View Issue Details

ID: 0006172
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2016-05-17 08:01
Reporter: inlupus
Priority: low
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 4.9.0 / 5.2.0
Target Version:
Fixed in Version:
Summary: 0006172: force_sid is added to all urls if shop is hosted behind a ssl reverse proxy
Description: force_sid is added to urls if the shop is hosted behind a ssl reverse proxy, as the request from the reverse proxy to the shop is sent without ssl. Thus, the isSsl check and the isCurrentUrl check fail.

$_SERVER["HTTP_HOST"] = "testshop.domain.at:443"
Steps To Reproduce: Set up the shop behind a reverse proxy and activate https/ssl.
Additional Information: My solution:

in oxconfig force SSL:

protected function _checkSsl() {
    // ... (existing method body omitted)
    // Mark the request as SSL regardless of how it reached the shop.
    $this->setIsSsl(true);
}

In oxutilsserver.php, remove the port to be able to compare host names (without port postfix):

public function getServerVar($sServVar = null) {
    // ... (existing method body omitted)
    // Strip a ":port" suffix from HTTP_HOST so host names compare equal.
    if ($sServVar === 'HTTP_HOST' && $sValue) {
        $pos = strpos($sValue, ':');
        if ($pos) {
            $sValue = substr($sValue, 0, $pos);
        }
    }
    return $sValue;
}



A config value "assume_secure_protocol = 1", similar to other projects (e.g. piwik), would be nice, which assumes https even if the requests arrive via http.
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: 5.4
MySQL Version: Not defined

Activities

keywan.ghadami

2016-05-17 08:01

developer   ~0011588

There was already one attempt to improve this with
https://github.com/OXID-eSales/oxideshop_ce/pull/339
I wrote how to fix it in server settings, or in config.inc.php.
Anyway, I am thinking about a configuration option in the OXID administration backend, because that question comes up often and the existing solutions depend too much on the hosting environment.
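
An added example, not OXID eShop code and not taken from the reporter or the developer: a stand-alone sketch of the two checks discussed in this issue, which treats a request as SSL only when the forwarded scheme comes from a known proxy address instead of forcing it unconditionally, and strips the port from HTTP_HOST while leaving bracketed IPv6 literals intact. Assumptions: PHP 7 or later, a proxy that sets X-Forwarded-Proto, and the hypothetical names TRUSTED_PROXIES, isRequestSecure and hostWithoutPort.

```php
<?php
// Added example; the function names and the proxy list are assumptions,
// not part of OXID eShop.

// Addresses of reverse proxies allowed to assert the original scheme
// (constructed sample value; replace with the real proxy addresses).
const TRUSTED_PROXIES = ['10.0.0.5'];

/** True if the client-facing request used HTTPS. */
function isRequestSecure(array $server): bool
{
    // TLS terminated by the web server PHP runs under.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Forwarded headers can be set by any client, so only honour them
    // when the connection itself comes from one of our proxies.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return false;
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

/** Host name without a port suffix; bracketed IPv6 literals stay intact. */
function hostWithoutPort(string $host): string
{
    if ($host !== '' && $host[0] === '[') {
        $end = strpos($host, ']');
        return $end === false ? $host : substr($host, 0, $end + 1);
    }
    $pos = strrpos($host, ':');
    return $pos === false ? $host : substr($host, 0, $pos);
}

// Constructed sample requests: one relayed by the proxy, one sent directly
// by a client that sets the forwarded header itself.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
             'HTTP_HOST' => 'testshop.domain.at:443'];
$direct   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https',
             'HTTP_HOST' => 'testshop.domain.at'];

var_dump(isRequestSecure($viaProxy));
var_dump(isRequestSecure($direct));
var_dump(hostWithoutPort($viaProxy['HTTP_HOST']));
var_dump(hostWithoutPort('[2001:db8::1]:443'));
```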