ucpros Posted February 20, 2003

I've read the dozens of postings of people reporting issues with shared SSL connections and strange browser warning messages, but none of those discussions cover the issues I'm running into now. I also have to offer some insight on browser SSL warning messages based on my research.

Before covering my problems, some background on my setup and the way Microsoft IE handles SSL warnings.

I'm on a shared SSL certificate where
nonSSL pages are served from: mystore.mydomain.com
SSL pages are served from: mystore.myISPprovider.com

osCommerce config files are set accordingly and SSL is working with no problems.

IE default setting is to warn on "form submittals being redirected". So anytime a form is contained on an SSL page and that page then redirects to a nonSSL page, IE pops up a warning: "You are being redirected to an unsecure site....". This is because the top domain for my nonSSL page (mydomain.com) is different from my SSL top domain (myISPprovider.com).

This warning message can of course be enabled/disabled in IE under Tools|Internet Settings| Advanced| "Warn if forms submittal is being redirected". But as probably 70%+ of users never bother to change the IE default settings, this is not really a viable solution and looks imho very unprofessional.

There is actually a way this CAN be addressed in the osCommerce code and fixed for ALL users of IE, by "simply" making sure that any SSL page that contains forms never is redirected to a nonSSL page. There are two pages in osCommerce that are affected by this: catalog/login.php and catalog/checkout_success.php

The login.php file, if called from the main page (default.php) by clicking on the "sign-in here" link, opens an SSL page that contains the "email address" and "password" form fields. If you click on Sign-In after entering your login information you're being redirected to default.php (main page) - a non SSL page.
This can be fixed in the login.php code by making a simple change that redirects to default.php as a SSL connection instead of a nonSSL connection.

Find code:

    //restore cart contents
    $cart->restore_contents();

    if (sizeof($navigation->snapshot) > 0) {
      $origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name())), $navigation->snapshot['mode']);
      $navigation->clear_snapshot();
      tep_redirect($origin_href);
    } else {
      tep_redirect(tep_href_link(FILENAME_DEFAULT));

and change the last 3 lines to:

      tep_redirect($origin_href,'','SSL');
    } else {
      tep_redirect(tep_href_link(FILENAME_DEFAULT,'','SSL'));

Bingo, no more IE SSL warning message.

catalog/checkout_success.php is the page that is displayed at the very end of a customer placing a successful order. In the version I have this page contains a form "comment" field that allows customers to enter comments. Again this page is served as an SSL page and after clicking "continue" redirects to the nonSSL default.php (main) page.

However, for some weird reason the fix I have described above for the login.php page does NOT work with the checkout_success page. Maybe someone here can shed some light on this.

Here is the catalog/checkout_success.php code in question:

    $notify_string = '';
    if (tep_session_is_registered('customer_id')) {
      $notify_string .= 'action=notify&';
      $notify = $HTTP_POST_VARS['notify'];
      if (!is_array($notify)) $notify = array($notify);
      $n = sizeof($notify);
      for ($i=0; $i<$n; $i++) {
        $notify_string .= 'notify[]=' . $notify[$i] . '&';
      }
      if (strlen($notify_string) > 0) $notify_string = substr($notify_string, 0, -1);
    }
    tep_redirect(tep_href_link(FILENAME_DEFAULT,$notify_string));

If changing the last line of code to:

    tep_redirect(tep_href_link(FILENAME_DEFAULT,$notify_string,'SSL'));

the code STILL redirects to a NONSSL default.php page instead of a SSL default.php page as expected. Consequently IE still pops up the Redirect warning message.
If, however, I change the code (for test) to:

    tep_redirect(tep_href_link(FILENAME_DEFAULT,'','SSL'));

everything works as expected, we are being redirected to a SSL default page and no IE warning pops up.

So the only difference between working and non-working version is the "$notify_string".

My questions:

* Can anyone explain what the above $notify_string code is being used for? What is the functionality impact on osCommerce if $notify_string is not being passed back to default.php as in the original tep_redirect statement?
* Anyone any ideas why the tep_redirect or tep_href_link functions get confused with the $notify_string and do NOT establish an SSL link as expected, but work just fine when $notify_string is omitted? Is this a bug in the tep_functions or a configuration issue? If the latter, where to look?

Guest Posted February 20, 2003

Has to do with notifications - there is a checkbox...correct?

ucpros (Author) Posted February 20, 2003

> Has to do with notifications - there is a checkbox...correct?

Yep, as detailed in my post:

This warning message can of course be enabled/disabled in IE under Tools|Internet Settings| Advanced| "Warn if forms submittal is being redirected". But as probably 70%+ of users never bother to change the IE default settings, this is not really a viable solution and looks imho very unprofessional. There is actually a way this CAN be addressed in the osCommerce code....?

medisave Posted February 20, 2003

http://www.oscommerce.com/forums/viewtopic.php?t=25902

Graham Wright

Guest Posted February 20, 2003

What I meant was that the code has to do with notifications in the checkout process.

ucpros (Author) Posted February 20, 2003

Graham & Johnson, thanks so much for your help.

Graham, the topic you referenced me to had the missing bit of info. I did not realize that checkout_success with action=notify gets processed in application_top. Changing that to SSL fixes my problem.

Thanks again.

Volker

medisave Posted March 3, 2003

Hi, Volker,

could you post your solution please? Just realised that I suffer from the checkout_success warning too!

Cheers,

Graham Wright

ucpros (Author) Posted March 4, 2003

Graham,

to get rid of the redirect warning on checkout_success:

in includes/application_top.php I changed code (this code is identical to the original, with the exception that two occurrences of 'NONSSL' have been changed to 'SSL'):

    //VS changed to suppress IE redirect warning
            tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify')), 'SSL'));
          }
          if (!is_array($notify)) $notify = array($notify);
          $size = sizeof($notify);
          for ($i=0; $i<$size; $i++) {
            $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");
            $check = tep_db_fetch_array($check_query);
            if ($check['count'] < 1) {
              tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");
            }
          }
    //VS changed to suppress IE redirect warnings
          tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify')), 'SSL'));
        } else {
          $navigation->set_snapshot();
          tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
        }
        break;

in catalog/checkout_success.php find below code and change 'NONSSL' to 'SSL':

    $notify_string = '';
    if (tep_session_is_registered('customer_id')) {
      $notify_string .= 'action=notify&';
      $notify = $HTTP_POST_VARS['notify'];
      if (!is_array($notify)) $notify = array($notify);
      $n = sizeof($notify);
      for ($i=0; $i<$n; $i++) {
        $notify_string .= 'notify[]=' . $notify[$i] . '&';
      }
      if (strlen($notify_string) > 0) $notify_string = substr($notify_string, 0, -1);
    }
    //VS changed to SSL to suppress IE redirect warning
    tep_redirect(tep_href_link(FILENAME_DEFAULT,$notify_string,'SSL'));

ucpros (Author) Posted March 4, 2003

oops, make that THREE occurrences of 'SSL' in the first piece of code

Guest Posted April 27, 2003

ucpros,

I tried the last 3 lines of code for login.php and something very strange happened. My .htaccess file blew out, so when people went to the cart, it listed the contents of the files instead of the cart. Although, it should direct to default.php??? Very strange.

So I added the lines

    DirectoryIndex default.php index.php index.htm index.html

back to my .htaccess, placed it in my /scart and restored a backup of login.php and everything was fixed again.

I admit, I hate having the MS warning come up, but a dead cart be no good.

Perhaps my hosting site killed it at the exact same moment and it was pure coincidence...unless anyone has had this happen, just curious and would really like the MS warning to split.

Cheers.

M@rcel Posted April 27, 2003

The whole issue was fixed in CVS a long time ago by changing the tep_href_link function in catalog/includes/functions/html_output.php.

Basically the change checks whether the current node is ssl. If it is, it always returns links to ssl-pages. I have not seen any warnings after that. Just be sure to use the function everywhere.

Greetings from Marcel
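
A sketch of the behaviour Marcel describes, where the link builder forces SSL targets whenever the current request is itself SSL, so a form page on the shared-certificate host never redirects to the non-SSL host. This is an added example, not the osCommerce CVS code: `request_is_ssl`, `build_link`, the two constants and the sample request arrays are assumptions, and the host names are the ones from the first post.

```php
<?php
// Added illustration; not osCommerce's tep_href_link(). All names are hypothetical.
const STORE_HTTP  = 'http://mystore.mydomain.com';       // non-SSL host from the thread
const STORE_HTTPS = 'https://mystore.myISPprovider.com'; // shared-certificate host from the thread

// True when the request being served arrived over TLS.
function request_is_ssl(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    return (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// Build a catalog link. A caller may ask for NONSSL, but a page that is
// itself being served over SSL never hands out a non-SSL target.
function build_link(string $page, array $params, string $connection, array $server): string
{
    if ($connection !== 'SSL' && $connection !== 'NONSSL') {
        throw new InvalidArgumentException("connection must be 'SSL' or 'NONSSL'");
    }
    if (request_is_ssl($server)) {
        $connection = 'SSL'; // pin to SSL regardless of what the caller asked for
    }
    $base = ($connection === 'SSL') ? STORE_HTTPS : STORE_HTTP;
    $url  = $base . '/' . ltrim($page, '/');
    if ($params) {
        // http_build_query() URL-encodes notify[] values instead of concatenating them raw.
        $url .= '?' . http_build_query($params);
    }
    return $url;
}

// Constructed request environments and parameters for the demonstration.
$onSslPage   = ['HTTPS' => 'on',  'SERVER_PORT' => '443'];
$onPlainPage = ['HTTPS' => 'off', 'SERVER_PORT' => '80'];
$notify      = ['action' => 'notify', 'notify' => [12, 34]];

echo build_link('default.php', $notify, 'NONSSL', $onSslPage), "\n";   // checkout_success case
echo build_link('default.php', [],      'NONSSL', $onPlainPage), "\n"; // ordinary browsing
echo build_link('login.php',   [],      'SSL',    $onPlainPage), "\n"; // explicit SSL request
```

If TLS is terminated at a proxy in front of the web server, the `HTTPS` and port values seen by PHP may describe the proxy-to-server hop, so the detection function has to be adapted to whatever the host actually passes through.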

ucpros (Author) Posted May 6, 2003

sirvipe,

make sure '' in the lines to be changed in login.php are TWO single quotes back to back, not one double quote. Other than that I wouldn't know how that change could possibly destroy your .htaccess file.

Guest Posted May 9, 2003

ucpros,

That worked. I'm understanding PHP these days and realise apostrophes are used in the code, even though someone may have used quotations, or appeared as such.

No more 'display insecure items', Thank GOD!

Thanks.

Guest Posted April 18, 2006

Brilliant, thank you. You're a life saver...
Archived
This topic is now archived and is closed to further replies.