Secure and nonsecure items alert

[livefooduk]

My website is http://www.livefood.co.uk and my ssl site is https://sslrelay.com/livefood.co.uk

When I go to log in or purchase it takes me to the secure site but in IE5 it tells me that the page contains both secure and insecure items, if I choose not to show the insecure items the page will not load at all, and obviously if I choose to show the insecure items then there is no padlock symbol. In IE 6 it does not even ask if I want to display the insecure items, it just loads up the page but there is no padlock symbol.

 

If I make define ('HTTP_SERVER', 'https://sslrelay.com.livefood.co.uk'); and define ('HTTPS_SERVER', 'https://sslrelay.com/livefood.co.uk');

Then it all works fine except that sslrelay.com can be painfully slow on occasions and is therefore not suitable to run the whole shop through.

Any ideas

 

I have seen a bug fix that sugested

 

 

The culprit is the "getenv('HTTPS')" for the

 

<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">

 

on all the various pages. Apparently if you use the sapi/isapi php module for apache OR IIS, then the getenv() function does not work. I found this out with my dealings with displaying the parse times on the bottom of the page.

 

Simply do a search for

getenv('HTTPS')

and replace with

$_SERVER["HTTPS"]

That didn't work :(

And another that sugested

A other solution is (from the german forum):

replace the base href om all pages with:

base href="<?php echo (ereg('^https', $SCRIPT_URI) ? HTTPS_SERVER :

HTTP_SERVER) . DIR_WS_CATALOG; ?>"

That didn't work :(

And finally

I added the code below, so my images would show from [http and https] addresses:

 

Location: catalog/includes/configure.php

 

-------------------------

 

/*

$Id: configure.php,v 1.12 2002/06/16 22:11:53 harley_vb Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2002 osCommerce

 

Released under the GNU General Public License

*/

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers

define('HTTPS_SERVER', 'https://www.yourdomain.com');

define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');

define('HTTPS_CATALOG_SERVER', 'https://www.yourdomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('ENABLE_SSL', 'true'); // secure webserver for catalog

define('DIR_FS_DOCUMENT_ROOT', 'http://www.yourdomain.com'); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)

 

--------------------------

:tellme:

[GD]

This is madding! :evil:

 

I have the same problems using the code from the above post, some of it is mine. :oops:

 

I've also tried:

 

/*

$Id: configure.php,v 1.12 2002/06/16 22:11:53 harley_vb Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2002 osCommerce

 

Released under the GNU General Public License

*/

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers

define('HTTPS_SERVER', 'https://www.yourdomain.com');

define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');

define('HTTPS_CATALOG_SERVER', 'https://www.yourdomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('ENABLE_SSL', 'true'); // secure webserver for catalog

define('DIR_FS_DOCUMENT_ROOT', '/home/username/public_html'); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)

 

---------------------------

 

The above code "works" a okay for my admin section, which shows the gold lock!? I cannot figure out why it gives this error message in I.E. 6.x http://holland2k.tripod.com/ssl_probs.html#SM1 and DOES NOT show the gold lock on secure pages! I stopped this warning message http://holland2k.tripod.com/ssl_probs.html#SM2 by changing this setting http://holland2k.tripod.com/ssl_probs.html#SM3 I do not receive any warning or messages when testing with NS 6.x.

 

I've seen many osC-based sites secured by SSL and when visiting them I do not receive these warnings, and their sites show the gold lock.

 

I've been trying to get my site going for over a year now and now the store will "warn" potential customers away from trusting my site, because of these messages! :cry:

 

-------------------------

 

PLEASE, pretty-please with sugar on top, SOMEONE, what is the answer to this riddle :?: :?: :?:

 

-------------------------

 

I using an Up-to-date with the CVS, osC snapshot-09_27_2002.

 

Here's my Web host's server info, if it helps:

Server OS: Linux 2.4.7-10 Database: MySQL 3.23.53a

HTTP Server: Apache/1.3.26 (Unix) mod_log_bytes/0.3 mod_bwlimited/1.0 PHP/4.2.2 FrontPage/5.0.2.2510 mod_ssl/2.8.9 OpenSSL/0.9.6b

PHP Version: 4.2.2 (Zend: 1.2.0)

[livefooduk]

I am even more depressed now :cry: because I thought you had the answer and I had got it wrong. I presume (from your earlier post) it only works on your admin pages because you have defined both ('HTTP_SERVER' and ('HTTPS_SERVER' as your secure site in your admin configure.php. It works fine for me if I do that but I can't run the whole shop through the ssl server as it is too slow.

[Ajeh]

See thread:

 

http://www.oscommerce.com/forums/viewtopic.php?t=25902

[livefooduk]

Just been reading it with great interest and hope :D but it has not made any difference :cry:

[Ajeh]

There are two error msg settings.

 

1 Do you want to know when you go from secure to non-secure

 

2 Security Alert due to mixed secure and non-secure items

 

The first is set by you ... do you want to see this msg any more.

 

The second is set via the security levels in the browser and how the page is designed.

 

This fix corrects the second error msg. The user has to decide about the 1st error msg setting for their browser.

 

The second you now can control by not mixing secure/non-secure items together by making the changes.

[livefooduk]

Thank you for that, it is the second that I still need a fix for. I have tried all of the above fix's (including yours) and they have not worked. Have a look at my shop page

http://www.livefood.co.uk/catalog/catalog/default.php and you will see what I mean.

It is really weird because if you select not to show insecure items then the page will not load at all!

I am runing oscommerce 2.2 and here is my configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

 define('HTTP_SERVER', 'http://www.livefood.co.uk'); 

 define('HTTPS_SERVER', 'https://sslrelay.com/livefood.co.uk'); 

 define('HTTP_CATALOG_SERVER', 'http://www.livefood.co.uk');

 define('HTTPS_CATALOG_SERVER', 'https://sslrelay.com/livefood.co.uk');

 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?

 define('DIR_WS_CATALOG', '/catalog/catalog/'); // absolute path required

 define('DIR_WS_IMAGES', 'images/');

 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

 define('DIR_WS_INCLUDES', 'includes/'); // If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), this can be a URL instead of a local pathname

 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');



 define('DIR_WS_DOWNLOAD_PUBLIC', DIR_WS_CATALOG . 'pub/');

 define('DIR_FS_DOCUMENT_ROOT', '/');

 define('DIR_FS_CATALOG', '/catalog/catalog/');

 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

[Ajeh]

I do not get the Security Alert msg when I login from the default.php or when on product_info.php and hit Notify.

 

This is as good as I have been able to setup the secure/non-secure alert issues with those changes.

 

The only time I have gotten additional msgs is when I tell my browser to always tell me when switching between them rather than alert me by the settings of mixed secure and non-secure items.

[GD]

Thanks very much Ajeh,

 

I have added your code where needed, and now, I do not receive the security message http://holland2k.tripod.com/ssl_probs.html#SM2, but still no gold lock showing.

 

As for the first security message http://holland2k.tripod.com/ssl_probs.html#SM1, I think, because my SSL provider issued my SSL certificate without the www. in the domain! I am going to get them to reissue my certificate with the full www.mydomain.com address, and see if that fixes the first security message. *hopes*

 

--------------

 

Hey livefooduk,

Looking at your configure.php I see that you haven't defined your document root "path". That may be the problem?

 

Yours:

define('DIR_FS_DOCUMENT_ROOT', '/');

 

Example:

define('DIR_FS_DOCUMENT_ROOT', '/home/username/public_html'); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)

 

I presume (from your earlier post) it only works on your admin pages because you have defined both ('HTTP_SERVER' and ('HTTPS_SERVER' as your secure site in your admin configure.php. It works fine for me if I do that but I can't run the whole shop through the ssl server as it is too slow.

 

Yes my admin is under full SSL, but I would never attempt to run the store under full SSL, you are correct, I think that would make the site VERY slow. :crazy:

[livefooduk]

I do not get the Security Alert msg when I login from the default.php or when on product_info.php and hit Notify.

 

This is as good as I have been able to setup the secure/non-secure alert issues with those changes.

 

The only time I have gotten additional msgs is when I tell my browser to always tell me when switching between them rather than alert me by the settings of mixed secure and non-secure items.

You don't get the security alert (secure and unsecure items) In IE6 but you still get it in IE5 but that is besides the point. What I am trying to say is that there is no padlock symbol showing both at login and checkout, that can not be right :?: How am I to convince my customers that they are on a secure connection if there is no padlock? and why does the page not load at all if I select not to show the insecure items?

 

Thanks GD, but it makes no difference I had define('DIR_FS_DOCUMENT_ROOT', '/homepages/...../......../htdocs/') before and have now changed it back but it is just the same as define('DIR_FS_DOCUMENT_ROOT', '/')

[livefooduk]

This can't be "as good as it gets" surely there must be some way to make the script pull the images from the https address when on an https page, they are all on the same server after all

eg http://www.livefood.co.uk/catalog/catalog/.../oscommerce.gif is exactly the same file as https://sslrelay.com/livefood.co.uk/catalog.../oscommerce.gif but now i get that nice padlock symbol in the bottom right had corner that tells my customers it is safe to give their credit card details

[GD]

I'm in the same boat with livefooduk on this point: :eh:

 

livefooduk

What I am trying to say is that there is no padlock symbol showing both at login and checkout, that can not be right How am I to convince my customers that they are on a secure connection if there is no padlock?

 

I can see the gold lock on secure pages when visiting some of the showcase shops, so someone must have the fix for this :?: :!: :?:

[livefooduk]

I think the situation is that it only works if the URL's are the same for both http and https ie http://www.yoursite.com and https://www.yoursite.com and it does not work if it is http://www.yoursite.com and https://secure.yoursite.com please some one correct me if that is not the case.

[livefooduk]

:D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D

I don't believe the answer could be this simple but this works!!!!!!!!

All you need to do is delete the line <base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>"> from all the pages that are ssl and it works

I am going to do a bit of testing on it with a few different browsers then I can start building my new store

:D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D

[Ajeh]

Almost sounds like instead of deleting those setting you need to see why the settings are not correct for the layout.

 

Could just be a tweak to the configure.php files.

[livefooduk]

Well I would if I knew anything about php programing, this is what me and GD have been trying to figure out.

[FloydFanatic]

.

Hello,

 

I've been following posts regarding this issue (insecurely tranmitted images on secure pages) for a while now.

 

I have tried many other people's suggestions though so far, including Ajeh's from another thread which somebody said worked for them, but nothing has worked for me thus far. It looks like livefooduk found a solution that he says works (above with all the happy faces), but I have not yet tried this one myself.

 

I would like to know if this is a "proper" solution, but unfortuanately, I lack the expertise and familiarity with the project to figure this out, so it would be greatly appreciated if someone who is "in the know" could take a look at this and provide some insight.

 

Thanks!

.

[livefooduk]

I am glad to know I am not on my own FloydFanatic, I feel like I have been on the dark side of the moon with this one :)

Any way I have made a bit of an improvement with my earlier sugestion, instead of deleting the whole line change it to read

<base href="<?php echo 'https://secure.yoursite.co.uk/' . DIR_WS_CATALOG; ?>"> on all the pages that should be ssl and also on default.php, shopping_cart.php and checkout_success.php or you will get the warning after you have been to the secure pages and return to the insecure part of the site. :D

[GD]

Well I'm glad to see that you are having better luck than I am livefooduk, but I still cannot "load" a gold lock icon on my secure "catalog" pages.

 

My secure "catalog" pages have the correct https:// address, and when transfering to a secure page the "gold lock" *shows for a split-second* then is gone!?

 

My SSL certificate provider suggested that:

 

"The gold lock disappears normally, because the HTML is referencing secure and non-secure items within the same page."

 

I do not understand this statement, because osC adds the http:// or https:// base address for each page, so when a page shows under SSL the address for all the parts are created, for example:

 

images/whatever.gif link is changed to a https://www.somedomain.com/catalog/images/whatever.gif link, right :?:

 

I've tried *all* the *suggestions/answers* from the old and new forums with no luck.

 

I really like osC, and think it is a shame that I cannot get the "catalog" to work with SSL. I have no problems at all with the "admin" working under SSL. :huh:

 

This is a sad circumstance. I am seriously thinking of going back to my old e-commerce ways, and dropping the whole php-based approach all together. At least my *name*.CGI-based cart worked under SSL.

 

I hate it when I'm in a rut, but on this issue I'm in a cavern! :evil:

GD

[FloydFanatic]

.

livefooduk,

 

Thanks for the info, i haven't had a chance to try it yet as I'm now stuck behind a new wall, being a hard drive crash to recover from... :cry:

 

Looking at your suggestion though, wouldn't making that change to default.php result in an SSL connection as soon as somebody comes to the site? As I said, I haven't been able to actually look at it yet, so I'm just going by memory of how things work.

 

I still think there much be a better solution than this though... Was osCommerce intentionally designed this way with the thinking that images need not be done via SSL? It's not at all realistic to expect everyday shoppers to understand this concept, they just want to see the solid lock icon, and I'm happy to give it to them even if it requires a little more CPU to deliver the images in SSL too. It seems to me that there should be a simple change of a variable somewhere, that would fix everything, I'd really like to hear from some of the developers on this... :?

 

Anyhow, I'm going to try and get on here and keep up with the discussion, but I won't be able to do any real testing until I've dealt with my other more immediate problems; tear down the wall! :wink: ttyl

.

[GD]

I found the answer to why *my* secure pages were NOT showing the gold lock, even though the page was secure https://.

 

///////////////////////////

 

I had to remove, one-by-one, then test pages, unfortunately :cry: ...

 

-------------------------

 

*All* the extra meta tags:

 

<meta name="author" content="Mydomain.com">

<meta name="copyright" content="Copyright 2002, Mydomain.com">

<meta name="description" content="">

<meta name="distribution" content="">

<meta name="keywords" content="">

<meta name="rating" content="">

<meta name="revisit-after" content="">

<meta name="robots" content="NOINDEX,NOFOLLOW">

<meta name="MSSmartTagsPreventParsing" content="TRUE">

<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link rel="SHORTCUT ICON" href="http://www.mydomain.com/favicon.ico">

 

----------------------

 

And links like:

 

<SCRIPT language=JavaScript src="http://www.mydomain.com/catalog/stylesheet.js" type=text/javascript></SCRIPT>

I was using this to direct NS to it's own version of the stylesheet.

 

-----------------------

 

And code like:

 

In the head section.

 

<script>

 

var popupWindowX = (screen.width/2)-200;

var popupWindowY = (screen.height/2)-200;

var pos = "left="+popupWindowX+",top="+popupWindowY;

 

function popupWindow(){

popupWindowWindow = window.open("http://www.mydomain.com/folder/filename.php","pop","scrollbars=yes,resizable=yes,width=440,height=500,"+pos);

}

 

</script>

 

In the body section of a box.

 

<a href="java script:doPopUp()"><img border="0" src="https://www.mydomain.com/folder/images/name.gif" width="100" height="100" alt=""></a>

 

-----------------------

 

After I did this, the gold lock loaded in I.E. 6.x and NS 6.x.

I do not know why this was a problem, but I am glade that now my site shows the gold lock on it's secure pages!

 

Yippee! :biggrin: :biggrin: :biggrin:

 

Good luck you guys :thumbsup: , I'm on to other problems :!:

[livefooduk]

Well done mate :) It's great when you finally get it cracked. I will give that a try when I have got a bit more spare time but for now I think I will just wait for a stable release of 2.2 before I do much more to it. I really like the oscommerce shop though so it's got to be worth persevering with it.

[livefooduk]

You have prompted me to do a bit more thinking :idea: on this and I have found somthing amazing :shock:

To get it to pull the images from the ssl server while on an ssl page I have found that it also works if I change the line on all the pages that should be ssl from

<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">

to

<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTP_SERVER : HTTPS_SERVER) . DIR_WS_CATALOG; ?>">

(Just swaping HTTPS_SERVER with HTTP_SERVER) but only on the ssl pages or it pulls all the images through the ssl server even when not on an ssl page.

I am sooooo happy I could sing :D this seems like a "good" solution but why this should work I don't know

[GD]

Well I'm glade to hear, that you found a *fix* for your site livefooduk. I feel your pain! :D

 

I've racked my brain trying for days trying to figure out the *whys*, but I'm just happy the code is working now.

 

Good luck with your site! 8)

GD

[sabotage79]

I dunno.. I tried the above switch, and although it took out the message poping up, it removed my secure Lock....