I'm running a multi-website store on Magento 1.7.0.2. Namely, I have two websites configured, and each website has just one store view.
When I'm on the product view page and click on the link "Add to Wishlist", the message that prompts me to log in first does not appear at all, and of course, the product is not added to my wishlist. When I log into the store of either of the two websites and try the same operation, the product is not added to my wishlist either.
If I log into the store of either of the two websites and add a product to my shopping cart first, then I can move it from my shopping cart to my wishlist and vice versa.
I believe that the problem occurs due to the multi-website setup, as I see no problem in my test environment, which has the same software (Magento version & extensions) but has just one website with a single store and a single store view.
I activated Firebug and when I click the link "Add to Wishlist" on the product view page, Firebug shows the below:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.dlastore.com/e_store/ajaxwishlist/index/add/product/4505/form_key/vke8mTywPe8piFw0/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
If I add the below lines to my .htaccess file, I no longer get the error "CORS header ‘Access-Control-Allow-Origin’ missing". But I'm always asked to log in to the store first, even though I'm already logged in.
# Allow any origin to read responses (wildcard; see the answer below about restricting it)
Header set Access-Control-Allow-Origin "*"
# Request headers the browser may send on a cross-origin request
Header set Access-Control-Allow-Headers "origin, x-requested-with, content-type"
# HTTP methods permitted for cross-origin requests
Header set Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
# Correct header name is Access-Control-Allow-Credentials (there is no "Max-Credentials");
# note that browsers refuse to expose a credentialed response when the allowed origin is "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Origin "*"
This should not be so relaxed; it should contain the names of the origins that are allowed to make AJAX calls. This is useful to protect your customers from cross-site scripting vulnerabilities.
In your case, regarding login/logout, it's probably due to the fact that you're using both HTTP and HTTPS, and that's why you have two different cookies on the same domain. In order to solve that, go to Magento Admin -> System -> Configuration -> Web. In "Session Cookie Management" and "Session Validation Settings" you can configure how your cookie will be used, which domain will be used, etc.
Or, you can just force all your customers to use HTTPS URLs only, and you'll not have any issue with login/logout and CORS. Just in the sections "Secure" and "Unsecure" change all URLs to have the https prefix.
You are right; the problem occurs due to the change from HTTP to HTTPS when I try to add a product to my wishlist using a theme that uses AJAX for that purpose. The problem does not appear if I go to the back-end at System > Configuration > GENERAL > Web > Secure and set the parameter "Use Secure URLs in Frontend" to "No".
How can I work this out via making appropriate settings for the sections "Session Cookie Management" and "Session Validation Settings" instead of making all URLs via HTTPS?
There is a rule about HTTP/HTTPS:
- if you're visiting the website via HTTP, then all hyperlinks and AJAX calls must be HTTP
- if you're visiting the website via HTTPS, then all hyperlinks and AJAX calls must go via HTTPS
It could be that your theme is not coded well and doesn't check how you came to the website. There is no setting I can suggest to you without code inspection. You can set the setting "Use Secure URLs in Frontend" to No.
You should consider moving everything over HTTPS; that way you'll solve all your issues, plus you'll get a better rank on Google:
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446
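The two answers above make two separate points: the same-origin policy treats http:// and https:// on the same host as different origins, which is why the wishlist AJAX call is blocked when the page is loaded over HTTP, and a CORS allow-list should name specific origins rather than "*". The script below is an added example (not code from the thread, the theme, or Magento) that demonstrates both: it computes a URL's origin the way a browser does, rewrites an AJAX URL to the scheme the visitor arrived with, and builds CORS response headers that echo only allow-listed origins. The store origins in ALLOWED_ORIGINS and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple a browser uses as the origin.

    Default ports are filled in so that https://shop.example and
    https://shop.example:443 compare equal; path and query are ignored.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_same_origin(page_url, request_url):
    """True only if scheme, host and port all match (the same-origin policy)."""
    return origin_of(page_url) == origin_of(request_url)


def same_scheme_url(page_url, target_url):
    """Rewrite target_url to use the scheme the visitor arrived with.

    Only the scheme is changed, and only when the host already matches;
    a different host stays cross-origin no matter which scheme it uses.
    """
    page, target = urlsplit(page_url), urlsplit(target_url)
    if (page.hostname or "").lower() != (target.hostname or "").lower():
        return target_url
    return urlunsplit(target._replace(scheme=page.scheme))


# Constructed allow-list of store origins (assumed values, not from the thread).
ALLOWED_ORIGINS = frozenset({"https://www.dlastore.com", "https://dlastore.com"})


def cors_headers(origin_header, allowed=ALLOWED_ORIGINS, with_credentials=True):
    """Build the CORS response headers for one request's Origin header.

    The origin is echoed back only if it is on the allow-list; "*" is never
    used, because browsers refuse a wildcard on credentialed (cookie-bearing)
    requests and because it would let any site read the response.
    Returns {} for an unknown or missing Origin, so the browser blocks the read.
    """
    if not origin_header:
        return {}
    allowed_triples = {origin_of(o) for o in allowed}
    if origin_of(origin_header) not in allowed_triples:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin_header,
        "Vary": "Origin",  # keep caches from serving this answer to other origins
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed URLs modelled on the thread's failing wishlist request.
    page = "http://www.dlastore.com/e_store/some-product.html"
    ajax = "https://www.dlastore.com/e_store/ajaxwishlist/index/add/product/4505/"
    print("same origin:", is_same_origin(page, ajax))  # False: http vs https
    print("fixed url:  ", same_scheme_url(page, ajax))
    print("cors for http origin: ", cors_headers("http://www.dlastore.com"))
    print("cors for https origin:", cors_headers("https://www.dlastore.com"))
```

Running the script shows the HTTP page and HTTPS AJAX endpoint are not the same origin even though the host is identical, which is exactly the condition the Firebug message reports; the same_scheme_url helper is the check a theme should make before emitting the wishlist URL. The cors_headers function shows the allow-list alternative to the wildcard: an origin that is not listed gets no Access-Control-Allow-Origin header at all, and a listed origin gets its own value echoed back with Vary: Origin so a cached response is never reused for a different origin.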