Empty Cart Bug with FORCE_SSL_ADMIN true #2097

Closed
Netzberufler opened this Issue Mar 5, 2014 · 26 comments

5 participants

@Netzberufler

Hi there,

I have recently installed an SSL certificate on my webserver and configured SSL to work manually without using any HTTPS / SSL plugin.

I then noticed some issue with the “Add to Cart” button. It simply didn’t work and the cart always stayed empty.

This issue only happened when I had defined the FORCE_SSL_ADMIN constant in my wp-config.php ( see http://codex.wordpress.org/Administration_Over_SSL ).

I have dug a little bit into the EDD code today and found the following line of code within the edd_get_ajax_url() function:

$scheme = defined( 'FORCE_SSL_ADMIN' ) && FORCE_SSL_ADMIN ? 'https' : 'admin';

Apparently the protocol scheme of the ajax URL is always set to use ‘https’ when the constant is defined. I guess this caused problems on my website because the product pages are not SSL secured and the ajax request does not work cross protocol from http to https.

The function checks if the current frontend page uses https and if that’s the case it does change the ajax URL to https, but does not check the other way round.

Anyway, I have changed the code line above a little bit and added is_ssl() to check if the current page uses http or https. I have also used ‘http’ instead of ‘admin’ to force the ajax url to use http on non-https pages.

$scheme = force_ssl_admin() && is_ssl() ? 'https' : 'http';

This has fixed the issue so far for me.

However, I’m not quite sure if this may break some other Ajax request anywhere. It would be really great if you could look over that function and maybe tweak it a little bit to fix the issue with the next EDD update without breaking any other Ajax requests.

Cheers,
Thomas

@chriscct7
Easy Digital Downloads member

We'll definitely look into fixing this, but just curious, why are you doing SSL on the checkout page but not on the product pages?

@Netzberufler

I have only secured pages where sensitive information is transmitted (e.g. login, checkout), which is not the case on product pages. The main reason to use https on only a few pages was just the fact that http should be more performant than https.

But you're certainly right, maybe the easiest way would be to run all product pages over https as well.

I also was not sure if this is a real bug or not; I just wanted to inform you of what I have discovered, in case some other users have this problem, too ;)

@chriscct7
Easy Digital Downloads member

Yeah, we'll definitely fix it, I was just curious.

@pippinsplugins
Easy Digital Downloads member

Fix looks like it should be good to me. Thanks so much for looking into it and finding a fix! A lot of users have had issues with this, so this should affect a lot of users.

I'm going to milestone for 1.9.9 and test further.

@pippinsplugins pippinsplugins added this to the 1.9.9 milestone Mar 7, 2014
@pippinsplugins pippinsplugins added the Bug label Mar 7, 2014
@Netzberufler

You're welcome and I'm looking forward to seeing the fix in 1.9.9 :)

I'm not sure if the usage of is_ssl() is fine since the function uses a combination of edd_get_current_page_url() and preg_match( '/^https/', $current_url ) instead to determine the protocol. But I guess you'll figure out the best way :)

@merwanluck

Hi! I'm having the same 'empty cart' problem, most likely caused by my new SSL certificate and FORCE_SSL_ADMIN in wp-config.php... Thing is, I do not follow how you fixed it. Could you please explain to me the exact line of code I need to enter and where? Thanks so much

@pippinsplugins
Easy Digital Downloads member

@merwanluck Once I've fully tested this, I will have a complete patch that gives you exact specifics.

@merwanluck

Thanks pippin, when should I expect to see that? I'm sure you recognize my name by now, my online store has been down for a bit, between the mijireh thing and this.

@pippinsplugins
Easy Digital Downloads member

Probably sometime this week.

You can fix it temporarily by either:

A. Disabling SSL on your site
B. Putting SSL across your whole site

@merwanluck

OK, that's not too long. I'm actually using the force_ssl command to force connection to my https. From what I can tell my whole site is covered by SSL using this command. If there is a better way I am open to it. I am skeptical of disabling SSL and allowing customers to send their CC info; isn't this risky? Also, I have just started using the Braintree extension; does that extension utilize Braintree's PCI security gateways?

@merwanluck

OK, so this Ajax function PHP fix worked for me… still need to know about Braintree PCI

@pippinsplugins
Easy Digital Downloads member

@merwanluck All extension questions need to be posted to the support forums, thanks.

@pippinsplugins pippinsplugins added a commit that referenced this issue Apr 4, 2014
@pippinsplugins pippinsplugins Use force_ssl_admin() && is_ssl() in edd_get_ajax_url() to properly set the ajax URL to https if FORCE_SSL_ADMIN is defined. #2097. Props @netzberufler
38ff4c7
@pippinsplugins
Easy Digital Downloads member

Tested and confirmed to work!

@pippinsplugins
Easy Digital Downloads member

Turns out this change has broken ajax actions for sites that use the WordPress HTTPS plugin.

The 1.9.8 version works though:

/**
 * Get AJAX URL
 *
 * @since 1.3
 * @return string
*/
function edd_get_ajax_url() {
    $scheme = defined( 'FORCE_SSL_ADMIN' ) && FORCE_SSL_ADMIN ? 'https' : 'admin';

    $current_url = edd_get_current_page_url();
    $ajax_url    = admin_url( 'admin-ajax.php', $scheme );

    if ( preg_match( '/^https/', $current_url ) && ! preg_match( '/^https/', $ajax_url ) ) {
        $ajax_url = preg_replace( '/^http/', 'https', $ajax_url );
    }

    return apply_filters( 'edd_ajax_url', $ajax_url );
}
@pippinsplugins pippinsplugins reopened this May 6, 2014
@pippinsplugins pippinsplugins modified the milestone: 1.9.9.1, 1.9.9 May 6, 2014
@pippinsplugins
Easy Digital Downloads member

I haven't yet been able to fully track this down, but for now I have to revert this change. We've already had several priority tickets related to this breaking sites.

@Netzberufler If you need to apply it to your own site, you can use the edd_ajax_url filter to adjust it.
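
One way to use the edd_ajax_url filter mentioned in the comment above, as an added example that is not part of the thread or of EDD's own code: it keeps the AJAX endpoint on the same scheme as the page that renders it, so the cart request stays same-origin. The function name `my_edd_same_scheme_ajax_url` is hypothetical, and the sketch assumes is_ssl() reports the page scheme correctly on the server in question.

```php
<?php
/**
 * Added example (not EDD code): match the scheme of EDD's AJAX URL to the
 * scheme of the page being rendered.
 *
 * Background: a page loaded over http that posts to an https admin-ajax.php
 * URL makes a cross-origin request. Unless the script opts in with
 * xhrFields.withCredentials, the browser does not attach cookies to it, so
 * the server cannot associate the request with the visitor's cart session.
 *
 * Assumption: is_ssl() is accurate here. It inspects $_SERVER['HTTPS'] and
 * the server port, so behind a TLS-terminating proxy or an HTTPS plugin it
 * may not reflect the scheme the browser actually used.
 */
function my_edd_same_scheme_ajax_url( $ajax_url ) {
	// Scheme of the request that is rendering the current page.
	$page_scheme = is_ssl() ? 'https' : 'http';

	// Only rewrite URLs that point at this site's own host. If the hosts
	// differ, the request is cross-origin whatever the scheme, so a scheme
	// rewrite would not help and the URL is returned unchanged.
	$ajax_host = parse_url( $ajax_url, PHP_URL_HOST );
	$site_host = parse_url( home_url(), PHP_URL_HOST );
	if ( ! $ajax_host || ! $site_host || 0 !== strcasecmp( $ajax_host, $site_host ) ) {
		return $ajax_url;
	}

	// set_url_scheme() swaps http/https and leaves host, path and query alone.
	return set_url_scheme( $ajax_url, $page_scheme );
}
add_filter( 'edd_ajax_url', 'my_edd_same_scheme_ajax_url' );
```

On a site served entirely over HTTPS the filter is a no-op, because the page scheme and the AJAX URL scheme already agree.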

@pippinsplugins pippinsplugins reopened this May 6, 2014
@pippinsplugins pippinsplugins removed this from the 1.9.9.1 milestone May 6, 2014
@andyba45

Prior to the release of 1.9.9 I was experiencing the empty cart when ajax was enabled. I modified the edd-ajax.js and edd-ajax.min by adding this to the two ajax calls:

        xhrFields: {
            withCredentials: true
        },

That solved my problem with the empty cart issue. When EDD 1.9.9 was released, it worked for me as well, but when it was taken out, the ajax stopped working and I had empty cart syndrome again. I have since added it back and it's working again.

Food for thought, it may not be an end all be all.

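In the end, this is how I implemented it.

        $.ajax({
            type: "POST",
            data: data,
            dataType: "json",
            url: edd_scripts.ajaxurl,
            xhrFields: {
                // Send cookies even when the request is cross-origin (http page, https ajax URL)
                withCredentials: true
            },
            // ... remaining options of the existing call in edd-ajax.js unchanged
        });
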
@pippinsplugins
Easy Digital Downloads member

EDD 1.9.9.2 has it fixed again.

@andyba45

Sorry, I should have clarified, when I updated to 1.9.9.2 that is when the empty cart syndrome returned for me. 1.9.9 did work for me, no empty cart with ajax enabled.

@pippinsplugins
Easy Digital Downloads member

Do you have FORCE_ADMIN_SSL defined or are you using the WordPress HTTPS plugin?

@andyba45

I've got FORCE_ADMIN_SSL defined and I'm using this hack from yoast for my check out page

function yst_ssl_template_redirect() {
    if ( is_page( 123 ) && ! is_ssl() ) {
        if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
            wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']), 301 );
            exit();
        } else {
            wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
            exit();
        }
    } else if ( !is_page( 123 ) && is_ssl() && !is_admin() ) {
        if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
            wp_redirect(preg_replace('|^https://|', 'http://', $_SERVER['REQUEST_URI']), 301 );
            exit();
        } else {
            wp_redirect('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
            exit();
        }
    }
}
add_action( 'template_redirect', 'yst_ssl_template_redirect', 1 );

@pippinsplugins
Easy Digital Downloads member

Is 123 the ID of your checkout page?

@andyba45

yes, the page id number of whatever page you wanted ssl on.

@chriscct7 chriscct7 added this to the 2.1 milestone May 25, 2014
@pippinsplugins
Easy Digital Downloads member

@andyba45 I've just committed the fix for xhrfields. Any chance you'd be able to test it on your site?

@pippinsplugins
Easy Digital Downloads member

I just tested this on a live site and it worked perfectly for me now.

@andyba45

I took a quick look, that's exactly how I've been editing it. I would add it to edd-ajax.min also. I'll download tomorrow and give it a quick test, but I think it's solid.

Thanks Mucho!!

@pippinsplugins
Easy Digital Downloads member