I am getting the security alert: "You are about to be directed to a connection that is not secure. the information you are sending to the current site might be transmitted to a non-secure site. Do you wish to continue?" when I try to login as a customer on my clients oscommerce website. I noticed the link in the status bar goes from a https prefix to a nonsecure http prefix. The site has a SSL certificate, so how do I ensure the entire store portion of the site directs to the secured site?
+3
A:
It is likely that some parts of the page, most often images or scripts, are loaded non-secure. You'll need to go through them in the browser's "view page source" view one by one and eliminate the reason (most often, a configuration setting pointing to http://).
Some external tools like Google Analytics that you may be embedding on your site can be included through https://, some don't. In that case, you may have to remove those tools from your secure site.
If you can't switch all the settings, try using relative paths
<img src="/images/shop/xyz.gif">
but the first thing is to identify the non-secure elements using the source code view of your browser.
An immediate redirection from a https:// page to a http:/ one would not result in a warning as you describe. Can you specify what's up with that?
Pekka
2009-12-31 18:50:52
Sure, if you go to https://balancedecosolutions.com/products//catalog/login.php and login as a customer. I have setup [email protected] as the user name and test123 as the password. You'll see the message (IE6) when you try to login.
me
2009-12-31 19:13:06
The login doesn't work for me.
Pekka
2010-01-01 19:10:33
+1
A:
Ensure that the following are included over https:
- css files
- js files
- embedded media (images, videos)
If you're confident none of your own stuff is included over http, check things like tracking pixels and other third-party gadgets.
Edit: Now that you've linked your page, I see that your <base> tag is the problem:
<base href="http://balancedecosolutions.com/products//catalog/">
Change to:
<base href="https://balancedecosolutions.com/products//catalog/">
BipedalShark
2009-12-31 18:51:44
Thanks shark... the only reference to that that I can find is a line of code like this: <base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
me
2009-12-31 19:58:05
Hopefully the OSCommerce software has an option for always using `HTTPS_SERVER`. If not, try editing that line:`<base href="<?php echo HTTPS_SERVER . DIR_WS_CATALOG; ?>">`
BipedalShark
2009-12-31 20:12:47
+2
A:
Use Fiddler and browse your site, in the listing it should become evident what is using HTTP and HTTPS.
Brian Schmitt
2009-12-31 19:02:43
Jon Galloway talks about this in one of his blog-posts: http://weblogs.asp.net/jgalloway/archive/2009/10/15/did-you-know-about-protocol-relative-hyperlinks.aspxTL;DR - pre-pend it with // rather than http(s)
Brian Schmitt
2009-12-31 20:15:07
A:
It sounds to me like the HTML form you are submitting is hardcoded to post to a non-secure page.
Shea Daniels
2009-12-31 19:14:45
A:
If the suggestion from Pekka doesn't suit your needs you can try using relative links based on the schema (http or https):
e.g.,
<a href="//www.example.com/mypage.html">I am a 100% valid link!</a>
The only problem with this technique is that it doesn't work with CSS files in all browsers; though it does work within Javascript and inline CSS. (I could be wrong here; anyone want to check?).
e.g., the following :
<link rel="stylesheet" href="/css/mycss.css" />
<!-- mycss.css contents: -->
...
body{
background-image:url(//static.example.com/background.png);
}
...
...might fail.
A simple Find/Replace on your source code could be easy.
David Murdoch
2009-12-31 19:33:44