httpd-users mailing list archives

From Rich <a...@rbentley.com>
Subject [users@httpd] https redirect between domains failing
Date Sun, 12 Jun 2005 14:26:04 GMT

Hello all,

Firstly, I have to admit that I'm not sure where the fault lies here,
but I'm pretty sure it's a server issue, so here goes.

I have a shop running on Apache 2 / PHP (actually oscommerce).

I am using an external payment gateway to handle credit card
transactions. So the user is passed to the payment gateway site, then
after processing the credit card, is passed back to my site. The
callback address is passed to the payment gateway as part of the
transaction.

The callback request back to my site is performed via a GET and I can
opt to have it made either as a http or https request; the latter
obviously being the more desirable as the callback includes some
parameters that I want to capture that are of a sensitive nature.

If I opt for the callback to be a http request, the transfer works ok;
the http request is made on my site, is actually redirected to make it
into a https request (by virtue of the PHP application), and the browser
displays the "your order has been received" page. No problem with this.

However...

If I opt to have the callback request as https, it all seems to go wrong
- The browser seems to get horribly confused when the callback is made
back to my site. The request is made (as far as I can tell, correctly),
but the browser still displays the URL of the payment gateway. The
little padlock on the browser still has the name of the payment gateway
(on Firefox), and only half the "your order has been received" page is
rendered. I can continue to move about my site, but _sometimes_ the 
browser seems to remain very confused (still displaying the URL of the 
payment gateway and displaying half/broken pages) until I select a 
non-SSL (http) page, after which it seems to sort itself out. The rest 
of the time, the browser corrects itself as soon as I select another 
page (or just refresh the current page).

By the way, when I say 'half a page', I mean that none of the images are 
displayed. And no, this is not because I'm stopping images being 
displayed over the SSL connection. It's because the browser is only 
making a single request per page (i.e. not following up any links within
the page).

I have tried this with MSIE, Firefox and Safari and the result is the
same, so I'm guessing that it's a server issue rather than a browser fault.

It's almost as if the browser is not realising that the SSL page on the
payment gateway and the SSL page on my site do not use the same keys
(obviously they don't). However, it must be making a correct SSL 
connection to my site otherwise it would not display anything at all. I 
DO use a different certificate authority to the payment gateway - maybe 
this has something to do with it, though it suggests a bug if it does.

Even if this were true, I have no idea why the browser would not try and 
read the images for the page; the HTML it receives back is exactly the
same as any other request and besides a refresh of the page often 
corrects the problem.

I was wondering if I need to force an SSL renegotiation when the callback
page is first displayed but I can't see anything in either the Apache
config or PHP that might do this (or even if it's the answer). Anyway,
PHP doesn't care what type the connection is, so I don't expect to find
any answers there.

For the record, there are no errors being reported by the browser or
Apache or PHP.

I have looked about and I have only found one other instance of someone 
having a similar problem, but no answer was suggested.

If anyone out there can suggest what's going on then I'm all ears.

regards,

Rich.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

