cobyone Posted January 14, 2009 Share Posted January 14, 2009 Hi There, I thank anyone in advance who can offer me assistance with this issue. I've coded many OSC stores, but this is the first time I've been asked to set up SSL myself and I can't seem to get things right. Problem: Navigating non-secure pages on the site is working fine (home, about us, viewing products etc). Upon clicking onto secure pages (checkout, login etc) it displays the page fine, but send the familiar alerts: FF: You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party. IE: This page contains both secure and nonsecure items. Both of which will send customers running. The first lines of my /includes/configure.php look like this (/includes/admin/configure.php is configured correctly too) define('HTTP_SERVER', 'http://www.wholesaletoner.com.au'); define('HTTPS_SERVER', 'https://www.wholesaletoner.com.au'); define('ENABLE_SSL', true); define('HTTP_COOKIE_DOMAIN', 'www.wholesaletoner.com.au'); define('HTTPS_COOKIE_DOMAIN', 'www.wholesaletoner.com.au'); define('HTTP_COOKIE_PATH', '/'); define('HTTPS_COOKIE_PATH', '/'); And the $request_type section of my /includes/application_top.php look like this. (I've tried both alternative ways listed below too) // set the type of request (secure or not) $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL'; // ORIGINAL //$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL'; //ALT1 //$request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL'; //ALT2 Things I've already tried to look at: No images are hard coded with http:// The <base> tag is being set correctly. All stylesheets and javascript are linked relatively (i.e. src="./stylesheet.css"). The source code of the secure pages (e.g. login.php) does contain lots of 'href="http://' links, but these are linking back to the non-secure sections of the site, and thus shouldn't need to be changed (unless my understanding of the way this works is incorrect, which it very well may be). Without changing the site so that EVERYTHING uses https:// (even the pages that don't require it), can anyone suggest anything that might help get rid of these SSL alerts? This site is an upgrade to an existing live site - there is currently no domain name pointing to the upgraded site. If anyone cares to have a look at the site to assist further (which would be greatly appreciated) you'll just need to make a quick addition to your hosts file: #used for previewing WTA site 117.55.237.114 wholesaletoner.com.au 117.55.237.114 www.wholesaletoner.com.au Thanks in advance for any assistance. Cheers, Coby. Link to comment Share on other sites More sharing options...
edgy Posted January 19, 2009 Share Posted January 19, 2009 Problem:Navigating non-secure pages on the site is working fine (home, about us, viewing products etc). Upon clicking onto secure pages (checkout, login etc) it displays the page fine, but send the familiar alerts: FF: You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party. IE: This page contains both secure and nonsecure items. Both of which will send customers running. I am currently trying to solve the exact same problem and my search led me to this post. Again, nothing is hardcoded that I can see - does anyone have an idea where to start? Link to comment Share on other sites More sharing options...
germ Posted January 19, 2009 Share Posted January 19, 2009 Look at the HTML source, Look for images or scripts from HTTP sources. HTTP links to images in the stylesheet will also cause this. If you can't find it PM me your URL and I'll take a crack at it if you want, ;) If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
mountainviewcoins Posted January 19, 2009 Share Posted January 19, 2009 Look at the HTML source, Look for images or scripts from HTTP sources. HTTP links to images in the stylesheet will also cause this. If you can't find it PM me your URL and I'll take a crack at it if you want, ;) I have just setup my site and have the same issue. This is a standard install, so does the standard install have links to unsecured pages, outside the catalog? Also, if I change the following line define('HTTP_SERVER', 'http://www.abcdef.com'); to define('HTTP_SERVER', 'https://www.abcdef.com'); it works fine. I assume that secures the whole site. Since this works, is there anything wrong with that? I know if it not quite the way it should work, but I do not want to change a log of code on a standard install. Link to comment Share on other sites More sharing options...
germ Posted January 19, 2009 Share Posted January 19, 2009 LINKS do not cause the problem. It's when you load scripts or images from HTTP sources on HTTPS pages. Running the whole site in SSL is not a good idea (IMHO). This can also happen on osC if the code isn't picking up the cue from the server that SSL is active. If this happens none of the images show in SSL mode. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
cobyone Posted January 19, 2009 Author Share Posted January 19, 2009 Hi Jim, and thanks for your reply. Because the site doesn't currently have a domain delegated to it, i can't send you the url to check it out unless you add a couple of lines to your hosts file. What i'll do is PM you the resulting source code for what will be https://<mystore>/login.php I've looked through it, and the only http:// (non SSL) references are href parameters in anchor tags - maybe you can spot something i've missed or (more likely) you know more about ssl than I do and will spot why it's giving me grief. Thanks again for your willingness to help =) Link to comment Share on other sites More sharing options...
mountainviewcoins Posted January 19, 2009 Share Posted January 19, 2009 First, I would like to thank you for the reply to this thread. 2nd, I am not a php/web programmer so my terminology may not be always correct. That being said, I have a couple questions: Why would it not be a good idea to run SSL on the whole site? I take your word for it, but I am curious as well. For example, when I log into Fidelity.com, I “think” all pages are HTTPS. If I understand what you are saying, a SSL page is pulling images or scripts from non secure sites. Since this is a standard install, I have not changed the code so I am not sure how that could be unless there is a bug in the code. Above I mentioned that if I change that one line so that all the pages are SSL, the padlock shoes up just fine. Would that not imply the cert is working correctly? In your response you said ”This can also happen on osC if the code isn't picking up the cue from the server that SSL is active. If this happens none of the images show in SSL mode.” Any idea if that is happening how I could check and correct? A couple other comments. I am testing this on both IE and Firefox. Same results. Again, thanks for your reply Link to comment Share on other sites More sharing options...
mountainviewcoins Posted January 19, 2009 Share Posted January 19, 2009 one additional question, does any of this matter if this is in a subdomain? I bought an SSL Cert that handles subdomains but am wondering if OScommerce is having trouble with the SSL because it is in a subdomain. Any thoughts anybody? Link to comment Share on other sites More sharing options...
germ Posted January 19, 2009 Share Posted January 19, 2009 First, I would like to thank you for the reply to this thread. 2nd, I am not a php/web programmer so my terminology may not be always correct. That being said, I have a couple questions: Why would it not be a good idea to run SSL on the whole site? I take your word for it, but I am curious as well. For example, when I log into Fidelity.com, I “think” all pages are HTTPS. If I understand what you are saying, a SSL page is pulling images or scripts from non secure sites. Since this is a standard install, I have not changed the code so I am not sure how that could be unless there is a bug in the code. Above I mentioned that if I change that one line so that all the pages are SSL, the padlock shoes up just fine. Would that not imply the cert is working correctly? In your response you said ”This can also happen on osC if the code isn't picking up the cue from the server that SSL is active. If this happens none of the images show in SSL mode.” Any idea if that is happening how I could check and correct? A couple other comments. I am testing this on both IE and Firefox. Same results. Again, thanks for your reply Look at this: How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straighforward instructions If you still can't get it to work post again. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
germ Posted January 19, 2009 Share Posted January 19, 2009 Hi Jim, and thanks for your reply. Because the site doesn't currently have a domain delegated to it, i can't send you the url to check it out unless you add a couple of lines to your hosts file. What i'll do is PM you the resulting source code for what will be https://<mystore>/login.php I've looked through it, and the only http:// (non SSL) references are href parameters in anchor tags - maybe you can spot something i've missed or (more likely) you know more about ssl than I do and will spot why it's giving me grief. Thanks again for your willingness to help =) When you get a domain delegated to it let me know if you still have problems. Until then I'm not screwing with it because the whole problem might be only because you have no domain delegated to it. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
mountainviewcoins Posted January 19, 2009 Share Posted January 19, 2009 Look at this: How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straighforward instructions If you still can't get it to work post again. Hi germ, thanks for the reply. The instructions link you posted are the ones I used, which makes it all the more frustrating. I have played around with adding "/" at the end of those http links as well but to no avail. I have tried define('HTTP_SERVER', 'https://subdomain.maindomain.com/'); THIS WORKS but is not desired define('HTTPS_SERVER', 'https://subdomain.maindomain.com.com/'); define('ENABLE_SSL', true); define('HTTP_COOKIE_DOMAIN', 'subdomain.maindomain.com'); define('HTTPS_COOKIE_DOMAIN', 'subdomain.maindomain.com'); define('HTTP_SERVER', 'http://subdomain.maindomain.com/'); define('HTTPS_SERVER', 'https://subdomain.maindomain.com.com/'); define('ENABLE_SSL', true); define('HTTP_COOKIE_DOMAIN', 'subdomain.maindomain.com/'); define('HTTPS_COOKIE_DOMAIN', 'subdomain.maindomain.com/'); define('HTTP_SERVER', 'http://subdomain.maindomain.com'); define('HTTPS_SERVER', 'https://subdomain.maindomain.com.com'); define('ENABLE_SSL', true); define('HTTP_COOKIE_DOMAIN', 'subdomain.maindomain.com'); define('HTTPS_COOKIE_DOMAIN', 'subdomain.maindomain.com'); When I go to the secure page using Firefox, I can see the padlock flash ever so brief without the red mark, but the red mark then stays there just staring at me. :( Link to comment Share on other sites More sharing options...
germ Posted January 19, 2009 Share Posted January 19, 2009 I've never tried to get it to work on a subdomain, so I haven't a clue If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
cobyone Posted January 19, 2009 Author Share Posted January 19, 2009 When you get a domain delegated to it let me know if you still have problems. Until then I'm not screwing with it because the whole problem might be only because you have no domain delegated to it. The hosting server sees that in my browser the correct domain name has been typed in, and the hosting server doesn't see the difference whether it got found because of worldwide propagation or because of a local hosts file. The SSL cert is working perfectly for the domain even though its just being found (on my end) from a hosts file. I understand that you'd rather not suggest anything because there may be other factors at play (like not having the dns propagated worldwide yet) because I've been in your situation many times for other issues elsewhere. I would, however greatly appreciate it if you could presume for a two minutes that DNS is not the issue. If there is nothing in the code I sent you that you can point out, I'll gladly wait until the domain gets transferred to the new site before I try and resolve anything further. But if it is just a case of me changing a small piece of obvious code, you'd be helping me out a great deal. Link to comment Share on other sites More sharing options...
germ Posted January 20, 2009 Share Posted January 20, 2009 I think I found the problem in widget02.css background:url(http://s7.addthis.com/static/t00/mini.gif) background:url(http://s7.addthis.com/static/r04/widget02.gif Hard coded http links to images. That's a SSL killer :blush: .at15a{border:0px;padding:0px;margin:0px;width:100%;width:230px;height:0px}#at15a1{border-bottom:1px solid #eee}#at15a2{border-top:1px solid #eee}#at15s{background:#fff!important;border:1px solid #ccc!important;padding:1px!important;margin:0px!important;float:none!important;overflow:visible!important;width:230px!important;line-height:1em!important;font-family:arial,helvetica,tahoma,verdana,sans-serif!important;font-size:12px!important;text-align:left!important;color:#666!important}#at15s_head{position:relative;background:#eee;padding:4px;cursor:default}#at15s_head_brand{position:absolute;top:4px;right:4px}#at_send{background:#eee;cursor:pointer}#at_share{padding:4px}#at_share .at_item{background:#fff!important;width:104px!important;padding:2px 3px!important;float:left!important}#at_share .at_item_hover{background:#f5f5f5!important;width:104px!important;padding:2px 3px!important;color:#000!important;float:left!important}#at15s_foot{position:relative;background:#eee;height:11px}#at15s_foot span{display:block!important;position:absolute!important;top:1px!important;right:5px!important;background:url(http://s7.addthis.com/static/t00/mini.gif) no-repeat!important;width:50px!important;height:9px!important;cursor:pointer}#at_email{padding-top:5px}.at15e_row{height:28px}.at15e_row label,.at15e_row span{padding-left:10px!important;display:block!important;width:60px!important;float:left!important}.at15e_row input,.at15e_row textarea{display:block!important;width:150px!important;float:left!important;background:#fff!important;border:1px solid #ccc!important;color:#333!important;font-size:12px!important;font-weight:normal!important;padding:0pt!important}.at15t{display:block!important;height:16px!important;line-height:16px!important;padding-left:20px!important;background:url(http://s7.addthis.com/static/r04/widget02.gif) no-repeat left;cursor:pointer}.at15t_more{background-position:0px 100px}.at15t_000{background-position:0px -0px}.at15t_aim{background-position:0px -16px}.at15t_aolfav{background-position:0px -32px}.at15t_ask{background-position:0px -48px}.at15t_backflip{background-position:0px -64px}.at15t_ballhype{background-position:0px -80px}.at15t_bebo{background-position:0px -96px}.at15t_blinklist{background-position:0px -112px}.at15t_blogmarks{background-position:0px -128px}.at15t_bluedot{background-position:0px -144px}.at15t_buzz{background-position:0px -160px}.at15t_delicious{background-position:0px -176px}.at15t_digg{background-position:0px -192px}.at15t_diigo{background-position:0px -208px}.at15t_email{background-position:0px -224px}.at15t_facebook{background-position:0px -240px}.at15t_fark{background-position:0px -256px}.at15t_favorites{background-position:0px -272px}.at15t_feedmelinks{background-position:0px -288px}.at15t_friendfeed{background-position:0px -304px}.at15t_furl{background-position:0px -320px}.at15t_google{background-position:0px -336px}.at15t_kaboodle{background-position:0px -352px}.at15t_kirtsy{background-position:0px -368px}.at15t_linkagogo{background-position:0px -384px}.at15t_linkedin{background-position:0px -400px}.at15t_live{background-position:0px -416px}.at15t_magnolia{background-position:0px -432px}.at15t_misterwong{background-position:0px -448px}.at15t_mixx{background-position:0px -464px}.at15t_multiply{background-position:0px -480px}.at15t_myspace{background-position:0px -496px}.at15t_myweb{background-position:0px -512px}.at15t_netvouz{background-position:0px -528px}.at15t_newsvine{background-position:0px -544px}.at15t_pownce{background-position:0px -560px}.at15t_propeller{background-position:0px -576px}.at15t_reddit{background-position:0px -592px}.at15t_segnalo{background-position:0px -608px}.at15t_shadows{background-position:0px -624px}.at15t_simpy{background-position:0px -640px}.at15t_skrt{background-position:0px -656px}.at15t_slashdot{background-position:0px -672px}.at15t_spurl{background-position:0px -688px}.at15t_stumbleupon{background-position:0px -704px}.at15t_stylehive{background-position:0px -720px}.at15t_tailrank{background-position:0px -736px}.at15t_technorati{background-position:0px -752px}.at15t_thisnext{background-position:0px -768px}.at15t_twitter{background-position:0px -784px}.at15t_yahoobkm{background-position:0px -800px}.at15t_yardbarker{background-position:0px -816px}.at15t_netscape{background-position:0px -576px} If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
cobyone Posted January 20, 2009 Author Share Posted January 20, 2009 I think I found the problem in widget02.css background:url(http://s7.addthis.com/static/t00/mini.gif) background:url(http://s7.addthis.com/static/r04/widget02.gif Hard coded http links to images. That's a SSL killer :blush: <snip> Damn - that is one piece of CSS I totally missed. Thank you very much for pointing that out =) Link to comment Share on other sites More sharing options...
germ Posted January 20, 2009 Share Posted January 20, 2009 A little code snippet you can use to prevent "non-secure" items from screwing up SSL pages: <?php if ( $request_type != 'SSL' ) { ?> ******** DELETE THIS LINE AND PUT THE NON-SECURE CODE HERE ******** <?php } ?> If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
cobyone Posted January 20, 2009 Author Share Posted January 20, 2009 Hrmm... after removing the offending CSS references to hardcoded http:// sources, the error was still happening. After a bit of rummaging around in the code, it turns out that the Addthis widget does more to hinder CSS than just referenceing hardcoded http:// images. The way I've got around my problem is just to include the addthis widget only on the non secure pages. For anyone having similar problems with addthis, or with any other offending code (that is not mission critical mind you) you can accomplish this by using the following. <?php if($request_type == NONSSL) { ?> <!-- AddThis Button BEGIN --> <script type="text/javascript"> var addthis_pub = "<insertyouraddthisaccountname>"; </script> <a href="http://www.addthis.com/bookmark.php" onmouseover="return addthis_open(this, '', '[url]', '[TITLE]')" onmouseout="addthis_close()" onclick="return addthis_sendto()"><?php echo tep_image(DIR_WS_IMAGES . 'lg-share-en.gif', "", 125, 16); ?></a> <script type="text/javascript" src="./js/addthis_widget.js"></script> <!-- AddThis Button END --> <?php } ?> Thanks Jim for pointing out that it was the addthis widget causing the error, your help is greatly appreciated. I hope this helps someone else out in the future, too. Link to comment Share on other sites More sharing options...
cobyone Posted January 20, 2009 Author Share Posted January 20, 2009 A little code snippet you can use to prevent "non-secure" items from screwing up SSL pages: <snip> Only saw your post after my last one - thats exactly what I did. Thanks again. Link to comment Share on other sites More sharing options...
The ANT man Posted September 29, 2010 Share Posted September 29, 2010 Hey Germ Can you please tell me whats causing the popup meesage on my website: My link many thanks Link to comment Share on other sites More sharing options...
germ Posted September 29, 2010 Share Posted September 29, 2010 The video in the left column is at least part of the problem. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
The ANT man Posted September 29, 2010 Share Posted September 29, 2010 The video in the left column is at least part of the problem. thanks germy, i shall remove it! Link to comment Share on other sites More sharing options...
germ Posted September 30, 2010 Share Posted September 30, 2010 Or you could do this If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
donnard Posted October 9, 2010 Share Posted October 9, 2010 Hrmm... after removing the offending CSS references to hardcoded http:// sources, the error was still happening. After a bit of rummaging around in the code, it turns out that the Addthis widget does more to hinder CSS than just referenceing hardcoded http:// images. The way I've got around my problem is just to include the addthis widget only on the non secure pages. For anyone having similar problems with addthis, or with any other offending code (that is not mission critical mind you) you can accomplish this by using the following. <?php if($request_type == NONSSL) { ?> <!-- AddThis Button BEGIN --> <script type="text/javascript"> var addthis_pub = "<insertyouraddthisaccountname>"; </script> <a href="http://www.addthis.com/bookmark.php" onmouseover="return addthis_open(this, '', '[url]', '[TITLE]')" onmouseout="addthis_close()" onclick="return addthis_sendto()"><?php echo tep_image(DIR_WS_IMAGES . 'lg-share-en.gif', "", 125, 16); ?></a> <script type="text/javascript" src="./js/addthis_widget.js"></script> <!-- AddThis Button END --> <?php } ?> Thanks Jim for pointing out that it was the addthis widget causing the error, your help is greatly appreciated. I hope this helps someone else out in the future, too. Hi All. Had the same problem with the ADDTHIS widget. Went to the ADDTHIS website and in the help section, it stated to just change the "http:" reference to "https:"... Tried it on my template and it worked just fine! Happy coder I am now! Follow the link to the ADDTHIS help section. Link to comment Share on other sites More sharing options...
MrPhil Posted October 11, 2010 Share Posted October 11, 2010 If the code and files you are referencing are on your site, then they're probably available under https:. An SSL certificate usually covers an entire domain (mystore.com or www.mystore.com or store.mysite.com) -- you can get certificates that cover all subdomains (wildcard) too. In any case, simply changing http: to https: should do the trick. If the page or item you're referencing is on another site (not covered by your SSL certificate), and not covered by its own site SSL certificate (and thus accessible as https:), you have to access it with http:, and thus can't put it on your https: pages. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.