last edited by bruce on Tue Nov 11, 2008 6:30 pm, edited 1 time in total.

Active Member

Posts

Joined
Wed Dec 12, 2007 2:26 pm

Post by JNeuhoff » Tue Nov 11, 2008 6:35 pm

I noticed similar problems with the shared SSL while testing the GoogleCheckout module.

I don't really need SSL for my stores, because any criticical credit card details and payments are handled on the Google Checkout pages which uses its own SSL anyway. However, when Google sends back messages, e.g. 'payment processed', etc., to OpenCart's callback function, Google always insists on using SSL, even though the messages it sends don't contain any critical details (no credit details, no passwords ). Still, I had to enable shared SSL on my server just for the callback function so as to be able to receive and process the messages coming from Google.

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus


User avatar
Expert Member

Posts

Joined
Wed Dec 05, 2007 3:38 am


Post by bruce » Tue Nov 11, 2008 6:46 pm

vote with your feet  ;)

Active Member

Posts

Joined
Wed Dec 12, 2007 2:26 pm

Post by jty » Tue Nov 11, 2008 7:17 pm

The return url is checkout_success

I am not able to show you as their demo doesn't go to SSL
I have contacted them about it but their solution is to use words to explain the situation to the buyer. 11px words are not as dramatic as a Firefox Warning pop-up

Whatever data they are sending back is useless to me but I am not able to change their script.
I tried sending the page back to a shared SSL page but then I encounter the problem of the cart never being cleared as the cart is held in a non-SSL session so an SSL return URL does not clear cart.

Do you know any Australian online gateways that do "manual/offline" credit card processing. I'm looking for a PCI complaint way to do Offline Credit Card
I don't want a dodgy offline payment way that keeps me up all night worrying about people hacking into my database
I also do not want a "real-time" payment gateway as the site is low volume.
Last edited by jty on Wed Nov 12, 2008 1:15 am, edited 1 time in total.

jty
Active Member

Posts

Joined
Sat Aug 30, 2008 8:19 am

Post by bruce » Tue Nov 11, 2008 8:49 pm

So much for me being an expert.  ::)  :-[

The behaviour you are seeing is an optional setting in both browsers mentioned. Coincidentally, I have it turned off in both. You probably only have it turned off in IE. I would have attached a screen shot that includes both IE and Firefox settings dialogs as I have them but "the upload folder is full" on the forum.

It is really annoying that we "need" ssl even for this situation when we don't need it.

Instructions for how to turn off "security" settings in your "how to shop" pages with screen shots of the dialog and comforting words about it not mattering are a poor second choice.

At the end of all this, I would still buy my own certificate for a more professional outcome, just as I have argued earlier.

There are no other Australian alternatives for your specific requirement that I know of and it would not help anyway.

Active Member

Posts

Joined
Wed Dec 12, 2007 2:26 pm

Post by JNeuhoff » Tue Nov 11, 2008 9:05 pm

Whatever data they are sending back is useless to me but I am not able to change their script.
I tried sending the page back to a shared SSL page but then I encounter the problem of the cart never being cleared as the cart is held in a non-SSL session so an SSL return URL does not clear cart.
You could do something like this in your payment process() function before transfering to the payment ePath payment gateway:

Code: Select all

		// Have OpenCart process the order and remove its cart from the session.
		// OpenCart will store it in the database with e.g. a 'Paid Unconfirmed' order status.
		$this->order->process($results['order_status_id']);
		$this->cart->clear();
		....
		// now transfer to the payment gateway
		....
This way your shopping cart is always cleared, regardless of whether the user comes back from the payment gateway or not. You'd still check your ePath account to see whether the customer really made the payment, he may have changed his mind and just didn't proceed with the final payment, so checking your ePath account always is a good idea anyway. You shouldn't rely on customer actually completing the payment on the ePath payment gateway!

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus


User avatar
Expert Member

Posts

Joined
Wed Dec 05, 2007 3:38 am


Post by Qphoria » Tue Nov 11, 2008 10:58 pm

Really IE is better here?! but IE is notorious for the "There are both secure and non-secure items on this page" which scared the hell out of my customers

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by jty » Tue Nov 11, 2008 11:59 pm

Qphoria wrote: Really IE is better here?! but IE is notorious for the "There are both secure and non-secure items on this page" which scared the hell out of my customers
Per Bruce, it might be my IE browser settings

This didn't work
// Have OpenCart process the order and remove its cart from the session.
// OpenCart will store it in the database with e.g. a 'Paid Unconfirmed' order status.
$this->order->process($results['order_status_id']);
$this->cart->clear();
....
// now transfer to the payment gateway
....
Conceptually, that is what I want ie write the order first then go off to pay
But I received an error that results is undefined
So I tried just $this->cart->clear();
That also didn't work as it then sent a zero $ amount, presumably because the cart has been cleared
But the interesting thing is that it sent my other variables being the customer name, phone number, email address.

So all I have to figure out now is how to capture the value in $this->order->get('total') to send without cart->clear clearing it out.

Do we have a payment module that writes the order first so I can try and copy it. I copied the Paypal one which writes the order "after" returning.
Last edited by jty on Wed Nov 12, 2008 1:16 am, edited 1 time in total.

jty
Active Member

Posts

Joined
Sat Aug 30, 2008 8:19 am
Who is online

Users browsing this forum: No registered users and 5 guests