Sorry if this is the wrong issue queue for this. There's quite a few components here so I really have no idea where the problem lies. I posted to the Aegir group but haven't received a response, so I'm guessing it's time for a proper support request in the issue queue. You can see my post here: http://groups.drupal.org/node/44214
So I have SSL installed and working, mostly. When I log in I have to log in twice. Once for the http site once for the https site. Then when I log out, I get "access denied." As an anonymous user I cannot add products to the cart. It simply says "Your cart is empty." There are more details in the group post linked to above.
This is my config file for the ssl site:
# SSL configuration for Aegir site
# Note that this file is not managed by Aegir
<VirtualHost [mydedicatedip]:443>
RewriteEngine On
SSLEngine On
ServerAdmin webmaster@localhost
ServerName [mydomain].com
ServerAlias www.[mydomain].com
DocumentRoot /var/aegir/platforms/[mydomain]-import
# Details of the SSL Cert
SSLCertificateFile /var/aegir/ssl/certs/[mydomain]_com.crt
SSLCertificateKeyFile /var/aegir/ssl/[mydomain].com.key
SSLCACertificateFile /var/aegir/ssl/certs/ca.txt
# This is important to prevent session hijacking
php_value session.cookie_secure 1
# Extra configuration from modules:
# Error handler for Drupal > 4.6.7
<Directory "/var/aegir/platforms/[mydomain]-import/sites/[mydomain].com/files">
SetHandler This_is_a_Drupal_security_line_do_not_remove
</Directory>
</VirtualHost>
Webserver info: Apache/2.2.9 (Debian) PHP/5.2.12-0.dotdeb.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
Comments
Comment #1
joestewart commented: Only addressing the part about having to log in to http and https separately. This is at least partly due to this setting:
php_value session.cookie_secure 1
When using the ssl version, it uses a different session cookie. See: http://drupal.org/files/issues/cookie-secure_2.patch
Not trying to give much of an answer, just more clues.
Comment #2
anarcat commented: session.cookie_secure makes sure that the browser will not send a cookie created over SSL to a non-SSL connection and vice versa. It's an essential part of SSL security, as without this setting it's fairly easy to set up a Man-In-The-Middle (MITM) attack just by setting up a non-SSL proxy in front of the SSL website and collecting credentials.
I'm not sure how secure pages work in that context or how you have configured it, but it sure looks like a more likely culprit in this case: if it makes the site switch between SSL and non-SSL during the user experience, that's clearly going to create problems, and I fail to see how that is supposed to work in the first place. However, you have not provided details on how this works for you: do anonymous users browse the site in non-SSL? Do you even allow non-SSL connections? Or is the user always using the site in SSL mode?
The cookie-secure patch (http://drupal.org/files/issues/cookie-secure_2.patch) looks pretty interesting. Have you tried the patch (which touches core, nothing less)? I *think* we could adapt it to Aegir so that it does something similar in the Apache configuration, but I would first need to know if it's been applied to core or where you actually found that patch. ;)
Thanks,
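A small model of the cookie behaviour described in the comment above, added here as an example and not code from this thread, from Drupal or from Aegir. The cookie name and session ids are constructed, and the distinct_ssl_name switch is an assumption standing in for a core fix that gives the SSL-only session a cookie name of its own; the model shows why the Secure flag forces a second login over http, how a same-name non-SSL cookie then overwrites the SSL one, and what crosses plaintext when the flag is simply dropped.

```python
"""Model of a browser cookie jar plus the session cookie each vhost issues
(added example; cookie name, session ids and the distinct-name switch are
constructed assumptions, not Drupal code)."""

NAME = "SESSION"   # stands in for Drupal's SESS<hash> cookie name (constructed)

class CookieJar:
    """RFC 6265-style jar for one host: a Secure cookie is only attached to
    https requests; storing a cookie replaces any existing one of that name."""
    def __init__(self):
        self.cookies = {}                      # name -> (value, secure flag)

    def store(self, name, value, secure):
        self.cookies[name] = (value, secure)

    def sent_on(self, scheme):
        return {n: v for n, (v, secure) in self.cookies.items()
                if scheme == "https" or not secure}

def cookie_name(scheme, cookie_secure, distinct_ssl_name):
    """Name the vhost's PHP session uses; distinct_ssl_name is the assumed
    core fix that gives the SSL-only session its own cookie name."""
    if scheme == "https" and cookie_secure and distinct_ssl_name:
        return "S" + NAME
    return NAME

def walk(cookie_secure, distinct_ssl_name=False):
    """Checkout over https, back to http, then https again. Returns the logins
    needed and whether the final https session id ever crossed plaintext."""
    jar, logins, seen_in_clear = CookieJar(), 0, set()

    def login(scheme):                         # regenerate id + Set-Cookie
        nonlocal logins
        logins += 1
        sid = f"{scheme}-sid-{logins}"         # constructed session id
        if scheme == "http":                   # Set-Cookie itself went in clear
            seen_in_clear.add(sid)
        jar.store(cookie_name(scheme, cookie_secure, distinct_ssl_name), sid,
                  secure=(scheme == "https" and cookie_secure))

    def request(scheme):                       # session_start(): cookie or None
        sent = jar.sent_on(scheme)
        if scheme == "http":
            seen_in_clear.update(sent.values())
        return sent.get(cookie_name(scheme, cookie_secure, distinct_ssl_name))

    login("https")
    if request("http") is None:                # the "log in twice" experience
        login("http")
    final = request("https")
    return {"logins": logins, "https_sid": final,
            "https_sid_in_clear": final in seen_in_clear}
```

walk(False) needs one login but the session id travels over plaintext; walk(True) needs two and the http login overwrites the SSL cookie; walk(True, True) still needs two logins but keeps the SSL session off the wire.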
Comment #3
butler360 commented: The way it worked before I migrated to Aegir (but also a new host) was that everything was http until going to certain pages, such as the admin area or checking out with Ubercart. When leaving those pages, though, SecurePages would switch back to http as it's less intensive for the server. A customer could browse anonymously, add the item to their cart, be prompted to log in, then get redirected to SSL for checkout, all while keeping the products in the cart and their login session. It was as if http and https were the same site. Now it's like they are two separate sites. I suppose the site was much less secure in that mode? But it did work in the way I, and most people, expect an e-commerce site to run. I know I've never had to log in twice (once for http, once for https) on any major shopping site.
I haven't tried that patch. I don't know where it came from or if it's safe to apply, really. If you think I should give it a try, though, I will.
Comment #4
joestewart commented: Sorry folks, didn't realize I didn't give that patch any context or say that it was applied to core. The issue was #170310: session.cookie_secure: SSL cookie gets over-written by non-SSL cookie. It should already be in bootstrap.inc. Pressflow has some differences around there but I think that part is the same.
Comment #5
butler360 commented: Well, I'm on alpha6 now, and it's still the same problem. The only way I can get it to work as I expected is to remove that part about the session hijacking. Then it works perfectly, but what are the risks? Is that just an ultra-paranoid precaution against a highly unlikely attack or a very real and urgent issue? Any other suggestions? I still don't know what to do with that patch above.
Comment #6
cknoebel commented: I've been wrestling with this issue also. (I'm running Aegir 0.3 with Ubercart. I successfully installed an SSL cert per http://groups.drupal.org/node/25038 .)
Can someone comment on the viability of removing
php_value session.cookie_secure 1
and using Secure Pages Hijack Prevention (http://drupal.org/project/securepages_prevent_hijack) instead? Its README.txt says, "It's *not* necessary to change your PHP cookie settings ... In fact, setting session.cookie_secure would defeat the purpose of this module, and will give you a warning on your site's status page."
I've been fooling with it this afternoon. I'm successfully moving between http and https and seeing a logged in user's shopping cart block consistently. Any thoughts on this module as a safe replacement for the php/vhost approach?
Comment #7
adrian commented: The rewritten SSL support in head works perfectly fine with secure pages.
On the site form: http://skitch.com/vertice/dc8w8/create-site-t-4
you select 'enabled', and it will allow you to use the securepages module to redirect between sections.