
osCommerce

The e-commerce.

SSL - Alert about both secure & non-secure items


cobyone


Hi There,

 

I thank anyone in advance who can offer me assistance with this issue.

I've coded many OSC stores, but this is the first time I've been asked to set up SSL myself and I can't seem to get things right.

 

Problem:

Navigating non-secure pages on the site is working fine (home, about us, viewing products etc). Upon clicking onto secure pages (checkout, login etc) it displays the page fine, but sends the familiar alerts:

 

FF: You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party.

IE: This page contains both secure and nonsecure items.

 

Both of which will send customers running.

 

The first lines of my /includes/configure.php look like this (/includes/admin/configure.php is configured correctly too)

  define('HTTP_SERVER', 'http://www.wholesaletoner.com.au');
 define('HTTPS_SERVER', 'https://www.wholesaletoner.com.au');
 define('ENABLE_SSL', true);
 define('HTTP_COOKIE_DOMAIN', 'www.wholesaletoner.com.au');
 define('HTTPS_COOKIE_DOMAIN', 'www.wholesaletoner.com.au');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');

 

And the $request_type section of my /includes/application_top.php looks like this. (I've tried both alternative ways listed below too)

// set the type of request (secure or not)
$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL'; // ORIGINAL
//$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';	//ALT1
//$request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL';		//ALT2

 

Things I've already tried to look at:

  • No images are hard coded with http://
  • The <base> tag is being set correctly.
  • All stylesheets and javascript are linked relatively (i.e. src="./stylesheet.css").

 

The source code of the secure pages (e.g. login.php) does contain lots of 'href="http://' links, but these are linking back to the non-secure sections of the site, and thus shouldn't need to be changed (unless my understanding of the way this works is incorrect, which it very well may be).

 

Without changing the site so that EVERYTHING uses https:// (even the pages that don't require it), can anyone suggest anything that might help get rid of these SSL alerts?

 

This site is an upgrade to an existing live site - there is currently no domain name pointing to the upgraded site. If anyone cares to have a look at the site to assist further (which would be greatly appreciated) you'll just need to make a quick addition to your hosts file:

#used for previewing WTA site
117.55.237.114	wholesaletoner.com.au
117.55.237.114	www.wholesaletoner.com.au

 

Thanks in advance for any assistance.

 

Cheers,

Coby.

Link to comment
Share on other sites


I am currently trying to solve the exact same problem and my search led me to this post. Again, nothing is hardcoded that I can see - does anyone have an idea where to start?

Link to comment
Share on other sites

Look at the HTML source,

 

Look for images or scripts from HTTP sources.

 

HTTP links to images in the stylesheet will also cause this.

 

If you can't find it PM me your URL and I'll take a crack at it if you want,

;)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites


I have just setup my site and have the same issue. This is a standard install, so does the standard install have links to unsecured pages, outside the catalog?

 

Also, if I change the following line

 

define('HTTP_SERVER', 'http://www.abcdef.com');

 

to

 

define('HTTP_SERVER', 'https://www.abcdef.com');

 

it works fine. I assume that secures the whole site.

Since this works, is there anything wrong with that? I know it is not quite the way it should work, but I do not want to change a lot of code on a standard install.

Link to comment
Share on other sites

LINKS do not cause the problem.

 

It's when you load scripts or images from HTTP sources on HTTPS pages.

 

Running the whole site in SSL is not a good idea (IMHO).

 

This can also happen on osC if the code isn't picking up the cue from the server that SSL is active. If this happens none of the images show in SSL mode.


Link to comment
Share on other sites

Hi Jim, and thanks for your reply. Because the site doesn't currently have a domain delegated to it, I can't send you the URL to check it out unless you add a couple of lines to your hosts file.

What I'll do is PM you the resulting source code for what will be https://<mystore>/login.php

I've looked through it, and the only http:// (non SSL) references are href parameters in anchor tags - maybe you can spot something I've missed or (more likely) you know more about SSL than I do and will spot why it's giving me grief.

 

Thanks again for your willingness to help =)

Link to comment
Share on other sites

First, I would like to thank you for the reply to this thread.

 

2nd, I am not a php/web programmer so my terminology may not be always correct. That being said, I have a couple questions:

 

Why would it not be a good idea to run SSL on the whole site? I take your word for it, but I am curious as well. For example, when I log into Fidelity.com, I “think” all pages are HTTPS.

 

If I understand what you are saying, a SSL page is pulling images or scripts from non secure sites. Since this is a standard install, I have not changed the code so I am not sure how that could be unless there is a bug in the code.

 

Above I mentioned that if I change that one line so that all the pages are SSL, the padlock shows up just fine. Would that not imply the cert is working correctly?

 

In your response you said

 

”This can also happen on osC if the code isn't picking up the cue from the server that SSL is active. If this happens none of the images show in SSL mode.”

 

Any idea if that is happening how I could check and correct?

 

A couple other comments. I am testing this on both IE and Firefox. Same results.

 

Again, thanks for your reply

Link to comment
Share on other sites


Look at this:

 

How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straightforward instructions

 

If you still can't get it to work post again.


Link to comment
Share on other sites


When you get a domain delegated to it let me know if you still have problems.

 

Until then I'm not screwing with it because the whole problem might be only because you have no domain delegated to it.


Link to comment
Share on other sites


Hi germ, thanks for the reply. The instructions link you posted are the ones I used, which makes it all the more frustrating. I have played around with adding "/" at the end of those http links as well but to no avail.

 

I have tried

 

define('HTTP_SERVER', 'https://subdomain.maindomain.com/'); THIS WORKS but is not desired

define('HTTPS_SERVER', 'https://subdomain.maindomain.com.com/');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'subdomain.maindomain.com');

define('HTTPS_COOKIE_DOMAIN', 'subdomain.maindomain.com');

 

 

 

define('HTTP_SERVER', 'http://subdomain.maindomain.com/');

define('HTTPS_SERVER', 'https://subdomain.maindomain.com.com/');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'subdomain.maindomain.com/');

define('HTTPS_COOKIE_DOMAIN', 'subdomain.maindomain.com/');

 

define('HTTP_SERVER', 'http://subdomain.maindomain.com');

define('HTTPS_SERVER', 'https://subdomain.maindomain.com.com');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'subdomain.maindomain.com');

define('HTTPS_COOKIE_DOMAIN', 'subdomain.maindomain.com');

 

When I go to the secure page using Firefox, I can see the padlock flash ever so briefly without the red mark, but the red mark then stays there just staring at me.

:(

Link to comment
Share on other sites

I've never tried to get it to work on a subdomain, so I haven't a clue


Link to comment
Share on other sites


The hosting server sees that in my browser the correct domain name has been typed in, and the hosting server doesn't see the difference whether it got found because of worldwide propagation or because of a local hosts file. The SSL cert is working perfectly for the domain even though it's just being found (on my end) from a hosts file. I understand that you'd rather not suggest anything because there may be other factors at play (like not having the DNS propagated worldwide yet) because I've been in your situation many times for other issues elsewhere.

I would, however, greatly appreciate it if you could presume for two minutes that DNS is not the issue. If there is nothing in the code I sent you that you can point out, I'll gladly wait until the domain gets transferred to the new site before I try and resolve anything further. But if it is just a case of me changing a small piece of obvious code, you'd be helping me out a great deal.

Link to comment
Share on other sites

I think I found the problem in widget02.css

 

background:url(http://s7.addthis.com/static/t00/mini.gif)

background:url(http://s7.addthis.com/static/r04/widget02.gif)

 

Hard coded http links to images.

 

That's a SSL killer

:blush:

 



Link to comment
Share on other sites
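
The distinction made in the posts above (an http:// link is harmless, while an image, script or stylesheet `url()` loaded over http:// breaks the padlock) can be checked mechanically. The following Node.js scan is an added example, not code from any poster or from osCommerce; the `shop.example` host, file names and sample markup are constructed, and only the two AddThis image URLs come from the thread. It also covers the other case mentioned earlier, where the page's `<base>` tag points at the http:// server so that every relative image and script resolves to plain HTTP.

```javascript
// Added example: list what an HTTPS page would fetch over plain HTTP.
// Regex-based (no dependencies): a quick audit, not a full HTML parser.

// Tags whose URL attribute triggers a fetch while the page renders.
// <a href> is absent on purpose: a link is navigation, not page content.
const LOADING_ATTRS = new Map([
  ['script', 'src'], ['img', 'src'], ['iframe', 'src'], ['embed', 'src'],
  ['input', 'src'], ['source', 'src'], ['video', 'src'], ['object', 'data'],
]);

// Value of one attribute inside a single tag string, or null if absent.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] || m[2] || m[3] || '') : null;
}

// Every url(...) and quoted @import target in a piece of CSS.
function cssUrls(css) {
  const re = /url\(\s*(['"]?)([^'")]+)\1\s*\)|@import\s+(['"])([^'"]+)\3/gi;
  return Array.from(css.matchAll(re), (m) => m[2] || m[4]);
}

// pageUrl: address of the page; html: its source as served;
// stylesheets: { stylesheetUrl: cssText } for the sheets the page links.
function findMixedContent(pageUrl, html, stylesheets = {}) {
  if (new URL(pageUrl).protocol !== 'https:') return [];
  // Relative URLs resolve against <base href>, so an http:// base on an
  // https:// page turns every relative image and script into mixed content.
  const baseTag = /<base\b[^>]*>/i.exec(html);
  const baseHref = baseTag ? attr(baseTag[0], 'href') : null;
  const base = baseHref ? new URL(baseHref, pageUrl).href : pageUrl;
  const findings = [];
  const check = (raw, where, relativeTo) => {
    let u;
    try { u = new URL(raw.trim(), relativeTo); } catch (e) { return; }
    if (u.protocol === 'http:') findings.push({ where, url: u.href });
  };
  for (const m of html.matchAll(/<([a-z0-9]+)\b[^>]*>/gi)) {
    const tag = m[0];
    const name = m[1].toLowerCase();
    let a = LOADING_ATTRS.get(name);
    if (name === 'link' && /stylesheet|icon/i.test(attr(tag, 'rel') || '')) a = 'href';
    const value = a ? attr(tag, a) : null;
    if (value) check(value, '<' + name + ' ' + a + '>', base);
  }
  for (const m of html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)) {
    cssUrls(m[1]).forEach((u) => check(u, '<style> block', base));
  }
  for (const [sheetUrl, css] of Object.entries(stylesheets)) {
    const abs = new URL(sheetUrl, base).href; // url() is relative to the sheet
    cssUrls(css).forEach((u) => check(u, abs, abs));
  }
  return findings;
}

// Constructed sample: a secure login page as a store template might render it.
const PAGE = 'https://shop.example/login.php';
const samplePage = (baseHref) => `
<base href="${baseHref}">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
<a href="http://shop.example/index.php">Home</a>
<img src="images/logo.gif" alt="logo">
<script type="text/javascript" src="./js/addthis_widget.js"></script>`;
// The two absolute URLs are the ones quoted from widget02.css in the thread.
const WIDGET_CSS = { 'widget02.css': `
#at15s_foot span{background:url(http://s7.addthis.com/static/t00/mini.gif) no-repeat}
.at15t{background:url(http://s7.addthis.com/static/r04/widget02.gif) no-repeat left}
.local{background:url("images/bg.gif")}` };

// Case 1: correct base, hard-coded http:// images in a third-party stylesheet.
console.log(findMixedContent(PAGE, samplePage('https://shop.example/'), WIDGET_CSS));
// Case 2: http:// base on the secure page; the anchor is still not reported.
console.log(findMixedContent(PAGE, samplePage('http://shop.example/')));
```
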


Damn - that is one piece of CSS I totally missed. Thank you very much for pointing that out =)

Link to comment
Share on other sites

A little code snippet you can use to prevent "non-secure" items from screwing up SSL pages:

 

<?php
 if ( $request_type != 'SSL' ) {
?>

******** DELETE THIS LINE AND PUT THE NON-SECURE CODE HERE ********

<?php
 }
?>


Link to comment
Share on other sites

Hrmm... after removing the offending CSS references to hardcoded http:// sources, the error was still happening.

 

After a bit of rummaging around in the code, it turns out that the Addthis widget does more to hinder CSS than just referencing hardcoded http:// images.

 

The way I've got around my problem is just to include the addthis widget only on the non secure pages. For anyone having similar problems with addthis, or with any other offending code (that is not mission critical mind you) you can accomplish this by using the following.

 

<?php if ($request_type == 'NONSSL') { ?>
<!-- AddThis Button BEGIN -->
<script type="text/javascript">
var addthis_pub = "<insertyouraddthisaccountname>";
</script>
<a href="http://www.addthis.com/bookmark.php" onmouseover="return addthis_open(this, '', '[url]', '[TITLE]')" onmouseout="addthis_close()" onclick="return addthis_sendto()"><?php echo tep_image(DIR_WS_IMAGES . 'lg-share-en.gif', "", 125, 16); ?></a>
<script type="text/javascript" src="./js/addthis_widget.js"></script>
<!-- AddThis Button END -->
<?php } ?>

 

Thanks Jim for pointing out that it was the addthis widget causing the error, your help is greatly appreciated. I hope this helps someone else out in the future, too.

Link to comment
Share on other sites

  • 1 year later...

The video in the left column is at least part of the problem.


Link to comment
Share on other sites

Or you could do this


Link to comment
Share on other sites

  • 2 weeks later...


Hi All.

 

Had the same problem with the ADDTHIS widget. Went to the ADDTHIS website and in the help section, it stated to just change the "http:" reference to "https:"... Tried it on my template and it worked just fine! Happy coder I am now!

 

Follow the link to the ADDTHIS help section.

Link to comment
Share on other sites

If the code and files you are referencing are on your site, then they're probably available under https:. An SSL certificate usually covers an entire domain (mystore.com or www.mystore.com or store.mysite.com) -- you can get certificates that cover all subdomains (wildcard) too. In any case, simply changing http: to https: should do the trick. If the page or item you're referencing is on another site (not covered by your SSL certificate), and not covered by its own site SSL certificate (and thus accessible as https:), you have to access it with http:, and thus can't put it on your https: pages.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
