I have a Drupal 7 site with uc_ssl. When I go to checkout it switches http to https, but then I get an access denied and I'm logged out.

Any ideas?

Comments

crystaldawn’s picture

This issue is covered in the front page of this module as well as on the admin page for the module. The reason is because your SSL domain name and the Non-SSL domain name differ from each other and drupal is treating them as separate websites. This is more or less an RFC standards issue than a technical issue. Drupal is correct to ask you to login again. This issue exists in both the 7.x and the 6.x version.

There are a couple work arounds that I know of.

1. Dont use mixed SSL mode.
2. Use the same exact domain name for both SSL and Non-SSL
3. Custom code the cookie from non-SSL site to be transfered to the SSL site.

rickmanelius’s picture

Apologies for not looking at the project page/help. I 99% of the time use the issue queue as the main source of debugging and missed the glaringly obvious. Thanks and I'll try these out!

rickmanelius’s picture

What's confusing to me is that I have a Drupal 6 site running on the exact same server and it's had no problems... but on the one we did the D7 upgrade, this is happening. I can force https but I don't want to if I don't have to.

Would the best place to look be the htaccess file as per #65890: Shared SSL support??

crystaldawn’s picture

What are the settings you are using in the D6 for the SSL and Non-SSL domains vs that of what the D7 install has? As far as I know, the SSL cookie issue exists in both D6 and D7. It's not an issue related to uc_ssl nor secure pages even. It CAN be setup to work, but in order to do so you have to have intimate knowledge of both of the setups and to do that generically would be very cumbersome and add a lot of uneeded overhead to everyone else's installs. I have long contemplated creating a completely separate module that would be called something like SSL Cookie Sharing that would do this work on it's own so that both SP and UC_SSL could use it, but whenever I bring this up, it's always shot down in IRC by the security guys who see that as a security threat somehow. I dont see why myself, but according to the security gurus in #drupal its a bad idea. This often times leaves shared hosting people in the cold and their answer to that is: That is exactly what it's meant to do. The whole point is to force people to get environments that dont have so many fingers in the pot.

handsolo’s picture

Hello,

Need some help, I have installed uc_ssl on drupal 6 and all works well, info passes between http and https.

with drupal 7 i had an issue where anonymous users were not able to go from cart to cart/checkout - they would get stuck at cart.

I added $conf['https'] = TRUE; to the settings.php file and it fixed the issue and anonymous users are able to go from cart to cart/checkout

the problem now is that if you login you cannot go to checkout or admin/store (https) you get automatically logged out.

is this an issue with others as well or could it be my server configuration?? I am a bit lost here - your help is appreciated.

regards

satter9’s picture

I am having the same issue. Any ideas? I cannot go from cart to checkout in D7 when the SSL switcher is enabled.

chadwick wood’s picture

I'm having the same issues as well. Anonymous users can't get to cart/checkout (it redirects a couple of times and you end up back at cart), and when I'm logged in I get an Access Denied page when I try to go to an Ubercart admin page. My http/https domains are the same, so it's not that.

wiherek’s picture

To fix redirect from cart to checkout: you need to add this line to settings.php:
$conf['https'] = TRUE;
The problem with redirecting back to http pages still exists, however only on Boost cache-enabled pages. Anonymous users going from /cart/checkout to frontpage get the https version. that doesn't happen while redirecting to other pages.

nyleve101’s picture

This is issue only disappeared for me when I added $conf['https'] = TRUE; to my setting.php too.

gkricheldorf’s picture

I'm unable to get the redirect working either. My https and http domains are the same and I have added the $conf['https'] = True; to my settings.php (under sites>default) and have the non-SSL switch enabled.

I can even get my site to load in https by manually tying it in the browser with Ubercart SSL active. It redirects it to http, but when Ubercart SSL is disabled I can access my site with https.

If anyone has some input I would appreciate it.

Running Drupal 7.14
Ubercart 3.1

nyleve101’s picture

OK, so although the addition of $conf['https'] = TRUE; solved my redirect issue I have now noticed that I cannot install a module via the D7 interface. Clicking the install button redirects me to the homepage rather than installing the module.

Is anyone else coming across this?

nyleve101’s picture

crystaldawn’s picture

Status: Active » Fixed

Hmm, I could have sworn I had fixed this issue but I noticed today that the issue still existed in a site I was working on. I've fixed it (again lol) and have uploaded the fix as and added a new release. Mixed SSL mode now works properly again in D7 and no longer requires the https = on config setting. It also now forces you to log in via https when using ssl. This is because D7 http cookie values are NOT compatible with https. So what would happen is if you logged in via http (something my sites dont actually do and I never noticed this issue because all my sites had /user secured) and then you went to an https url, you would get logged out. But if you did it in reverse, logged in via https and then went to a http url, everything worked just fine. So I've incorporated /user as one of the default secured urls to help people solve this problem. I didnt realize so many people were having this issue. It's my fault for not having /user as a default secured path I guess. So, sorry for the long delay in getting this fixed.

You can DL the new release here: http://ftp.drupal.org/files/projects/uc_ssl-7.x-1.02.tar.gz

crystaldawn’s picture

Status: Fixed » Closed (fixed)
ak0073’s picture

hi;
got the alphaSSL and everything is working fine until I installed the uc ssl and switching it on in admin. it ask me relogin. after the relogin I can't seem to do anything as all my admin menu are gone. pls help. thanks

pls take a look at my site. onearmrobot.com any help is appreciated.

Thanks again