Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Making the "Finished!" page non ssl


akmac

Recommended Posts

Posted

HI all,

I've removed anything on the "Finished" page (the one customers see when they complete the checkout process) that would require ssl, so I'm wondering how I would go about changing things so that my customers don't get an ssl warning when they click the continue button.

 

My instinct is to modify this link on the preceding page:

 

<?php
 if (isset($$payment->form_action_url)) {
   $form_action_url = $$payment->form_action_url;
 } else {
   $form_action_url = tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL');
 }
 echo tep_draw_form('checkout_confirmation', $form_action_url, 'post');
 if (is_array($payment_modules->modules)) {
   echo $payment_modules->process_button();
 }
 echo tep_image_submit('button_confirm_order.gif', IMAGE_BUTTON_CONFIRM_ORDER) . '</form>' . "\n";
?>

 

To this: (just removed the SSL on line 5)

 

<?php
 if (isset($$payment->form_action_url)) {
   $form_action_url = $$payment->form_action_url;
 } else {
   $form_action_url = tep_href_link(FILENAME_CHECKOUT_PROCESS'');
 }
 echo tep_draw_form('checkout_confirmation', $form_action_url, 'post');
 if (is_array($payment_modules->modules)) {
   echo $payment_modules->process_button();
 }
 echo tep_image_submit('button_confirm_order.gif', IMAGE_BUTTON_CONFIRM_ORDER) . '</form>' . "\n";
?>

 

But for some reason, this solution makes alarms go off in my head. Obviously, I don't want the order to be sent outside of ssl. How would I do this correctly?

Quidquid latine dictum sit, profundum viditur.

Posted

The short answer is that you can't. Sorry.

The problem is the submit button, which sends POST data.

 

Most browsers will warn if a POSTed form is redirected from a SSL to a non SSL URL (and with good reason). You can't change this as it's a browser thing.

 

Leave the success page secure.

Posted

What about editing the link from the success page? Can I change that so it doesn't return an ssl warning?

Quidquid latine dictum sit, profundum viditur.

Posted
What about editing the link from the success page?  Can I change that so it doesn't return an ssl warning?

Figured it out. I just point the 'Continue' button on my "Finished!" page to https://www.mysite.com so there is no secure form error. Sure, it loads the page in ssl which is unnecessary, but it's better then a glaring security warning. If the customer then needs to browse anymore, the first link they click will convert them back to regular http.

 

If you see a problem with this solution, please post it!

Quidquid latine dictum sit, profundum viditur.

Posted
Figured it out.  I just point the 'Continue' button on my "Finished!" page to https://www.mysite.com so there is no secure form error.  Sure, it loads the page in ssl which is unnecessary, but it's better then a glaring security warning.  If the customer then needs to browse anymore, the first link they click will convert them back to regular http.

 

If you see a problem with this solution, please post it!

 

if you take off the notification stuff, you can make the form NONSSL and redirect NONSSL to your index page. The order has already been processed SSL prior to the success page. The only reason for that page to be SSL is the sending of the notfications.

Treasurer MFC

Posted
if you take off the notification stuff, you can make the form NONSSL and redirect NONSSL to your index page. The order has already been processed SSL prior to the success page. The only reason for that page to be SSL is the sending of the notfications.

Yes, I implemented your version of the "Finished" page. How would I do what you suggest?

Quidquid latine dictum sit, profundum viditur.

Posted
Yes, I implemented your version of the "Finished" page.  How would I do what you suggest?

 

lose the form and let the button redirect to http://

Treasurer MFC

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...