[FIX] SSL link loops -> timeout

Specific Information relating to Version 4.x only
Post Reply
Martin
Site Admin
Site Admin
Posts: 1854
Joined: Wed Jun 17, 2009 6:30 pm
Location: South Yorkshire UK
Contact:

[FIX] SSL link loops -> timeout

Post by Martin »

This one cropped up here:
http://www.interspire.com/forum/showthread.php?t=13676

Version
4.0.x - 4.0.9 (not 5.x)

Symptoms
Every time someone tried to create an account or login or went to any of the pages where the secure part of the site should kick in, it went into a loop that never finished. QED: No customers no sales, lots of tears... :cry:

Cause
The problem is caused by the host apache setup rewriting the [HTTP_HOST] component in the $_REQUEST headers so that it includes the SSL port "443" as a distinct part of the string instead of leaving it under the [SERVER_PORT] header.

The Interspire Shopping Cart code does some checking of the request or posted URL when it thinks it should be secured but unfortunately it assumes that if the host header is not the same as the host component in the $ShopPath configuration variable then it fails.. This includes if there's a port tagged on the end.

The Solution
  1. Take a backup copy of your existing ssl.php file.
  2. Replace the lib/ssl.php file with the one attached.
NB: This file is currently untested but should (hopefully) work...
Attachments
ssl.zip
ssl.php file 4.0.x-4.0.9 (version #1)
(1.68 KiB) Downloaded 870 times

CharlieFoxtrot
Confirmed
Confirmed
Posts: 413
Joined: Sun Aug 09, 2009 1:23 pm

Re: [FIX] SSL link loops -> timeout

Post by CharlieFoxtrot »

Thanks for posting this!

Is this something that I ought to install even if my ISC is not having any of the symptoms that you've described? ~ Well... not that I know of anyway. And my customers would have let me know... they always do! :|

Are the flaws (and the endless loop) caused by an inherent error in ISC? Or... is the error being caused because ISC expects the Apache server to be configured in a specific way (and therefore fails when it encounters something that's not entirely standard)?
ISC 4.0.7

"... and let's be honest that whole "by design" thing is getting old too."

Martin
Site Admin
Site Admin
Posts: 1854
Joined: Wed Jun 17, 2009 6:30 pm
Location: South Yorkshire UK
Contact:

Re: [FIX] SSL link loops -> timeout

Post by Martin »

Are the flaws (and the endless loop) caused by an inherent error in ISC? Or... is the error being caused because ISC expects the Apache server to be configured in a specific way (and therefore fails when it encounters something that's not entirely standard)?
It's poor configuration on the server more than anything... I certainly wouldn't expect a port number to be explicity defined in the URL which is what causes this problem.

You could argue that there's poor sanity checking on Interspire part but in fairness I would never have imagined this problem happening, much less coded for it.

MyAudioDNA
Posts: 4
Joined: Wed Oct 21, 2009 4:05 am

Re: [FIX] SSL link loops -> timeout

Post by MyAudioDNA »

This fix didn't work for me. I'm on Network Solutions hosting. Any other ideas?

Post Reply