  1. #1
    Junior Member
    Join Date
    Jan 2007
    Posts
    6

    secure vs. non-secure issues in Miva5

    I am not 100% certain I have configured my store properly and need some assistance. I have been trying to finalize my upgrade to MivaMerchant5. In IE when switching to a secure part of the store (such as checking out or logging in) I get numerous pop-ups relating to insecure items. I think the issue is somewhere in my link to graphics; although all my links are relative links (using miva merchant soft paths) if I select "NO" to the security pop-ups none of my images will display. I have set up the MivaMerchant links to use

    http://www.uneed-a-uniform.com/mm5/merchant.mvc?

    on the non-secure side, and

    https://SSL4.westserver.net/uneed-a-.../merchant.mvc?

    for the secure side; for secure graphics the baseref is:

    https://SSL4.westserver.net/uneed-a-uniform.com/mm5/

    while the baseref for the non-secure graphics is simply

    http://www.uneed-a-uniform.com/mm5/

    I have looked through all of my code trying to find any absolute references that may be causing issues and cannot find any that have not been adjusted.

    A link to the (new offline) store is:

    http://www.uneed-a-uniform.com/mm5/merchant.mvc?

    Any thoughts, comments, assistance will be appreciated.

  2. #2
    Moderator wildjokerdesign's Avatar
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,720

    For some reason your base href is not being set right.
    HTML Code:
    <base href="http://www.uneed-a-uniform.com/mm5/">
    I am not a miva user but I would look into the template that controls your header.
    Shawn
    Please remember your charity of choice: http://www.redcross.org

    Handy Links: wildjokerdesign.net | Plain Text Editors: EditPlus | Crimson
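
Added example, not part of the original thread: a minimal mixed-content check showing why relative image links still trigger the browser's insecure-item warning when a page served over https carries an http `<base href>`. The host names, paths and sample HTML are constructed, and the set of tags checked is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a subresource fetch (links in <a href> do not).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "input": "src", "link": "href"}

class MixedContentAudit(HTMLParser):
    """Resolve subresource URLs the way a browser does and record plain-http ones."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # until a <base href> is seen, the page URL is the base
        self.base_seen = False
        self.insecure = []        # (tag, value as written, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and not self.base_seen:
            # Only the first <base href> counts; it rebases every relative URL after it.
            self.base = urljoin(self.base, attrs["href"])
            self.base_seen = True
            return
        name = FETCH_ATTRS.get(tag)
        value = attrs.get(name) if name else None
        if value:
            resolved = urljoin(self.base, value)
            if urlsplit(resolved).scheme == "http":
                self.insecure.append((tag, value, resolved))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.insecure

# Constructed sample pages: same relative links, different <base href>.
SECURE_PAGE = "https://ssl.example.test/shop.example/mm5/merchant.mvc?Screen=LOGN"
BODY = '<img src="graphics/logo.gif"><link rel="stylesheet" href="css/store.css">'
BAD = '<head><base href="http://www.shop.example/mm5/"></head>' + BODY
GOOD = '<head><base href="https://ssl.example.test/shop.example/mm5/"></head>' + BODY

if __name__ == "__main__":
    for tag, written, resolved in audit(SECURE_PAGE, BAD):
        print(f"insecure <{tag}> {written!r} -> {resolved}")
    print("with https base:", audit(SECURE_PAGE, GOOD))
```

Running it against the saved source of a checkout or login page shows which relative links end up on http once the base href is applied.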

  3. #3
    Junior Member
    Join Date
    Jan 2007
    Posts
    6

    Thanks, that is what I am trying to figure out: Either what should the code look like in the templates (I cannot find anything different in the Miva examples on their site), or do I have something incorrect in the Miva setup strings (that I show in my initial post)?

    I'll keep searching and trying things...

  4. #4
    Senior Member rispku's Avatar
    Join Date
    Mar 2005
    Posts
    143

    Check to make sure you haven't hardcoded any base URLs into your templates/pages. Also, double check your domain settings to make sure they're correct. I would re-enter and save them just to be sure.

    I had a similar problem--with the exact opposite effect--when I first used Merchant on Westhost. See this post: https://forums.westhost.com/showthread.php?p=26781. My problem was related to an Apache directive instructing the server to initiate a secure connection for any request containing 'merchant.mvc' in the URL. This caused MM to set the base URL to my secure address, and load all of my graphics through the secure server. Can you post the contents of the miva.conf file I referenced in the aforementioned post?
    Last edited by rispku; 01-25-2007 at 01:40 PM.

  5. #5
    Junior Member
    Join Date
    Jan 2007
    Posts
    6

    rispku:

    Thanks for your thoughts, I will check out that thread shortly.

    As for further clues, we discovered late yesterday that the base href generated by Miva seems to be following whatever is entered in the domainsettings/siteconfig/secure GRAPHICS baseurl and sets the base href for every page (whether it should be secure or not) to that setting. In other words, it doesn't matter what the non-secure or secure Miva base url is set to, the pages generated by Miva are somehow using the setting for non-secure graphics (this can be set to either an http:// or https:// location, I have tried it both ways).

    At this moment I have the non-secure graphics base url pointing to:

    https://ssl4.westhost.com/uneed-a-uniform.com/mm5/

    Unfortunately this slows down the loading of the site but at least I don't see all the security warnings in IE and the lock symbol is displayed.

    I'll go check out the thread and do some digging and report back here. I also have an agenda this morning to pitch my boss for a dedicated SSL cert, maybe getting one of those will help alleviate some of these hassles.

    Thanks again,

    pm

  6. #6
    Junior Member
    Join Date
    Jan 2007
    Posts
    6

    Rispku,

    OK, just checked, everything is already as you suggested in that thread.

    And I think I was just shot down (again) on a dedicated ssl cert.

    Thanks again, I'm still open to thoughts and suggestions...

    pm

  7. #7
    Junior Member
    Join Date
    Jan 2007
    Posts
    6

    Sorry, here is the miva.conf file:

    AddType application/x-httpd-Miva .mv
    AddType application/x-miva-compiled .mvc
    Action application/x-miva-compiled /cgi-bin/mivavm
    Action application/x-httpd-Miva /cgi-bin/miva

    #SetEnvIf Request_URI admin\.mvc HTTPS=on
    #SetEnvIf Request_URI admin\.mv HTTPS=on
    #SetEnvIf Request_URI merchant\.mvc HTTPS=on
    #SetEnvIf Request_URI merchant\.mv HTTPS=on





    # BEGIN MIVA 5 INSTALL
    SetEnv MvCONFIG_DIR_MIVA /var/www/html
    SetEnv MvCONFIG_DIR_DATA /usr/home/uneed-a-uniform/htsdata
    SetEnv MvCONFIG_DIR_BUILTIN /usr/local/miva/lib/builtins
    SetEnv MvCONFIG_DIR_CA /usr/local/miva/certs
    SetEnv MvCONFIG_SSL_OPENSSL /var/www/html/mm5/openssl/lib/libssl.so
    SetEnv MvCONFIG_SSL_CRYPTO /var/www/html/mm5/openssl/lib/libcrypto.so
    SetEnv MvCONFIG_DATABASE_MySQL /usr/local/miva/lib/databases/mysql.so

    SetEnv MvCONFIG_COMMERCE_CyberCash /usr/local/lib/mivalibs/cybercash.so
    SetEnv MvCONFIG_COMMERCE_AuthorizeNet /usr/local/lib/mivalibs/authnet.so
    SetEnv MvCONFIG_COMMERCE_LinkPoint /usr/local/lib/mivalibs/linkpoint.so
    SetEnv MvCONFIG_COMMERCE_UPSRSS /usr/local/lib/mivalibs/upsrss.so
    SetEnv MvCONFIG_COMMERCE_ICS2 /usr/local/lib/mivalibs/ics2.so
    SetEnv MvCONFIG_COMMERCE_GlobalCommerce /usr/local/lib/mivalibs/globcomm-linux.so
    # END MIVA 5 INSTALL

  8. #8
    Senior Member rispku's Avatar
    Join Date
    Mar 2005
    Posts
    143

    Okay, you should force WestHost support to resolve this issue for you. If your domain settings are correct, and there aren't any Apache directives changing the environmental variables, then it should be working.

    I've never used MM5 on Westhost, so I'm not familiar enough with the peculiarities in running it in their hosting environment, but I HAVE seen MM5 stores on Westhost using their shared secure server. By all means, it should be working for you, too.

    You don't need to purchase a dedicated cert to test whether or not it will make a difference. You can use the self-signed cert that's generated for you when you install (or configure) OpenSSL from the control panel. You'll still get a security pop-up regarding the authenticity of the cert, but you'll at least be able to see if it works properly with MM5.

    By the way, you should uncomment the SetEnvIf statement that examines requests for 'admin.mvc'. Working securely in the admin area doesn't seem to work properly unless that line is present and enabled. (From my experiences, at least.)

    Code:
    #SetEnvIf Request_URI admin\.mvc HTTPS=on
    should look like this:
    Code:
    SetEnvIf Request_URI admin\.mvc HTTPS=on
    Then, restart your VPS/Apache.

  9. #9
    Senior Member rispku's Avatar
    Join Date
    Mar 2005
    Posts
    143

    Apparently, you already have the temp/self-signed cert installed. If you load your site using the secure address it's configured for, https://www.uneed-a-uniform.com/mm5/merchant.mvc?, you'll see that it uses the proper secure base url.

    So, it would seem that getting a dedicated cert would resolve this issue for you. However, I think this shows that there must be some sort of misconfiguration in the server settings. I would still recommend you have Westhost look into this issue, especially if you still want to use the shared secure server.

  10. #10
    Junior Member
    Join Date
    Jan 2007
    Posts
    6

    Rispku,

    Thanks for taking the time to think about this. I will be coming back to this shortly, but for now I am trying to just get a few things fine tuned as we had to turn the store live. I agree that there is something awry in some config setting somewhere but I need to brush way up on my apache stuff before I get too lost in .htaccess and http.conf files.

    Again, thanks and I will post any findings here.

    --pm
