Question on security warnings

[birdmantx]

I have a question on security warnings. When my sister visits my website from her work computer it gives the warning: This page contains both secure and non secure items. (choose which you want to view) She can select only secure and it shows everything the non secure page does??? When I use any of my computers I dont even get this message.

 

What would cause one person or computer to see a waning message and not another?

 

I run a SSL on every page so I would hope everything is secure. Any help would be appreciated.

 

Sam

[♥ecartz]

What would cause one person or computer to see a waning message and not another?

Different security settings. In particular, work places often use more secure settings than do home computers. It can also happen due to different browsers. Try using the same browser (e.g. IE 7) as your sister with the security settings turned up to High.

 

Without a link, it's hard to give specifics, but you would be looking for things that say src="http: in the HTML or that have http: in stylesheet.css or something in javascript.

[MrPhil]

I agree with ecartz that it's different browser security settings -- your sister's browser is configured to be stricter than yours, squawking when it sees http: items (such as images) on a https: (secure) page.

 

I run a SSL on every page so I would hope everything is secure.

 

Why? That's an odd thing to do. Usually, SSL (https:) pages are reserved for sensitive personal or financial information (address, ID numbers, credit card numbers, etc.). Maybe if you had a store selling, say, extremely "kinky" merchandise, or medical devices that might indicate something about them they'd like to keep private, customers would want every page encrypted, but other than that, what's the point? Keep in mind that having SSL on every page is not only slower, but dulls a customer's appreciation of the protection (it fades into the background), as opposed to having it quite noticeable on pages where customer personal data or financial data is shown. If you don't need to protect the information on a particular page, there's no need to put it under SSL. osCommerce is set up to put a lot of http: (non-SSL) links on pages which are not normally under SSL, so you will need to modify a lot of code to get rid of the browser warnings. Rather than modifying each page, you might just modify the various utility routines (tep_href_link, tep_image, etc.) to force SSL on everything they touch. That would be less work, if you absolutely must have SSL everywhere.