Infinite Loop When Ssl Enabled

jared · June 23, 2015, 12:00am

Hi guys,

Experiencing issue with SSL enabling.

I had installed certificate on the server and enabled SSL inside CS-Cart settings, but when I’m trying reach secured version (https://…) it’s always redirects me to non-secure (http://…)

I also tried to set redirects inside .htaccess but this created infinite loop of calls http → https → http.

After hours of researching I have found that somewhere script calls for local redirect fn and when I disabled everything inside this function - secure version works. This is not coolest way to solve the issue so I decided to create topic here.

Issue appears only on front-end part. Admin subset works good.

CS-Cart version: 3.0.6 (can’t update because of custom integrations and theming)

config.local.php

<br />
...<br />
// Host and directory where software is installed on no-secure server<br />
$config['http_host'] = 'www.example.co.uk';<br />
$config['http_path'] = '';<br />
<br />
// Host and directory where software is installed on secure server<br />
$config['https_host'] = 'www.example.co.uk';<br />
$config['https_path'] = '';...<br />

```<br />
<br />
[b]config.php:[/b]<br />
```php
<br />
...<br />
<br />
$config['http_location'] = 'https://' . $config['http_host'] . $config['http_path'];<br />
$config['https_location'] = 'https://' . $config['https_host'] . $config['https_path'];<br />
$config['current_location'] = (defined('HTTPS')) ? $config['https_location'] : $config['http_location'];<br />
...<br />
<br />

imac · June 23, 2015, 12:00am

[quote name='jared' timestamp='1435049229' post='220029']

After hours of researching I have found that somewhere script calls for local redirect fn and when I disabled everything inside this function - secure version works. This is not coolest way to solve the issue so I decided to create topic here.

[/quote]

jared,

post the code that you disabled. This could help to understand the issue.

flapcat · June 23, 2015, 12:00am

I'm glad I'm not the only one with this issue. I've tried setting up SSL on my site today too and followed the instructions for version 3.0.6 as per the knowledge base article.

If I include the

RewriteCond %{SERVER_PORT} 80

in .htaccess, then the admin side has SSL enabled, however as soon as I enter

RewriteRule ^(.*)$ https://www.your_domain.com/$1 [R,L,NE]

into the .htaccess file the front end of the website goes down into the infinite loop just as Jared has described.

If there is anything that needs disabling in code or the Rewrite rules need to be configured differently then it would be nice to know.

johnbol1 · June 23, 2015, 12:00am

[quote name='Flapcat' timestamp='1435097895' post='220136']

I'm glad I'm not the only one with this issue. I've tried setting up SSL on my site today too and followed the instructions for version 3.0.6 as per the knowledge base article.

If I include the

RewriteCond %{SERVER_PORT} 80

in .htaccess, then the admin side has SSL enabled, however as soon as I enter

RewriteRule ^(.*)$ https://www.your_domain.com/$1 [R,L,NE]

into the .htaccess file the front end of the website goes down into the infinite loop just as Jared has described.

If there is anything that needs disabling in code or the Rewrite rules need to be configured differently then it would be nice to know.

[/quote]

First of all make sure you add 301 or you will lose all your link juice after changes

as per this post http://forum.cs-cart…-site-be-aware/

@IMAC the KB has been changed for 4.2X but but not for lower versions

and second question…you did put YOUR OWN web address in didnt you (stupid question I know but it has been done before)

RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.yourwebaddresshere/$1 [R=301,L,NE]

imac · June 24, 2015, 12:00am

[quote name='johnbol1' timestamp='1435102543' post='220140']

@IMAC the KB has been changed for 4.2X but but not for lower versions

[/quote]

johnbol1,

Can you please provide more details on this?

jared · June 24, 2015, 12:00am

@imac

I had disabled fn_redirect function in fn.common.php

function fn_redirect($location, $no_delay = false, $allow_external_redirect = false) { /* ... */ }

I need to realise where exactly it calls and fix condition.

But it's breaking entire redirect functional everywhere where needed, such like merchant, login redirects, etc.

The problem is not in the ssl installation or redirect implementation server side but something wrong with recognising https and providing correct condition for that.

What might be:

Site can't recognise correct URI and then just forwarding to http_host

@johnbol - as you can see from my first post, the problem is not in implementing redirects inside .htaccess. Example of configuration posted previously.

Thanks,

Jared.

johnbol1 · June 24, 2015, 12:00am

[quote name='imac' timestamp='1435125472' post='220152']

johnbol1,

Can you please provide more details on this?

[/quote]

Sure see this post below. I informed your guy and he changed the KB for V4.2.x version tab but not for other version tabs

Http To Https Redirect Whole Site Be Aware - SEO - CS-Cart Community Forums

see tab 4.2.x states to use 301 in the code but other version tabs do not show to use 301.

Thanks

John

jared · June 29, 2015, 12:00am

Hi guys,

Any update on this topic that may solve SSL infinite loop issue?

Thanks,

Jared.

jared · June 29, 2015, 12:00am

Also tested couple options and I'm pretty sure that issue inside CS-Cart core, not server configuration or htaccess:

OK:

https://www.example.com/admin.php and everything inside - works perfect

Uploaded test file and tried direct injection:

OK:
https://www.example.com/i.php

Everything works, ssl shown, nothing redirects.

Not OK:
https://www.example.com/ - started redirecting to not-secure http connection.
https://www.example.com/something-on-front - same, redirecting to non-secure…

Thanks,

Jared.

ecomlabs · June 30, 2015, 12:00am

Please provide us with the temporary FTP access so that we can find the reason of the redirect loop

hellomyfriends · March 8, 2017, 12:00am

Anyone has fixed this? I have the same issue.

Please help me.

ibizo · March 13, 2017, 12:00am

There is mistake in the kb docs as allways!!

If you want to activate secure connection for all urls, you need to only enable "Keep HTTPS connection once a secure page is visited"

not to enable ~~Enable secure connection at checkout, Enable secure connection in the administration panel, Enable secure connection for authentication, profile and orders pages~~

because if you enable all those options, there is loop

just for your info :)

ecomlabs · March 13, 2017, 12:00am

Anyone has fixed this? I have the same issue.

Please help me.

app/Tygh/Bootstrap.php

Please check the detectHTTPS function here. Sometimes even if the SSL is installed, the system cannot meet the conditions of the function

hellomyfriends · March 15, 2017, 12:00am

There is mistake in the kb docs as allways!!

If you want to activate secure connection for all urls, you need to only enable "Keep HTTPS connection once a secure page is visited"

not to enable ~~Enable secure connection at checkout, Enable secure connection in the administration panel, Enable secure connection for authentication, profile and orders pages~~

because if you enable all those options, there is loop

just for your info :)

I can't login to Admin CP when SSL enabled on my VPS.

https://sieuthilangson.vn/quantrils.php

https://sieuthilangson.vn/vendor.phpvendor loop too.

app/Tygh/Bootstrap.php

Please check the detectHTTPS function here. Sometimes even if the SSL is installed, the system cannot meet the conditions of the function

I tried comment out // return false; but it doesn't work.

public static function detectHTTPS($server)
    {
        if (
            (isset($server['HTTPS']) && (strcasecmp($server['HTTPS'], 'on') === 0 || $server['HTTPS'] == '1')) ||
            (isset($server['HTTP_X_FORWARDED_SERVER']) && (strcasecmp($server['HTTP_X_FORWARDED_SERVER'], 'secure') === 0 || $server['HTTP_X_FORWARDED_SERVER'] == 'ssl')) ||
            (isset($server['SCRIPT_URI']) && (strpos($server['SCRIPT_URI'], 'https') === 0)) ||
            (isset($server['HTTP_HOST']) && (strpos($server['HTTP_HOST'], ':443') !== false)) ||
            (isset($server['HTTP_X_FORWARDED_HTTPS']) && (strcasecmp($server['HTTP_X_FORWARDED_PROTO'], 'on') || $server['HTTP_X_FORWARDED_PROTO'] == '1')) ||
            (isset($server['HTTP_X_FORWARDED_PROTO']) && $server['HTTP_X_FORWARDED_PROTO'] == 'https') ||
            (isset($server['HTTP_X_HTTPS']) && (strcasecmp($server['HTTP_X_HTTPS'], 'on') === 0 || $server['HTTP_X_HTTPS'] == '1')) ||
            (isset($server['SERVER_PORT']) && $server['SERVER_PORT'] == 443)
        ) {
            return true;
        }
    // return false;
}

hellomyfriends · March 21, 2017, 12:00am

My issue fixed.

In case you cannot access your admin CP (yourdomain/admin.php) when SSL enabled.

1. Login phpmyadmin, find settings_objects table and change secure_admin's value from "N" to "Y"

2. Delete all categories in var/cache via FTP.

3. Try to access your admin CP by hard fresh or delete Browser's cache/history or try a new browser.

Hope will help.

hellomyfriends · March 22, 2017, 12:00am

2. (Edited) I mean delete all folders in var/cache via FTP.

This fix for Multi-vendor edition

mariush · April 21, 2020, 12:00am

3 years later, the problem is still there

Lucky me I found

My issue fixed.

In case you cannot access your admin CP (yourdomain/admin.php) when SSL enabled.

1. Login phpmyadmin, find settings_objects table and change secure_admin's value from "N" to "Y"

2. Delete all categories in var/cache via FTP.

3. Try to access your admin CP by hard fresh or delete Browser's cache/history or try a new browser.

Hope will help.

3 years laters, the problem still exists.

Thank you for your post, saved me from going crazy