When should one use SSL? Customers having trouble with logins.

[JRR]

So, I have a problem with some customers being unable to log in repeatedly - yet I can log into their accounts if I do it via admin, and everything looks fine (shopping cart contains items awaiting resolution).

What I do see though is that SSL is sometimes on and other times off (https: vs http so was wondering if issues with SSL might be causing problems for custom logins. I do not have any credit card operations on the site - use PayPal exclusively for payments so was thinking of turning SSL off to see if that helped with customer login to open existing cart problems.

I see some past discussions that SSL is advised to protect against bad login behaviour, but is that the only reason? the Wiki talks about setting it up, but not WHY one should set it up.

Thanks!

[michael_s]

Why we should be using encryption is beyond the scope of the wiki, but it is to keep prying eyes out of private information. It is so easy to steal personal information over any internet/wifi connection with a packet sniffer. Any 12 year old with a smartphone can watch everything you do. And it is not just the black-hat criminal types you have to be concerned with. What about your competitors who want to steal customers from you? See what your customers are buying, how many customers you have, etc... What about marketing corporations? They are always looking for ways to exploit consumers. Best to always transmit customer information in encrypted form.

If you take any customer information at all, you should be using ssl if for no other reason that customers demand it. Even google uses ssl to encrypt searches now. Privacy is a big issue and plain text exchange of personal information is no longer acceptable.

If you don't use ssl to protect your customer logins and their account pages, you are not meeting basic privacy standards.

[JRR]

Fair enough - I too value my customer privacy - but several customers were having trouble with logging in with SSL active, and when I turned it off one (haven't heard back from anyone else) had no further trouble. What else might be the cause of login issues related to SSL?

Thanks!

[JRR]

OK, turned SSL back on, and asked friendly customer to see what happened. here is his response:

The problem appears to be back now that SSL is turned back on. It just says I'm logged in as guest after I try to login. Do you know if your SSL certificate is alright?

So, any idea what might be happening? The SSL certificate is from a large (Pair.com) provider so I can't see it having a problem.

My website is Flippers Parts Store : and perhaps someone with experience could make a small login and put a few things in a shopping cart, logout and then log back in and see what they think is happening.

Might this be related to a previous post about a bug? With the workaround being:

A quick workaround is to set "Force Cookies" to true in the admin "Sessions" section. Of course if you are using shared ssl, you cannot force cookies. But if you are using a private SSL certificate, turn this on and the problem is cleared up.

It appears that there is a problem with either the session storing in mysql or files (not cookies) where it is not getting updated until you load another non-ssl page.

Thanks!

[michael_s]

This could mean that the cookie domain is incorrect for ssl logins or some other problem with sessions.

Is it a shared ssl cert or private to the domain?

Try turning on "Force Cookies" in the sessions settings in the admin panel.

[JRR]

Thanks Michael, I have already asked for clarification on the SSL certificate and set the "Force Cookies" in admin. And asked customer (friendly) to try again (with "Forced Cookies") and let me know if that worked better. If it does I'll add a note to the wiki...

[JRR]

Forced cookies seemed to fix the problem. Now exactly WHY that fixes the problem would be interesting to know. There is not much info on the sessions setup as far as I can see, nor much on how these interact with the system.

For example, what does "Session Directory" do? The 'explanation' is "If sessions are file based store them in this directory." How does one know if the sessions are file based or not? And what exactly does File Based mean with respect to sessions?

I bought the OscMax e-book you guys sell, but it is impossible to search for anything with the interface on my Mac, so I have given up on it.

[JRR]

Fortunately the internet exists and I could find out about Session Directory myself which I should have done first.

Essentially you normally set the session directory in catalog/includes/configure.php

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

And as a result you do not then set Session Directory in Administrator/Sessions (under oscMax admin/configuration) to anything, although leaving it at /tmp is harmless as configure.php overrides it. It appears that many sites do not have the ability to use temp directories and also having the site store the info in mysql database is safer from a privacy standpoint as well.

Still not sure what or why Force Cookie Use makes the difference, but when I find out I shall post it here - just in case someone else is curious. And update the Wiki too, the best place for this info of course.

[DanDan]

I am having the same problem with an SSL, when it is turned off, the site runs fine. When it is on, someone creating an account is returned to the login page. If I turn it off, a customer is able to create an account. If I turn it on again and try to login, I am returned to the lndex page but now on the secure server (a shared server) but the login box is still asking for the user/pass. If I then click on a category, I am shown the products but I am now on the non-secure server. Adding to the cart and trying to checkout I am asked to sign in again. When I do I am returned to the login page. Thinking this is a config problem, I have tried configuring the config file many different ways. It is now configured like:

define('HTTP_SERVER', 'http://www.domainname.com');
define('HTTPS_SERVER', 'https://secure.servername.com/~houserol');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.domainname.com');
define('HTTPS_COOKIE_DOMAIN', 'secure.servername.com/~houserol');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');

This is the way I usually configure other sites and they always run fine.

What am I doing wrong?

Thanks,

Dan

[DanDan]

I uploaded a fresh script under a different domain name to see what happened. The only change I made was to configure the config file. have the same problem. I'm thinking that the server is not configured for OSCMax or that there is a problem with the SSL. What server config would cause this problem? Is something turned off that should be on in the PHP config on the server?

Dan