Shared SSL Support (1.3.4 and 1.4.0)

To date this has only been tested on OpenCart v1.3.4 and v1.4.0 using Apache on Windows and Linux, but due to its simple implementation it is likely to work on previous and future versions too (via manually editing the files rather than using the ones them from the archive).

It would obviously be great to have it implemented into the main branch of OpenCart, after being hacked to death by more experienced PHP programmers of course .

I've included diff patches in the archive if you want to compare the changes - there are only 10 lines of code added or modified across all files though!


Installation
Either use the files in the 'Modified Files' folder (with the exception of the configuration and diff files) or install it manually as explained below.

Modified Files
/system/engine/url.php
/system/library/session.php
/config.php
/index.php


URL Class Changes (/system/engine/url.php)
It's probably easier to just replace this file than for me to detail it here. It will detect whether you are using a shared SSL configuration and if so append your current session ID to the URL when switching between non-secure and secure links.

A new Boolean function isSSL() has also been added to the bottom which also allows you to test for SSL in your controllers using $this->url->isSSL() should you require it for something else.

Find: Replace with: Next, find: Replace with: Finally, before the final } add:
Session Class (/system/library/session.php)
This class now accepts an optional session ID as a parameter to allow OpenCart to manually specify what it should be so that we can it can keep the same ID between the non-secure and secure sites.

Find: Replace with: Next, before the lines: Add:
Index File Changes (/index.php)
Here we simply read the session ID from the URL if we've been given it and pass it to the session class to use.

Find: Replace with:
Configuration File Changes (/config.php)

Find: Add after: It's also worth pointing out you must set the HTTPS_SERVER and HTTPS_IMAGE variables to that of your shared SSL address too.

I did originally modify the configuration to allow different paths to the non-secure and secure files, but having tested it on a live site it seems they are the same; if anyone needs this I can re-add it.



How it Works
It's essentially a very simple approach. Whenever a link exists which will transfer a user from a non-secure to a secure URL (i.e. from viewing a product to adding it to your basket) the URL includes the user's session ID (sid) within the query string; this is done automatically with modifications to /system/engine/url.php.

If the user is now on the secure domain all other HTTPS links will omit this session ID parameter because it is assumed to have already been saved by PHP and avoids cluttering up the URLs.

URLs leading back to the non-secure domain will include the session ID (this ensures a users' sessions will stick if they access the site using the HTTPS address initially); but likewise once at the non-secure domain all links to other non-secure URLs will omit the session ID.
TL;DR: The session ID parameter will be used every time a link takes you between a secure and non-secure URL to ensure your session data persists .

With the intention of this being added to the main release of OpenCart, setting 'HTTPS_IS_SHARED_SERVER' to 0 (or anything other than 1) in the configuration file assumes you are using a proper SSL certificate and so bypasses appending the session ID - as if this mod never existed.



Security Information
Whilst searching for information on Shared SSL support on the OpenCart forums I did find some posts from Daniel stating that Shared SSL support has not yet been included because of the security issues.

Whilst I admit I'm not completely proficient in the ins-and-outs of PHP security I don't believe this modification has any security flaws which aren't already present in sessions or OpenCart itself.

Yes it does allow users to modify the URL and set any session ID they want (the input is however escaped to alpha-numeric characters only); but this is nothing which can't already be achieved by editing your browser's cookies. Infact, if you set non-alphanumeric characters in the cookie PHP will generate a warning which if not turned off will reveal the location of OpenCart on your server.

If you use Firefox install the 'Add N Edit Cookies' extension (https://addons.mozilla.org/en-US/firefox/addon/573) and you can change your PHP Session ID cookie (called PHPSESSID as standard) to whatever you want. Anyone who is looking to break into your site will likely already know about this anyway.

I assume a more secure approach would be for OpenCart to store session IDs in the database and validate them against users' IP addresses or other such check.



The length of this post feels like my dissertation all over .

Awesome!

Great! Thank you very much

I have applied the Shared SSL as prescribed in this post but i am getting the following error:

Warning: Header may not contain more than a single header, new line detected. in /home/housep6/public_html/system/engine/controller.php on line 22. I believe it may have something to do with the url.php but am not sure. Here is the link to the page to reproduce the error https://secure70.inmotionhosting.com/~h ... a4e4cf0da1" onclick="window.open(this.href);return false; Click on the continue button to reproduce the error. I am using Opencart 1.3.4 for this site.

All help is welcomed.

Virgal

Hi Vmal,

I don't see any errors on the link so this might mean you have already fixed it.

If you're still having the problem then you could try putting: In protected function redirect($url) { (/system/engine/controller.php) (before exit();) and seeing what that produces - it should lead you to the part which is erroring. Post the output here if you need help.

Since I am not a programmer everything I do is guess work and a lot of trial and error. So trying to figure this out will take weeks for me.

Here is the return.

Warning: Header may not contain more than a single header, new line detected. in /home/housep6/public_html/system/engine/controller.php on line 22

array(5) {
[0]=>
array(7) {
["file"]=>
string(62) "/home/housep6/public_html/catalog/controller/account/login.php"
["line"]=>
int(19)
["function"]=>
string(8) "redirect"
["class"]=>
string(10) "Controller"
["object"]=>
object(ControllerAccountLogin)#24 (6) {
["error:private"]=>
array(0) {
}
["id:protected"]=>
NULL
["template:protected"]=>
NULL
["children:protected"]=>
array(0) {
}
["data:protected"]=>
array(0) {
}
["output:protected"]=>
NULL
}
["type"]=>
string(2) "->"
["args"]=>
array(1) {
[0]=>
&string(77) "https://
secure70.inmotionhosting.com/~housep6/index.php?route=account/create"
}
}
[1]=>
array(5) {
["function"]=>
string(5) "index"
["class"]=>
string(22) "ControllerAccountLogin"
["object"]=>
&object(ControllerAccountLogin)#24 (6) {
["error:private"]=>
array(0) {
}
["id:protected"]=>
NULL
["template:protected"]=>
NULL
["children:protected"]=>
array(0) {
}
["data:protected"]=>
array(0) {
}
["output:protected"]=>
NULL
}
["type"]=>
string(2) "->"
["args"]=>
array(0) {
}
}
[2]=>
array(4) {
["file"]=>
string(49) "/home/housep6/public_html/system/engine/front.php"
["line"]=>
int(42)
["function"]=>
string(20) "call_user_func_array"
["args"]=>
array(2) {
[0]=>
&array(2) {
[0]=>
&object(ControllerAccountLogin)#24 (6) {
["error:private"]=>
array(0) {
}
["id:protected"]=>
NULL
["template:protected"]=>
NULL
["children:protected"]=>
array(0) {
}
["data:protected"]=>
array(0) {
}
["output:protected"]=>
NULL
}
[1]=>
string(5) "index"
}
[1]=>
&array(0) {
}
}
}
[3]=>
array(7) {
["file"]=>
string(49) "/home/housep6/public_html/system/engine/front.php"
["line"]=>
int(24)
["function"]=>
string(7) "execute"
["class"]=>
string(5) "Front"
["object"]=>
object(Front)#18 (2) {
["pre_action:protected"]=>
array(1) {
[0]=>
object(Router)#21 (3) {
["class:protected"]=>
string(14) "common/seo_url"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["error:protected"]=>
object(Router)#23 (3) {
["class:protected"]=>
string(15) "error/not_found"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["type"]=>
string(2) "->"
["args"]=>
array(1) {
[0]=>
object(Router)#22 (3) {
["class:protected"]=>
string(13) "account/login"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
}
[4]=>
array(7) {
["file"]=>
string(35) "/home/housep6/public_html/index.php"
["line"]=>
int(138)
["function"]=>
string(8) "dispatch"
["class"]=>
string(5) "Front"
["object"]=>
object(Front)#18 (2) {
["pre_action:protected"]=>
array(1) {
[0]=>
object(Router)#21 (3) {
["class:protected"]=>
string(14) "common/seo_url"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["error:protected"]=>
object(Router)#23 (3) {
["class:protected"]=>
string(15) "error/not_found"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
["type"]=>
string(2) "->"
["args"]=>
array(2) {
[0]=>
object(Router)#22 (3) {
["class:protected"]=>
string(13) "account/login"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
[1]=>
object(Router)#23 (3) {
["class:protected"]=>
string(15) "error/not_found"
["method:protected"]=>
string(5) "index"
["args:protected"]=>
array(0) {
}
}
}
}
}


Hope you can make since of it.

Virgal

Hmm, I'm not too sure to be honest.

Try replacing your url.php with this one:
http://pastebin.com/Jh0kDKiX" onclick="window.open(this.href);return false;

Note that this is from 1.3.4 but as far as I'm aware it's the same in the later versions - keep a backup of your URL.php just incase.

Let me know how it goes.

Comes back with the same return. Here is the code in the controller.php that it is having issue with.
I am not sure way this would be an issue. I know it has something to do with the SSL because it was not an issue until I pointed the cart to the SSL server.

Virgal

What version of OpenCart do you have? It might just be broke with later versions. Let me know and I'll install them and take a look.

I am using OpenCart 1.3.4 for this site.

Is this a possible solution


SSL Problems with images in IE

Postby carha43 » Thu May 06, 2010 10:03 am
Hi to all,

first i want tell that my english is not the best. :-)

Many people have problems with SSL. We use opencart 1.4. and we also had problems with the encrypting of images in IE and so on. We found a way to fix this problems.

SSL for Admin area:

1.) Open config.php from the Admin area.

Search for:

// HTTP
define('HTTP_SERVER', 'http://www.domain.de/admin/');
define('HTTP_CATALOG', 'http://www.domain.de/');
define('HTTP_IMAGE', 'http://www.domain.de/image/');

// HTTPS
define('HTTPS_SERVER', 'http://domain.de:12345/admin/');
define('HTTPS_IMAGE', 'http://domain.de:12345/image/');

and change to:

// HTTP
define('HTTP_SERVER', 'http://www.domain.de/admin/');
define('HTTP_CATALOG', 'http://www.domain.de/');
define('HTTP_IMAGE', 'http://www.domain.de/image/');

// HTTPS
define('HTTPS_SERVER', 'https://domain.de:12345/admin/');
define('HTTPS_IMAGE', 'https://domain.de:12345/image/');

We use a Shared-SSL Certificate and we do not have an own IP and this is why we need the port for SSL (domain.de:12345). Take also a look to your certificate you need www. in front of your https domain or not.

Save and upload the config.php.

2.) Then point to system-->settings-->server in the admin area and set SSL to YES. Then save the settings.

Now your admin area runs with SSL.

SSL for Store Front:

1.) Open index.php in root folder and search for (around line 50):

define('HTTP_SERVER', $config->get('config_url'));
define('HTTP_IMAGE', HTTP_SERVER . 'image/');

if ($config->get('config_ssl')) {
define('HTTPS_SERVER', 'https://' . substr($config->get('config_url'), 7));
define('HTTPS_IMAGE', HTTPS_SERVER . '/image/');
} else {
define('HTTPS_SERVER', HTTP_SERVER);
define('HTTPS_IMAGE', HTTP_IMAGE);
}

IE shows for https:/// (3 slashes) and in front of /image/ IE show //image/ (2 slashes). This is why we take away one slash for https: inside the index.php and the slash in front of image/. Now it looks like this:

define('HTTP_SERVER', $config->get('config_url'));
define('HTTP_IMAGE', HTTP_SERVER . 'image/');

if ($config->get('config_ssl')) {
define('HTTPS_SERVER', 'https:/' . substr($config->get('config_url'), 7));
define('HTTPS_IMAGE', HTTPS_SERVER . 'image/');
} else {
define('HTTPS_SERVER', HTTP_SERVER);
define('HTTPS_IMAGE', HTTP_IMAGE);
}

Save and upload the index.php to your root folder.

Now point to system-->general and set your Store-Url to https://domain.de:12345" onclick="window.open(this.href);return false; (with or without the port. like you need it.) Then save your changes.

Now your Store Front runs also with SSL and all works wonderful.#

We tested this with IE, Firefox and Opera (newest) and we do not have any problems.

It is maybe not the best way, but it is a way. :-) You can take a look to the shop http://www.hammerbad.de/shopsystem/" onclick="window.open(this.href);return false; and test it.

Carsten from
http://www.webkonzept.org" onclick="window.open(this.href);return false;

Hmm, I don't think that would help.

Could you post the define('HTTPS_SERVER and HTTPS_IMAGE sections from your configuration file? (make sure you check for passwords before posting it) - I wonder if it's got a newline there at all. I could just be reading the stack wrong or the formatting got broke on the forums:

Hello...

I am on Version 1.4.8 and I noticed that there is no url.php file... Does someone have an updated hack for the Shared SSL support?

I really need to get this to work and am in a situation where I cannot get a single SSL cert because it requires a separate IP and I must stay on a shared domain at this point... So anything that people can give me to help get shared SSL working would be great...

Hello xaldafax, have you figured it out yet
If you haven't figured it out, i'm thinking ......... I have been able to use the above code to pass a sid from domain to domain for another reason (not shared SSL) on 1.4.8.b and 1.4.9

The concept is simply to enable open cart to tag on a sid parameter in the url from site to site to pass on session information. In this context, the sites are the http and the https sites.
But we no longer have url.php. What did url.php do. Looking at it it looks to me like it first checks to see if shared ssl is set, if it is, then tag on the sid parameter being the session_id.
Looking at it this way, it means to me that I need to find all the places in Open Cart where it moves to SSL, find the link or the code that creates the link and tag on the sid bit to the end of the url link Now that leaves me wondering where to put the function isSSL. As I'm not doing shared SSL, I haven't looked further but I know there's a place cos Daniel's code is easy to learn.

With 1.4.9 [not 1.4.8], you also need to change session/php and startup.php in library
Change the line back to ------------------------
akiller, thank-you soooo much for your post and explaining your code.
I have used it for multi-store with shared cart. Same concept - sharing a cart between domains using a session id
Danke

Hello... thank you for the information.

I plan to try some of your suggestions today. I do admit that it might be hard since I am only a middle level programmer with php.

I wish I was in a different situation but I must find a way to use a shared SSL cert on an existing shared hosting account. I am surprised that the software doesn't support this yet and wish I could provide more help instead of just asking for help.

I would have thought that someone used the latest software and got it working with code adjustments.

No luck...

Anyone have full instructions for the latest 1.4.9 build and getting shared SSL to work?

I'm a new OC user trying to get my shared SSL to work, and was referred to this post. However, I do not know what changes need to be made to these instructions in order to get it to work with the current version of OC. I'm capable of finding and replacing code successfully (is this really a skill? lol) but I have no clue how to code myself so I'm unable to figure out what mods are necessary. Any help would be appreciated

I also hope to see a shared ssl solution soon. I'm close to be done with builing my store and ready for testing 1.5.0 but without shared ssl I can and will not make my 1.4.9 store a live version.

Would love to see this implemented for later versions. Currently I have a dedicated server and it is costing me an arm and a leg with SSL and IP addresses

Are there currently any specific reasons why it is not possible? What are the technical constraints on why it can't be done?

hi developer ,
is there available for v1.5.1.3 ?