Making the "Finished!" page non ssl

[♥akmac]

HI all,

I've removed anything on the "Finished" page (the one customers see when they complete the checkout process) that would require ssl, so I'm wondering how I would go about changing things so that my customers don't get an ssl warning when they click the continue button.

 

My instinct is to modify this link on the preceding page:

 

<?php
 if (isset($$payment->form_action_url)) {
   $form_action_url = $$payment->form_action_url;
 } else {
   $form_action_url = tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL');
 }
 echo tep_draw_form('checkout_confirmation', $form_action_url, 'post');
 if (is_array($payment_modules->modules)) {
   echo $payment_modules->process_button();
 }
 echo tep_image_submit('button_confirm_order.gif', IMAGE_BUTTON_CONFIRM_ORDER) . '</form>' . "\n";
?>

 

To this: (just removed the SSL on line 5)

 

<?php
 if (isset($$payment->form_action_url)) {
   $form_action_url = $$payment->form_action_url;
 } else {
   $form_action_url = tep_href_link(FILENAME_CHECKOUT_PROCESS'');
 }
 echo tep_draw_form('checkout_confirmation', $form_action_url, 'post');
 if (is_array($payment_modules->modules)) {
   echo $payment_modules->process_button();
 }
 echo tep_image_submit('button_confirm_order.gif', IMAGE_BUTTON_CONFIRM_ORDER) . '</form>' . "\n";
?>

 

But for some reason, this solution makes alarms go off in my head. Obviously, I don't want the order to be sent outside of ssl. How would I do this correctly?

[FalseDawn]

The short answer is that you can't. Sorry.

The problem is the submit button, which sends POST data.

 

Most browsers will warn if a POSTed form is redirected from a SSL to a non SSL URL (and with good reason). You can't change this as it's a browser thing.

 

Leave the success page secure.

[♥akmac]

What about editing the link from the success page? Can I change that so it doesn't return an ssl warning?

[♥akmac]

What about editing the link from the success page?  Can I change that so it doesn't return an ssl warning?

<{POST_SNAPBACK}>

Figured it out. I just point the 'Continue' button on my "Finished!" page to https://www.mysite.com so there is no secure form error. Sure, it loads the page in ssl which is unnecessary, but it's better then a glaring security warning. If the customer then needs to browse anymore, the first link they click will convert them back to regular http.

 

If you see a problem with this solution, please post it!

[boxtel]

Figured it out.  I just point the 'Continue' button on my "Finished!" page to https://www.mysite.com so there is no secure form error.  Sure, it loads the page in ssl which is unnecessary, but it's better then a glaring security warning.  If the customer then needs to browse anymore, the first link they click will convert them back to regular http.

 

If you see a problem with this solution, please post it!

<{POST_SNAPBACK}>

 

if you take off the notification stuff, you can make the form NONSSL and redirect NONSSL to your index page. The order has already been processed SSL prior to the success page. The only reason for that page to be SSL is the sending of the notfications.

[♥akmac]

if you take off the notification stuff, you can make the form NONSSL and redirect NONSSL to your index page. The order has already been processed SSL prior to the success page. The only reason for that page to be SSL is the sending of the notfications.

<{POST_SNAPBACK}>

Yes, I implemented your version of the "Finished" page. How would I do what you suggest?

[boxtel]

Yes, I implemented your version of the "Finished" page.  How would I do what you suggest?

<{POST_SNAPBACK}>

 

lose the form and let the button redirect to http://