[ic] Secure server cart getting dropped.

Ed LaFrance interchange-users@interchange.redhat.com
Sat Feb 23 11:50:01 2002


At 08:03 AM 2/23/2002 -0700, you wrote:
>When I go to check out there are no items in the cart. I see that a new
>cookie is issued for the secure domain and it is as though I have started a
>new session. There has to be somebody out there running more than one
>customer's catalog under the same SSL certificate.
>
>Our file structure is set up as follows.
>/var/www/html/        =  site.with.certificate.com
>var/www/html/customerdomanin.com/  = customerdomain.com
>/var/www/cgi-bin      aliased to all domains
>
>http://www.customerdomain.com/cgi-bin/customerdomain       all is OK here
>but when we go to check out
>
>https://www.site.with.certificate.com/cgi-bin/customerdomain    we get here
>and the cart is dropped.  I do this with other shopping carts and it works
>fine.
>
>SERVER_SOFTWARE = Apache/1.3.14 (Unix) (Red-Hat/Linux7.0) mod_ssl/2.7.1
>OpenSSL/0.9.5a PHP/4.0.4pl1 mod_perl/1.24
>I am using ver 4.8.3 RedHat Interchange
>
>
>I have referred to the information below but have been unable to get it to
>work.
>

The following is from the SSL FAQ:


> >     But by far the best way is to have all orders and shopping cart calls go
> >     only to the secure domain.  Your users may get a different session when
> >     browsing the non-secure catalog pages, but it will matter little.
> >
> >     To do this on the Foundation demo, place in catalog.cfg:
> >
> >             AlwaysSecure  order ord/basket ord/checkout
> >
> > A more complete list might be:
> >
> > AlwaysSecure <<EOF
> > account
> > change_password
> > customerservice
> > login
> > logout
> > new_account
> > ord/basket
> > ord/checkout
> > order
> > process
> > query/check_orders
> > query/order_detail
> > query/order_return
> > returns
> > saved_carts
> > ship_addresses
> >         EOF
> >
> > (Thanks to John Beima for the above list.)
> >     Add pages of your own that need to be sure of coherent
> > session information.

I have set up exactly 1 cart for a client in which the SSL and non-SSL
domains were different, and after fiddling a bit, I just decided to
run the whole site under SSL.  If you (or your client) are unable or
unwilling to pop $100 bucks or so a year for a cert, this is your reward.
The only other approach that I know of, and I believe some people who are 
(or were) on this list have tried it, is to set up a central, server-wide 
session file repository, in conjunction with the domain-related directives 
in Interchange.cfg, so that a session can be carried across multiple 
domains if needed.  You are probably going to have to fiddle with the 
source code to get this to work.  Also, there is a wealth of material on 
this subject in the archives; go mining.

Any other ideas, anyone?

- Ed L.



===============================================================
New Media E.M.S.               Software Solutions for Business
463 Main St., Suite D          eCommerce | Consulting | Hosting
Placerville, CA  95667         edl@newmediaems.com
(530) 622-9421                 http://www.newmediaems.com
(866) 519-4680 Toll-Free       (530) 622-9426 Fax
===============================================================
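
Added example (not part of the original post and not Interchange code): a simulation, using Python's standard-library cookie jar as a stand-in for the browser, of why the session cookie issued on the customer host is never sent to the certificate host, and why sending cart calls to the secure host (the AlwaysSecure approach quoted above) keeps the session. The host names and script path are the ones from the post; the cookie name and value are hypothetical.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Hosts and script path are taken from the post; the cookie is constructed.
SHOP = "http://www.customerdomain.com/cgi-bin/customerdomain"
SECURE = "https://www.site.with.certificate.com/cgi-bin/customerdomain"
SESSION_COOKIE = "SESSION=abc123; path=/"  # hypothetical name and value


class FakeResponse:
    """Stand-in for a server response that sets the session cookie."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_at_checkout(cart_url, checkout_url):
    """Return the Cookie header a browser sends to checkout_url after the
    session cookie was issued by cart_url (None if nothing is sent)."""
    jar = CookieJar()
    # Browser adds an item: the server answers with a host-only session cookie.
    jar.extract_cookies(FakeResponse(SESSION_COOKIE), Request(cart_url + "/order"))
    # Browser goes to checkout: the jar decides which stored cookies apply.
    checkout = Request(checkout_url + "/ord/checkout")
    jar.add_cookie_header(checkout)
    return checkout.get_header("Cookie")


if __name__ == "__main__":
    # Cart on the customer host, checkout on the certificate host: no cookie
    # is sent, so the server starts a new, empty session.
    print(cookie_sent_at_checkout(SHOP, SECURE))
    # Cart and checkout both on the certificate host: the same session
    # cookie comes back and the cart is still there.
    print(cookie_sent_at_checkout(SECURE, SECURE))
```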