[ic] Secure server cart getting dropped.
Ed LaFrance wrote:
>
> I have set up exactly 1 cart for a client in which the SSL and
> non-SSL domains were different, and after fiddling a bit, I just
> decided to just run the whole site under SSL. If you (or your
> client) are unable or unwilling to pop $100 bucks or so a year for a
> cert, this is your reward. The only other approach that I know of,
> and I believe some people who are (or were) on this list have tried
> it, is to set up a central, server-wide session file repository, in
> conjunction with the domain-related directives in Interchange.cfg, so
> that a session can be carried across multiple domains if needed. You
> are probably going to have to fiddle with the source code to get this
> to work. Also, there is a wealth of material on this subject in the
> archives; go mining.
>
> Any other ideas, anyone?

I've had a pretty good play with carrying session data between differing
domains, and gotten it working fine...(functionality-wise...security is
another issue).

Without patching the source, I found the 'add to cart' links on the
product pages from the vertical category menus did not come under the
directive for securing the cart (ord/cart in the AlwaysSecure directive
section), and putting scan into that list kinda had some unforeseen
consequences...(I quickly abandoned that road) - I changed the bar_link
subroutine in catalog_before.cfg to use a secure link and this fixed the
above problem...but then meant a large portion of the site ran under SSL,
unnecessarily slowing the server down (impact depending on specs of course).

I then patched bin/interchange to detect when the session changes
(RESOLVEID block and associated session stuff just above it) and just
copy the old session data into the new session file and then called
get_session()... not very pretty but I was just playing with a proof of
concept more than anything else...

[NOTE] Doing this on a production server would be somewhat short of a
good idea: think through all the implications very carefully. Do
yourself a favour and find a way to get a cert for your domain[/NOTE] ;-)

Oh yeah, I was using:

Apache 1.3.23
modssl 2.8.6
interchange 4.8.3
catalog domain: shop.domain1.co.nz
ssl domain: secure.domain2.com

- Not real domains... I just chucked them in my hosts file with my own
IP :-)

I tried all Mike's suggestions, but they didn't work for domains which
were so wildly different - I agree with Ed: this is your reward for not
shelling out for a cert, or for using a setup which can't provide another
IP...

Cheers,
Andrew McBeath
System Admin / Senior Developer
Zeald Ltd
ICQ: 53879543
Ph: +64 9 415 7575
Mob: +64 21 434104