[FIXED] Loss of Info when changing from unsecure to secure site

[iamalive]

Hi

Essentially, when selecting products in the unsecure environment of http:// the basket looses all information when moving to the secure https:// environment to start the payment process.

This happens with a shared SSL. I haven't been able to test with any other kind of SSL.

I raised this issue as BUG 1919 but have had no response. To preempt Mr ARAVOT's reply, all details have been provided to reproduce the bug.
I believe this to be fundamental to shop security- at least my customers want to have a secure environment.

Regards

David

[iamalive]

Hello

A shop which cannot remember the goods selected when changing to a secure site to pay for them, is a shop which will annoy a lot of customers who will probably not go there again.

Why is an issue like this so unimportant that there is no acknowledgement from the developers at all? I am truly trying to be supportive with testing and reporting bugs, but is there actually any point?

I would be very grateful for some kind of hint that there is a point in writing in this forum.

Regards

[jenkinhill]

I cannot reproduce this using the shared SSL on my server. The cart retains all information and the purchase can be completed OK.  My only issue is that the https connection is retained if you go to other pages on the site before closing the browser, but that is a minor and familiar issue.

[iamalive]

I suggest you try it out on the site I'm working on and see if you can spot a difference. It's available at:

http://joomla.neukom-electronic.ch

I'd be interested if you can spot a difference.

The "minor issue you mention, is something I'd also noticed, but, as you say, is not particularly important.

Regards

[iamalive]

I have an update.

In the security tab of the basic configuration, I changed the areas in which the secure link was applied.

Previously, I only had it for the checkout and the account, which seemed to me to be the only areas which need protection.

I now added the "shop" to this list. The effect is, that my problem disappeared, but only because all of the front end of the site is now using the secure link. As soon as I removed the shop from the list, the problem reappeared.

I also updated to the version from the 7th of April, by the way.

Maybe this helps to reproduce the error, but for now, I can live with this version - more importantly, my client can live with this.

Regards

[jenkinhill]

The secure url is a lot different from your shop url. I assume the IP address is the same? It does seem to be related to server configuration, as I have now tried on 3 different severs and all work OK.

[iamalive]

Hmmmm

The secure URL is the shared certificate of the hoster where the site is, so the IP Address should be the same.

As I understand it, this is a common way for people to use a secure site, as not everyone wants or can afford a certificate for their individual use.

I will, however, raise this with the Hoster, who are very helpful and very Joomla oriented. More later...

Regards

[jenkinhill]

Good, can you keep us posted. I know that people on Plesk servers have had problems (see http://forum.virtuemart.net/index.php?topic=38424.0 for help there) and also GoDaddy servers have an unusual shared SSL setup.

[iamalive]

OK - I've asked my Hoster to comment here directly.

In the meantime, I've a new issue. With the latest Build (from the 7th of April) I can only select on Item in the list for the security settings, i.e. only the checkout, for example, but not the account as well!

Mabe you can reproduce this fault, Jenkinhill?

Regards

[novatrend]

Hi

I'm working for NovaTrend, the hosting company which is mentioned above. I think the problem is the following:

The reason the PHP session is lost is because PHP sessions are based on cookies and cookies are only valid at the domain where they were set.

When you add products to the basket you do this with the domain name neukom-electronic.ch, but when you switch to the secure area, the domain is in our case https://secure53.tophost.ch. It's also on a different IP Address, because SSL certificates require dedicated IP addresses, but this is not the problem. The problem is, that we use a different domain name and therefore can not access the session information anymore.

I think the solution would be to handover the session ID when you change the domain name like this:

?PHPSESSID=the_session_id

And then do the following:

if (isset($_REQUEST[PHPSESSID])) {
  session_id($_REQUEST[PHPSESSID]);
}

To be honest, I did not look at the code, but I saw this problem already with other scripts.

If you say you tested it on other servers, I'm really wondering, how this servers are configured. Because it's a big security risk, if scripts on a domain name can access cookie information from other domains...

Regards
Michael Brunner
NovaTrend Services GmbH

[aravot]

Forgot to mention Joomla and VirtueMart version.

[iamalive]

Dear Peter

Please note:

http://forum.virtuemart.net/index.php?topic=38175.msg119425#msg119425

and

http://forum.virtuemart.net/index.php?topic=38175.msg120265#msg120265

[aravot]

I don't know what you are pointing to I see no Joomla version.

[iamalive]

Sadly, all I've ever had from you are statements about the versions. I've also had other put downs from you.

Helping to solve an actual problem,would be really useful. That is something I've never had from you.

However:

I raised this issue as BUG 1919 but have had no response. To preempt Mr ARAVOT's reply, all details have been provided to reproduce the bug.

You could check the Bug list for example.

But to reiterate:

• Joomla 1.5.2
• VirtueMart 1.1 revision 1355_07.04.2008

I have also asked my hoster to provide input on this issue, which he's done. Perhaps you could comment on his input above.

I would be glad to have this issue resolved

Regards

[aravot]

Sadly, all I've ever had from you are statements about the versions. I've also had other put downs from you.
Helping to solve an actual problem,would be really useful. That is something I've never had from you.

Help us to help you, if you gave the required info in the first place you might have got an answer instead of me asking for version number, I had SSL working on my test site perfectly using Joomla 1.0.13 and VirtueMart 1.1 beta2 since than I have not checked SSL because having SSL cost money (SSL certification and static IP) so I didn't renew my SSL certification or static IP on my test site, however I have SSL on my live store, have created a sub-domain to test this but need to know what you are using so I could duplicate it, don't want to install Joomla 1.0.15 when you are using Joomla 1.5 and visa-versa and installing both takes time and effort.

I raised this issue as BUG 1919 but have had no response. To preempt Mr ARAVOT's reply, all details have been provided to reproduce the bug.
You could check the Bug list for example.

After 12 hours of work and 1 hour of commute I don't have the time or the energy to do your work for you, it is very simple; Joomla 1.5.2, VirtueMart 1.1 build 1367, php5.2.3, db 5.0.24