View Issue Details

ID: 0006172
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2023-02-13 09:41
Reporter: inlupus
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: confirmed
Resolution: open
Product Version: 4.9.0 / 5.2.0
Summary: 0006172: force_sid is added to all urls if shop is hosted behind a ssl reverse proxy
Description: force_sid is added to URLs if the shop is hosted behind an SSL reverse proxy, as the request from the reverse proxy to the shop is sent without SSL. Thus, the isSsl check and the isCurrentUrl check fail.

$_SERVER["HTTP_HOST"] = "testshop.domain.at:443"
Steps To Reproduce: set up the shop behind a reverse proxy and activate https/ssl
Additional Information: My solution:

in oxconfig force SSL:

protected function _checkSsl() {
    // ....
    $this->setIsSsl(true); // always treat the request as SSL
}

in oxutilsserver.php remove port to be able to compare host names (without port postfix)

public function getServerVar($sServVar = null) {
    // ...
    // Strip a ":port" suffix from the Host header so host names compare equal
    if ($sServVar === 'HTTP_HOST' && $sValue) {
        $pos = strpos($sValue, ':');
        if ($pos) {
            $sValue = substr($sValue, 0, $pos);
        }
    }
    return $sValue;
}



A config value "assume_secure_protocol = 1" similar to other projects (e.g. piwik) would be nice which assumes https even if the requests arrive via http
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: 5.4
Database Version: Not defined

Relationships

related to 0007223 (resolved, SvenBrunk): force session start leads to sid parameters on all links on first page request

Activities

keywan.ghadami

2016-05-17 08:01

reporter   ~0011588

There was already one attempt to improve this with
https://github.com/OXID-eSales/oxideshop_ce/pull/339
I wrote how to fix it in server settings, or in config.inc.php
Anyway, I am thinking about a configuration option in the OXID administration backend, because that question comes up often and the existing solutions depend too much on the hosting environment.

SvenBrunk

2023-02-13 09:41

administrator   ~0015027

I will keep this as a feature request to make it more user-friendly and document it, but the solution for the configuration (config.inc.php) is simply:

$_SERVER["HTTPS"] = "on";
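
A conditional variant of the config.inc.php setting discussed in this issue, as an added example that is not part of the original comments or of OXID's code: it sets HTTPS only when the request arrives from a known proxy that reports the client used https, so a direct client cannot claim a secure connection by sending the header itself. The proxy address, the X-Forwarded-Proto header and the helper name applyTrustedProxyScheme() are assumptions.

```php
<?php
// Added example, not OXID code. Assumed: the proxy IP below, the
// X-Forwarded-Proto header, and the helper name applyTrustedProxyScheme().

function applyTrustedProxyScheme(array $server, array $trustedProxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $trustedProxies, true)) {
        // Not from our proxy: forwarded headers are client-controlled, ignore them.
        return $server;
    }
    $proto = isset($server['HTTP_X_FORWARDED_PROTO'])
        ? strtolower(trim($server['HTTP_X_FORWARDED_PROTO']))
        : '';
    if ($proto !== 'https') {
        return $server;
    }
    // Same effect as the unconditional $_SERVER["HTTPS"] = "on"; from the issue.
    $server['HTTPS'] = 'on';
    // Drop the default HTTPS port so "host:443" compares equal to "host".
    if (isset($server['HTTP_HOST'])) {
        $server['HTTP_HOST'] = preg_replace('/:443$/', '', $server['HTTP_HOST']);
    }
    return $server;
}

$trustedProxies = array('10.0.0.5'); // constructed address of the reverse proxy
if (PHP_SAPI === 'cli') {
    // Constructed sample requests, for running this file stand-alone.
    $samples = array(
        'via proxy' => array(
            'REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_PROTO' => 'https',
            'HTTP_HOST' => 'testshop.domain.at:443',
        ),
        'direct, spoofed header' => array(
            'REMOTE_ADDR' => '203.0.113.9',
            'HTTP_X_FORWARDED_PROTO' => 'https',
            'HTTP_HOST' => 'testshop.domain.at',
        ),
    );
    foreach ($samples as $label => $request) {
        $r = applyTrustedProxyScheme($request, $trustedProxies);
        echo $label . ': HTTPS=' . (isset($r['HTTPS']) ? $r['HTTPS'] : 'unset')
            . ', HTTP_HOST=' . $r['HTTP_HOST'] . "\n";
    }
} else {
    // In config.inc.php: normalise the real request before the shop reads it.
    $_SERVER = applyTrustedProxyScheme($_SERVER, $trustedProxies);
}
```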