Discussions

Frustrated! SSL checkout & cart not working

I though this module would be better than ubercart but Im not a programmer. It has been frustrating to get anything with SSL to work. Countless post for ubercart and here seem to list these problems yet I haven't seen a fix.
When an a user, whether they are an administrator, anonymous, or authenticated, goes or clicks to the cart or checkout, nothing works. The cart is shown as empty & the checkout redirects to the home page. Using mixed SSL has been bad, but just straight SSL worked, but why does it have to be SSL for every page. All users have access checkout permissions. So why the issue. I have been working on this for three weeks with not luck.
IF ANYONE has the slight fix for this it would be greatly appreciated to not just myself, but alot of others.

Posted: Sep 30, 2011

Comments

rfay Randy Fay on October 3, 2011

This actually has nothing to do with Commerce. It sounds like your webserver configuration or secure_pages configuration is causing the user's cookie to be lost. I actually recommend SSL for every page, as it protects the user's password and cookie from wireless sniffing and such.

scott.carlton on October 3, 2011

Ya that's the way I've gone, but still having other issues. It seems to be one after another. Plus their isn't a UPS shipping module and I have no idea how to write one. I love the power of drupal commerce & drupal itself but it's just worn me down.
Switch to wordpress, but the commerce isn't as powerful.

rfay Randy Fay on October 3, 2011

I certainly know how that goes! It is in fact frustrating.

UPS for Commerce Shipping will be along "real soon now" as shipping is where most of Ryan's effort is going.

scott.carlton on October 5, 2011

Ya, I have been following that lately. Frustration has subside and back to just working on it. Thanks for all your help.

mnols on November 20, 2011

I am having similar issues. Everything is OK in apache (site works fine when all is https) yet using secure pages, I get "page not found" at checkout. I've got checkout/* as the secure page and ignore pages: */autocomplete/*, */ajax/*, batch, js/* Am I missing something?

What is maddening is that everyone keeps saying that the whole site should be SSL. Please look around at industry standard e-commerce practices: CHECKOUT is the only SSL secured part of the interaction. Securing the whole site just makes things easier but for many, many reasons it is not the BEST practice. Has anyone had better luck with ssl checkout?

Prince Manfred on November 20, 2011

You are right about there being a lot of eCommerce sites only using SSL at checkout, but the landscape is changing. Google around about the Firefox extension Firesheep. Basically, it's pretty trivial to hijack a user's session if there are any unsecure portions of the user's interaction with the site. A lot of big name sites (Google and Facebook come to mind) have started switching or at least offering the option for pure SSL sessions.

That's not to say that pure SSL is a perfect fit for all sites. Amazon, for example, doesn't use SSL while shopping. They do make you relogin once you move to checkout, though, and you won't touch an unsecure page from that point.

Now that that is out of the way, to securing your site: Have you looked into using ModRewrite and an htaccess file to redirect to a secure page instead of using a module? To me it seems more like something the server should be handling anyway.

mnols on November 21, 2011

about hubristic analogies to Google & Facebook platforms.

The bottom line is that I have been a huge supporter and user of Drupal for many years and will continue to be, however, I feel a bit misled by D7 versioning (7.9 now) and a non-dev release of Commerce when there are still so many basic problems. I moved my company prematurely onto this platform and I am paying a hefty price for it.

And yes, I have looked into ModRewrite and I am well versed in Apache but no, that is not the problem.