Magento – Cookie-/ Session Problem after SSL Proxy Configuration

admincookiesession

I recently set up my store to use an SSL proxy for secure connections.

On Frontend everything works fine since I activated the configuration otion "Use SID in Shop frontend". A session variable is added to each URL and the Session sharing between the proxy and my website works.

As an example the url looks like this:

https://ssl.webpack.de/{{shopname}}/customer/account/login/?SID=6j807xxwgbtvlj1qns3abc1a50

However this does not work for the backend. There is no option to add the SID to admin URLs.
Does anyone now how to get the backend working with ssl proxy.

Another option would be to set the cookie correctly for .webpack.de – but whenever Magento tries to set a cookie with the session information, it takes the shopname as Domain. Which is not correct for the secure environment. I am using Magento CE Version 1.7.0.2.

Best Answer

it seems your session not set properly for your ssl url,

you check for the cookies that

Ensure you have mod_headers.so enabled in Apache instance
Add following entry in httpd.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Restart Apache Web Server

Note: Header edit is not compatible with lower than Apache 2.2.4 version. You can use following to set HttpOnly and Secure flag in lower than 2.2.4 version. Thanks to Ytse for sharing this information.

Header set Set-Cookie HttpOnly;Secure

Open your website with HTTP Watch, Live HTTP Header or HTTP Header Online tool.

Check HTTP response header, you should see as highlighted

Related Solutions

Magento – Erratic cookie-related login problem

This is an article from NovusWeb: http://www.novusweb.com/fix-for-passing-magento-session-ids/

Fix for Passing Magento Session IDs

Author: Brett Williams

Posted November 9, 2011

Fixing Magento Session IDs

We often use shared SSL’s when building e-commerce sites. It’s a convenient way of hosting multiple stores without having to purchase separate SSL certificates for each site. Most of our e-commerce clients manage multiple stores within a single Magento or OpenCart installation. Recently, we found a problem with Magento where the customer’s session ID was not being passed successfully between their initial visit to the site and their page views after logging into the store as a registered customer. Magento was not passing the same session IDs, and this meant that a customer who had previously logged in and added items to their cart, would lose the contents of their cart after returning later and logging in. Not a great situation.

In looking at the cookies created during a session, I found that when going from an unsecure domain (i.e., http://) to a secure domain (i.e., https://), the session ID was being passed successfully and a new cookie for the secure domain was created with the same session ID as the unsecure domain. However, when the customer logged in, a new cookie was created for the secure domain with an entirely new session ID. Magento was now using the newer cookie, and whenever the customer clicked to go back into an unsecure domain page (e.g. product detail page), they were no longer logged into Magento as the unsecure domain was using its cookie/session ID, not the new session ID created at login. The solution would be to find where the new session ID was being created and prevent that from occurring.

So, I began digging into the code to see if I could find where Magento was creating the new session.

In app/code/core/Mage/Customer/Model/session.php, I found this at lines 177-189 (Magento CE 1.5.1):

public function login($username, $password)
{
/** @var $customer Mage_Customer_Model_Customer */
$customer = Mage::getModel('customer/customer')
->setWebsiteId(Mage::app()->getStore()->getWebsiteId());

if ($customer->authenticate($username, $password)) {
    $this->setCustomerAsLoggedIn($customer);
    $this->renewSession();
    return true;
}
return false;
}

My solution was to comment out the line: $this->renewSession():, so that Magento would not create a new session when the customer logged in. The changed code looks like this:

public function login($username, $password)
{
/** @var $customer Mage_Customer_Model_Customer */
$customer = Mage::getModel('customer/customer')
->setWebsiteId(Mage::app()->getStore()->getWebsiteId());

if ($customer->authenticate($username, $password)) {
    $this->setCustomerAsLoggedIn($customer);
    //$this->renewSession();
    return true;
}
return false;
}

So far in our testing, everything is working just fine, and the customer’s session is being retained between domains. Now, before you rush to change this core file, do the following:

Backup your databases (you should always do this before making any modifications). Build the following directory hierarchy: app/code/local/Mage/Customer/Model/. Put a copy of session.php into this new directory. Comment out the appropriate line, shown above, and save your file. By putting your modifications into the app/code/local directory, you’re telling Magento to use these files instead of the core files. More importantly, you’re preventing the loss of your modifications should you update Magento in the future.

It also provides a convenient way to store and manage your code modifications, as you only need to keep modified files in the app/code/local directory.

Be sure to leave a comment if you know of a more elegant solution, or if you find this works or doesn’t work for you.

Admin Login Problems – Correct Settings for Session Cookie Management

"I always have admin login problems" is a bit vague but here goes

Under System > Configuration > Web the settings should be as follows

enter image description here

Also set "Session Lifetime (seconds)" under System > Configuration > Admin to a high value like 7200 so you don't need to login repeatedly

Best Answer

Related Solutions

Magento – Erratic cookie-related login problem

Admin Login Problems – Correct Settings for Session Cookie Management

Related Topic