View Issue Details

ID: 0006172
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2023-02-13 09:41
Status: confirmed
Resolution: open
Product Version: 4.9.0 / 5.2.0
Target Version:
Fixed in Version:
Summary: 0006172: force_sid is added to all urls if shop is hosted behind a ssl reverse proxy
Description: force_sid is added to urls if the shop is hosted behind a ssl reverse proxy, as the request from the reverse proxy to the shop is sent without ssl. Thus, the isSsl check and the isCurrentUrl check fail.

Steps To Reproduce: set up shop behind a reverse proxy and activate https/ssl
Additional Information: My solution:

in oxconfig force SSL:

protected function _checkSsl() {

in oxutilsserver.php remove port to be able to compare host names (without port postfix)

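public function getServerVar($sServVar = null) {
    // ... the existing lookup that fills $sValue is not shown in this excerpt ...
    if ($sServVar === 'HTTP_HOST' && $sValue) {
        // Strip a trailing ":port" so host names can be compared
        $pos = strpos($sValue, ':');
        if ($pos) {
            $sValue = substr($sValue, 0, $pos);
        }
    }
    return $sValue;
}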

A config value "assume_secure_protocol = 1" similar to other projects (e.g. piwik) would be nice which assumes https even if the requests arrive via http
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: 5.4
Database Version: Not defined


related to 0007223 (resolved, Sven Brunk): force session start leads to sid parameters on all links on first page request



2016-05-17 08:01

reporter   ~0011588

There was already one attempt to improve this with
I wrote how to fix it in server settings, or in
Anyway, I am thinking about a configuration option in the OXID administration backend, because that question comes up often and the existing solutions depend too much on the hosting environment.

Sven Brunk

2023-02-13 09:41

administrator   ~0015027

I will keep this as a feature request to make it more user-friendly and document it, but the solution for the configuration ( is simply:

$_SERVER["HTTPS"] = "on";
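
An added example, not part of the issue thread and not OXID's own code: the HTTPS assignment and the reporter's port stripping from this issue, gated so that the proxy's `X-Forwarded-Proto` header is honoured only when the request arrives from a known proxy address. The function names, the `TRUSTED_PROXIES` list and the sample requests are assumptions, as is a proxy that sets `X-Forwarded-Proto`; the code needs PHP 7 or later.

```php
<?php
// Added example. Hypothetical helper names; addresses are constructed samples.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

// True if the client-facing connection used HTTPS. The forwarded header is
// honoured only when the direct peer is a known proxy, because any client
// can send X-Forwarded-Proto itself.
function isClientConnectionSecure(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true; // TLS terminated by this web server
    }
    if (!in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true)) {
        return false; // header from an unknown peer is ignored
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

// Host name without ":port", leaving bracketed IPv6 literals intact.
function hostWithoutPort(string $host): string
{
    if ($host !== '' && $host[0] === '[') {
        $end = strpos($host, ']');
        return $end === false ? $host : substr($host, 0, $end + 1);
    }
    $pos = strrpos($host, ':');
    return $pos === false ? $host : substr($host, 0, $pos);
}

// Constructed sample requests: one via the proxy, one direct with a forged header.
$samples = [
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_HOST' => 'shop.example:8080'],
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_HOST' => 'shop.example'],
];

foreach ($samples as $request) {
    if (isClientConnectionSecure($request)) {
        $request['HTTPS'] = 'on'; // the assignment from the note above, now conditional
    }
    printf(
        "host=%s peer=%s https=%s\n",
        hostWithoutPort($request['HTTP_HOST']),
        $request['REMOTE_ADDR'],
        $request['HTTPS'] ?? 'off'
    );
}
```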