
Secure and nonsecure items alert


livefooduk


Posted

I was having similar problems.

 

I solved it by making sure that all image files that are used in the header.php, footer.php and column_left and column_right were being called with a short path (/images/image.jpg) rather than a full path (http://server.com/images/image.jpg).

 

This solved it for me. I have the lock and no insecure images.

 

Best, Ted

 

I also had to take out a banner that I had on my right column that was calling an image from another server.

Posted

Hi there! Thanks for your helpful reply. Did you use any of the code offered to solve the problem, or did you simply edit your image paths?

 

I will try your suggestion to remove the popup about secure/nonsecure message!

Posted

No, I didn't use any of the code offered here. I solved it doing just as I wrote.

 

Furthermore, my SSL server is a different domain from my shop.

 

Best, Ted

 

PS. I solved this problem before I read this thread. I just wanted to be sure my method was heard. It might help some people who are still having problems even though they have done all that was recommended here.

 

Best, Ted

Posted

I am confused now, I don't have any "image paths" in any of those files

 

eg column_left.php

<?php
/*
 $Id: column_left.php,v 1.13 2002/06/16 22:08:05 harley_vb Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2002 osCommerce

 Released under the GNU General Public License
*/

 if ( (USE_CACHE == 'true') && !SID) {
   echo tep_cache_categories_box();
 } else {
   include(DIR_WS_BOXES . 'categories.php');
 }

 if ( (USE_CACHE == 'true') && !SID) {
   echo tep_cache_manufacturers_box();
 } else {
   include(DIR_WS_BOXES . 'manufacturers.php');
 }

 require(DIR_WS_BOXES . 'whats_new.php');
 require(DIR_WS_BOXES . 'search.php');
 require(DIR_WS_BOXES . 'information.php');

but the images in column_left are not from the https server (before the changes I made), do you mean to edit

require(DIR_WS_BOXES . 'whats_new.php')

to

require('catalogincludesboxeswhats_new.php');

Best wishes

Steve

Posted

Livefooduk,

 

Did the <base href... swap do anything? Does anyone have a list of which files to change?

 

Thanks,

James.

James.

 

If you are not having fun, you're not doing it right... :wink:

Posted

Yes it stopped me getting the secure and non secure alert when logging in and on the payment page. The down side is that I now get the alert when leaving the login page or after placing an order but only the first page then after that it is OK. Obviously this is not half so bad as at least I now get the padlock when entering credit card details.

Best wishes

Steve

Posted

Hi there. The reason we had image paths in those files, the left/right column is I for one am using the Box image mod. All my box headings use images instead of text/color. - I thank the original poster who recommended looking for direct links to images. I only had 1, and that was in my footer.php. Removed the direct path to /catalog/images/image.gif and that solved it! NO MORE POP UPS!

  • 4 weeks later...
Posted

Hi,

 

I have an interesting problem. I have made the edits suggested by Linda, and all is fine so long as I have 'search engine friendly url's' enabled. As soon as I turn them off, I get the alert back again at checkout confirmation!

 

I am using a snapshot from 12th Nov and have edited html_output with some search engine code for removing sid's.

 

Any ideas?

 

Val

  • 2 weeks later...
Posted

:D

For some people the scripts may work, but I realize after changing the code around like 40 times that the issue wasn't the code.

If you look at your catalog/include/header.php and have graphics in a folder outside the catalog/images then you are calling images outside of the secure folder, that means that some files are secure and others not, that makes the warning come up, that also happens with the footer or any other graphic that you add to the shopping cart.

So the solution is very easy, change the source of your pictures to the folder catalog/images and the warning should go away
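
The check several posters above did by hand (hunting for images called with a full http:// path or from another server), as an added PHP example that is not part of the original thread or of osCommerce. The function name find_insecure_subresources and the sample HTML are constructed for illustration; it also flags relative paths when the page's base href is not https.

```php
<?php
// Added example: list subresources that would load over http:// on an HTTPS page.
// find_insecure_subresources() and $sample are constructed, not osCommerce code.

function find_insecure_subresources(string $html, string $baseHref = ''): array
{
    // Tag => attribute pairs that make the browser fetch a subresource.
    // <a href> is excluded on purpose: plain links do not trigger the warning.
    $watch = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src',
        'embed' => 'src', 'link' => 'href', 'input' => 'src',
        'body' => 'background', 'td' => 'background', 'table' => 'background',
    ];
    $doc = new DOMDocument();
    @$doc->loadHTML($html);           // suppress parser warnings from legacy markup
    $findings = [];

    // A non-HTTPS <base href> turns every relative path into an http:// fetch.
    foreach ($doc->getElementsByTagName('base') as $base) {
        $baseHref = $base->getAttribute('href') ?: $baseHref;
    }
    $baseInsecure = stripos($baseHref, 'http://') === 0;

    foreach ($watch as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = trim($node->getAttribute($attr));
            if ($url === '') continue;
            $absolute = preg_match('#^[a-z][a-z0-9+.-]*:#i', $url) === 1;
            $protocolRelative = strpos($url, '//') === 0;
            if (stripos($url, 'http://') === 0) {
                $findings[] = "$tag $attr=$url (absolute http URL)";
            } elseif (!$absolute && !$protocolRelative && $baseInsecure) {
                $findings[] = "$tag $attr=$url (relative, resolved against $baseHref)";
            }
        }
    }
    return $findings;
}

// Constructed sample: a secure page with a hard-coded header image and a remote banner.
$sample = '<html><head><base href="https://shop.example/catalog/">
<link rel="stylesheet" href="stylesheet.css"></head><body>
<img src="http://shop.example/images/header.gif">
<img src="images/footer.gif">
<img src="http://ads.example/banner.gif">
<a href="http://shop.example/index.php">Home</a></body></html>';

print_r(find_insecure_subresources($sample));
```

Run it against the saved HTML of a checkout or login page rather than the PHP source, so that paths built from DIR_WS_IMAGES and the base href are already expanded.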

  • 1 month later...
Posted

Having had an enormous amount of trouble and following all the threads I could find on this subject I have come to the conclusion that...

The oscommerce scripts should not need changing.

 

The line that refers to (getenv) https in the scripts is using a server setting called "getenv"

If it has not been set by your hosts then the catalog will attempt to get the image files from http instead of https

 

Obviously if you have modified any of the pages and made references to any other http files then you will get the same problem again, just make sure you change those or better still, use the same method that osc uses to refer to them instead of standard html

Sites at

www.martial-art-shop.com

www.combatgear.co.uk

www.shop-for-gifts.co.uk

www.cbl-drinks.co.uk

www.ye-olde-ferrie-inne.co.uk

www.martialartsnews.co.uk

Posted

I tried what Linda suggested and while it did work it also made my page look terrible. It took all the color and images out and made the font huge and in blue (I have pink fonts). So I uploaded my backups and everything looks normal except I get that security pop up. I checked all my images and all are images/image.gif

So any other suggestions?

 

I have padlock and it goes to secure site but I hate that popup! I'm sure it'll scare ppl away!

  • 2 weeks later...
Posted

I had similar problems. After trying to figure out what is wrong I found out that the " getenv('HTTPS') == 'on' " was the culprit. My server didn't return any response. I was forced to find a "work around" for my problem.

 

I had to find a command that my server does recognize. I decided to use the " $HTTP_HOST " command and it works great!!! :D

 

Replace this code in application_top.php (around line 40):

 

 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

with this:

 

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

 

and the padlock will appear minus broken images! :wink:

 

Just make sure that 'HTTPS_SERVER' in configuration.php is correct!

  • 2 months later...
Posted

--

I just posted this as a new thread with the subject "suexec and SSL environment variables", however, I thought I would post it here too...

--

 

Hello,

 

I have discovered the reason many people, including myself, were having problems with images being transmitted insecurely on secure pages, leading to a browser pop-up warning message that some content is insecure.

 

The problem is that SSL environment variables do not work through suexec, which is what many ISP's (including the one I run) use to safely allow users to upload and execute their own scripts, such as osCommerce.

 

This issue comes up in three places that I have found so far, here are the locations and my workarounds.

 

1. catalog/includes/application_top.php

replace: $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

with: $request_type = (getenv('HTTPS') == 'on' or getenv('SERVER_PORT') == 443) ? 'SSL' : 'NONSSL';

 

2. admin/index.php

replace: if (getenv('HTTPS') == 'on') {

with: if (getenv('HTTPS') == 'on' or getenv('SERVER_PORT') == 443) {

 

3. admin/index.php

replace: $size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

with: $size = '128-bit';

 

 

In cases 1 and 2, I was able to get the correct functionality by using the SERVER_PORT variable instead of the HTTPS variable since the SERVER_PORT variable does work through suexec, and it is an alternative way of determining if a connection is using SSL (over the standard port).

 

In case 3, I had no good workaround available, and simply hard coded the keysize to 128-bit. With suexec, the SSL_CIPHER_ALGKEYSIZE variable does not work, therefore, there is no way to determine the keysize.

 

In the future, this problem will go away. According to the changelog for Apache, located at http://www.apache.org/dist/httpd/CHANGES_2.0, suexec will correctly pass SSL environment variables as of version 2.0.32. Here is the note:

 

--------

*) suexec: Allow HTTPS and SSL_* environment variables to be passed

through to CGI scripts. PR 9163

[brian Reid <[email protected]>,

Zvi Har'El <[email protected]>]

--------

 

Considering the fact that many people running osCommerce will be running it on a shared server which likely has suexec enabled, and a widespread upgrade to Apache 2.0.x is probably a year or two away, I feel that it is important to find a solution to make osCommerce work correctly despite not being able to read SSL environment variables. Since there doesn't seem to be a great deal of dependence on these variables, I believe it can be done without too much difficulty.

 

- Robert

  • 10 months later...
Posted

Thanks floyd. I was having this problem with one of my client's websites and your solution fixed it.

  • 2 months later...
Posted

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)
define('HTTP_SERVER', 'http://cdmotorsports.net/catalog/'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTP_CATALOG_SERVER', '');
define('HTTPS_CATALOG_SERVER', '');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
define('DIR_WS_IMAGES', 'https://cdmotorsports.net/catalog/images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'https://cdmotorsports.net/catalog/images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'https://cdmotorsports.net/catalog/images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://cdmotorsports.net/catalog/'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://cdmotorsports.net/catalog/'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '');
define('DIR_WS_HTTPS_CATALOG', '');
define('DIR_WS_IMAGES', 'https://cdmotorsports.net/catalog/images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'https://cdmotorsports.net/catalog/icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

 

This got rid of the secure non secure pop up

  • 2 months later...
Posted

I had the problem of no gold lock on my secure pages, but resolved it by replacing all instances of

getenv('HTTPS') == 'on'

with

getenv('HTTPS') == '1'

which I found in the following files.

/includes/application_top.php

/includes/functions/general.php

 

Any other files that contain the same code should almost certainly be changed as well.

 

Basically php version 4.3.6 onwards returns '1' instead of 'on' from the getenv('HTTPS') function, therefore anyone using a recent version of PHP will have a problem but anyone using an older version will not get this problem.

 

You can check your PHP version using admin/tools/server info.

See: http://www.oscommerce.com/community/bugs,1878/status,open

  • 5 months later...
Posted

I am running on PHP 4.3.10

 

I fixed the nonsecure images and I also changed this code in application_top.php and function/general.php

 

from:

getenv('HTTPS') == 'on'

 

to:

getenv('HTTPS') == '1' or 'on'

 

I put the "or 'on'" because with just a "1" Firefox couldn't process it and it came back with errors on the page

 

Anyhow, I'm still getting the popup security box and now my gold lock is gone.

 

any ideas?

 

www.graveyardrecords.com/index.php

 

jeff
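
The request-type workarounds from the posts above (HTTPS reported as 'on' or '1', and the SERVER_PORT fallback for suexec hosts) combined into one check, next to the `== '1' or 'on'` variant to show why that form classifies every request as SSL. This is an added example, not osCommerce code or any poster's own; detect_request_type, broken_request_type and the sample environments are constructed, and it assumes TLS is served only on port 443.

```php
<?php
// Added example, not osCommerce code. Both function names are hypothetical helpers.

function detect_request_type(array $env): string
{
    // Apache/mod_ssl reports 'on'; the thread reports '1' on some PHP versions.
    $https = strtolower((string) ($env['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1') {
        return 'SSL';
    }
    // Fallback from the thread for suexec setups that strip HTTPS/SSL_* variables.
    // Assumption: TLS is served only on the standard port 443.
    if ((int) ($env['SERVER_PORT'] ?? 0) === 443) {
        return 'SSL';
    }
    // HTTP_HOST is deliberately not consulted: it is sent by the client and is
    // identical for http:// and https:// when both share one hostname.
    return 'NONSSL';
}

// "getenv('HTTPS') == '1' or 'on'" is always true: the non-empty string 'on'
// is truthy on its own, so plain HTTP requests are also treated as SSL.
function broken_request_type(array $env): string
{
    $https = $env['HTTPS'] ?? false;   // getenv() returns false when unset
    return ($https == '1' or 'on') ? 'SSL' : 'NONSSL';
}

// Constructed environments covering the cases discussed in the thread.
$cases = [
    'mod_ssl, HTTPS=on'         => ['HTTPS' => 'on',  'SERVER_PORT' => '443'],
    'HTTPS=1'                   => ['HTTPS' => '1',   'SERVER_PORT' => '443'],
    'suexec, no HTTPS variable' => ['SERVER_PORT' => '443'],
    'plain HTTP'                => ['SERVER_PORT' => '80'],
    'plain HTTP, HTTPS=off'     => ['HTTPS' => 'off', 'SERVER_PORT' => '80'],
];

foreach ($cases as $label => $env) {
    printf("%-28s fixed=%-6s broken=%s\n",
        $label, detect_request_type($env), broken_request_type($env));
}
```

In a live script the array passed in would be `$_SERVER`.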

  • 2 weeks later...
Posted

hi all

 

Just to clear things up for myself, is the only way to rid the secure/nonsecure items popup is to change the security setting in IE? None of the code modifying options is working for me.

Posted

Well, unfortunately you can't do that to the computer of everyone who visits your website - they will see the warning. There has to be either a problem with your config files, shared or full ssl settings, non-secure links on the pages, or a problem with your hosting setup.

 

Vger

hi all

 

Just  to clear things up for myself, is the only way to rid the secure/nonsecure items popup is to change the security setting in IE? None of the code modifying options is working for me.

Posted

Thanks, I am aware of that. Looking through the code, osc sets the $request_type variable in

catalog/includes/application_top.php

by

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

since my apache HTTPS environment variable is set to on, $request_type will always be = SSL.

Now looking at

catalog/index.php

the following line of code sets the base href tag to always be https://www........

<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">

as my HTTP_SERVER variable is set to http://www.openware.com.au and HTTPS_SERVER variable is set to https://www.openware.com.au in the catalog/includes/configure.php file. What I don't understand is then why do the links in the page still begin with http:// and not https:// as the links set by osc use relative paths and not absolute paths.

 

Thanks

 

Well, unfortunately you can't do that to the computer of everyone who visits your website - they will see the warning.  There has to be either a problem with your config files, shared or full ssl settings, non-secure links on the pages, or a problem with your hosting setup.

 

Vger

  • 4 weeks later...
Posted
Hi there. The reason we had image paths in those files, the left/right column is I for one am using the Box image mod. All my box headings use images instead of text/color. - I thank the original poster who recommended looking for direct links to images. I only had 1, and that was in my footer.php. Removed the direct path to /catalog/images/image.gif and that solved it! NO MORE POP UPS!

 

 

Hi,

 

Can you please provide a sample of what you did? This is killing me, please help :-)

 

Thanks

Archived

This topic is now archived and is closed to further replies.
