Internet Explorer SSL warnings & osC tep_redirect functi


ucpros


I've read the dozens of postings of people reporting issues with

shared SSL connections and strange browser warning messages, but none

of those discussions cover the issues I'm running into now.

 

I also have to offer some insight on browser SSL warning messages

based on my research. Before covering my problems, some background

on my setup and the way Microsoft IE handles SSL warnings

 

I'm on a shared SSL certificate where

nonSSL pages are served from: mystore.mydomain.com

SSL pages are served from: mystore.myISPprovider.com

 

osCommerce config files are set accordingly and SSL is working with

no problems.

 

IE default setting is to warn on "form submittals being redirected"

So anytime a form is contained on an SSL page and that page then redirects

to a nonSSL page, IE pops up a warning: "You are being redirected to an unsecure

site....".

This is because the top domain for my nonSSL page (mydomain.com) is different from

my SSL top domain (myISPprovider.com)

 

This warning message can of course be enabled/disabled in IE under Tools|Internet Settings|

Advanced| "Warn if forms submittal is being redirected".

 

But as probably 70%+ of users never bother to change the IE default settings,

this is not really a viable solution and looks imho very unprofessional.

 

There is actually a way this CAN be addressed in the osCommerce code

and fixed for ALL users of IE, by "simply" making sure that any SSL page that

contains forms never is redirected to a nonSSL page. There are two pages in

osCommerce that are affected by this: catalog/login.php and catalog/checkout_success.php

 

The login.php file if called from the main page (default.php) by clicking on the

"sign-in here" link, opens an SSL page that contains the "email address" and "password"

form fields. If you click on Sign-In after entering your login information you're being

redirected to default.php (main page) - a non SSL page.

 

This can be fixed in the login.php code by making a simple change that redirects to

default.php as a SSL connection instead of a nonSSL connection.

Find code:

//restore cart contents

$cart->restore_contents();

 

if (sizeof($navigation->snapshot) > 0) {

$origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name())), $navigation->snapshot['mode']);

$navigation->clear_snapshot();

tep_redirect($origin_href);

} else {

tep_redirect(tep_href_link(FILENAME_DEFAULT));

 

and change the last 3 lines to:

 

tep_redirect($origin_href,'','SSL');

} else {

tep_redirect(tep_href_link(FILENAME_DEFAULT,'','SSL'));

 

Bingo, no more IE SSL warning message.

 

catalog/checkout_success.php is the page that is displayed at the very end of a customer

placing a successful order. In the version I have this page contains a form "comment" field that

allows customers to enter comments. Again this page is served as an SSL page and after clicking

"continue" redirects to the nonSSL default.php (main) page.

 

However, for some weird reason the fix I have described above for the login.php

page does NOT work with the checkout_success page. Maybe someone here can shed some light on this.

Here is the catalog/checkout_success.php code in question:

 

$notify_string = '';

if (tep_session_is_registered('customer_id')) {

$notify_string .= 'action=notify&';

$notify = $HTTP_POST_VARS['notify'];

if (!is_array($notify)) $notify = array($notify);

$n = sizeof($notify);

for ($i=0; $i<$n; $i++) {

$notify_string .= 'notify[]=' . $notify[$i] . '&';

}

if (strlen($notify_string) > 0) $notify_string = substr($notify_string, 0, -1);

}

tep_redirect(tep_href_link(FILENAME_DEFAULT,$notify_string));

 

 

If changing the last line of code to:

 

tep_redirect(tep_href_link(FILENAME_DEFAULT,$notify_string,'SSL'));

 

the code STILL redirects to a NONSSL default.php page instead of a SSL default.php page

as expected. Consequently IE still pops up the Redirect warning message.

 

If I, however, change the code (for test) to:

 

tep_redirect(tep_href_link(FILENAME_DEFAULT,'','SSL'));

 

everything works as expected, we are being redirected to an SSL default page

and no IE warning pops up

 

So the only difference between working and non-working version is the "$notify_string"

 

My questions:

* Can anyone explain what the above $notify_string code is being used for?

What is the functionality impact on osCommerce if $notify_string is not being passed

back to default.php as in the original tep_redirect statement?

 

* Anyone any ideas why the tep_redirect or tep_href_link functions get confused

with the $notify_string and do NOT establish an SSL link as expected, but work just fine

when $notify_string is omitted? Is this a bug in the tep_functions or a configuration issue?

If the latter, where to look?

Link to comment
Share on other sites

Has to do with notifications - there is a checkbox...correct?

 

Yep, as detailed in my post:

This warning message can of course be enabled/disabled in IE under Tools|Internet Settings|  

Advanced| "Warn if forms submittal is being redirected".  

 

But as probably 70%+ of users never bother to change the IE default settings,  

this is not really a viable solution and looks imho very unprofessional.  

 

There is actually a way this CAN be addressed in the osCommerce code....?

Link to comment
Share on other sites

Graham & Johnson,

thanks so much for your help. Graham, the topic you referenced me to had the missing bit of info. I did not realize that checkout_success with action=notify gets processed in application_top. Changing that to SSL fixes my problem.

Thanks again.

Volker

Link to comment
Share on other sites

  • 2 weeks later...

Graham, to get rid of the redirect warning on checkout_success:

 

in includes/application_top.php I changed code (this code is identical to the original, with the exception that two occurrences of 'NONSSL' have been changed to 'SSL'):

//VS changed to suppress IE redirect warning

tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify')), 'SSL'));

}

if (!is_array($notify)) $notify = array($notify);

$size = sizeof($notify);

for ($i=0; $i<$size; $i++) {

$check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");

$check = tep_db_fetch_array($check_query);

if ($check['count'] < 1) {

tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");

}

}

//VS changed to suppress IE redirect warnings

tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify')), 'SSL'));

} else {

$navigation->set_snapshot();

tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));

}

break;

 

 

in catalog/checkout_success.php find below code and change

'NONSSL' to 'SSL':

 

$notify_string = '';

if (tep_session_is_registered('customer_id')) {

$notify_string .= 'action=notify&';

$notify = $HTTP_POST_VARS['notify'];

if (!is_array($notify)) $notify = array($notify);

$n = sizeof($notify);

for ($i=0; $i<$n; $i++) {

$notify_string .= 'notify[]=' . $notify[$i] . '&';

}

if (strlen($notify_string) > 0) $notify_string = substr($notify_string, 0, -1);

}

//VS changed to SSL to suppress IE redirect warning

tep_redirect(tep_href_link(FILENAME_DEFAULT,$notify_string,'SSL'));

Link to comment
Share on other sites
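
The notify code quoted in this thread puts each notify[] value, unencoded, into the redirect URL and then directly into the SQL text. The following is an added example, not part of the original posts and not osCommerce's own code: it shows the same notify flow with the ids validated, the query string URL-encoded, and the SQL run with bound parameters. The function names are hypothetical, and the table name products_notifications and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions standing in for TABLE_PRODUCTS_NOTIFICATIONS.

```php
<?php
// Added example: hypothetical helpers, not osCommerce functions.

// Keep only positive integer product ids from the posted notify[] values.
function clean_notify_ids($raw) {
    $ids = array();
    foreach ((array) $raw as $value) {
        // ctype_digit rejects '', signs, spaces, quotes and SQL fragments.
        if (is_string($value) && ctype_digit($value) && (int) $value > 0) {
            $ids[(int) $value] = (int) $value;   // keyed by id to drop duplicates
        }
    }
    return array_values($ids);
}

// Build the redirect parameters with proper URL encoding.
function build_notify_query(array $ids) {
    return http_build_query(array('action' => 'notify', 'notify' => $ids));
}

// Add missing notifications using bound parameters, not string concatenation.
function add_notifications(PDO $db, $customer_id, array $ids) {
    $check = $db->prepare('SELECT COUNT(*) FROM products_notifications
                           WHERE products_id = ? AND customers_id = ?');
    $insert = $db->prepare('INSERT INTO products_notifications
                            (products_id, customers_id, date_added) VALUES (?, ?, ?)');
    $added = 0;
    foreach ($ids as $id) {
        $check->execute(array($id, (int) $customer_id));
        if ((int) $check->fetchColumn() < 1) {
            $insert->execute(array($id, (int) $customer_id, date('Y-m-d H:i:s')));
            $added++;
        }
    }
    return $added;
}

// Constructed sample input: two valid ids, a duplicate and a malformed value.
$posted = array('12', '12', '7', "7' OR '1'='1");
$ids = clean_notify_ids($posted);

// Assumed stand-in for the shop database (table name is an assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products_notifications
           (products_id INTEGER, customers_id INTEGER, date_added TEXT)');

echo build_notify_query($ids), "\n";        // encoded redirect parameters
echo add_notifications($db, 3, $ids), "\n"; // rows added on the first call
echo add_notifications($db, 3, $ids), "\n"; // rows added when repeated
```

The malformed value never reaches the URL or the query, and repeating the request adds no duplicate rows.
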

  • 1 month later...

ucpros,

 

I tried the last 3 lines of code for login.php and something very strange happened. My .htaccess file blew out, so when people went to the cart, it listed the contents of the files instead of the cart.

 

Although, it should direct to default.php???

 

Very strange. So I added the lines

 

DirectoryIndex default.php index.php index.htm index.html

 

back to my .htaccess, placed it in my /scart and restored a backup of login.php and everything was fixed again.

 

I admit, I hate having the MS warning come up, but a dead cart be no good.

 

Perhaps my hosting site killed it at the exact same moment and it was pure coincidence...unless anyone has had this happen, just curious and would really like the MS warning to split.

 

Cheers.

Link to comment
Share on other sites

The whole issue was fixed in CVS a long time ago by changing tep_href_link function in catalog/includes/functions/html_output.php.

 

Basically the change checks whether the current node is ssl. If it is it always returns links to ssl-pages. I have not seen any warnings after that.

 

Just be sure to use the function everywhere.

Greetings from Marcel


Link to comment
Share on other sites

  • 2 weeks later...

sirvipe,

 

make sure '' in the lines to be changed in login.php are TWO single quotes

back to back, not one double quote.

 

Other than that I wouldn't know how that change could possibly

destroy your .htaccess file.

Link to comment
Share on other sites

ucpros,

 

That worked. I'm understanding PHP these days and realise apostrophes are used in the code, even though someone may have used quotations, or appeared as such.

 

No more 'display insecure items', Thank GOD!

 

Thanks.

Link to comment
Share on other sites

  • 2 years later...

Archived

This topic is now archived and is closed to further replies.
