Registration E-Mail with Non-Secure Link

SBW (Newbie, joined 09-July-2011)
Posted: 09-July-2011 at 10:37am
Hi,

I noticed that when a customer registers, a welcome e-mail is sent out to the person and it has a non-secure link to the page that allows edits to the customer profile:


Now, if the person is not logged in already, then this link actually takes the person to a secure login page first.  After logging in, they can proceed to the profile page which is also secure.

However, if they are already logged in and they click the non-secure e-mail link, then they are taken to the profile page which remains non-secure.

I know this would be a rare event, but if someone does click the link for convenience after they are already logged in, then they would be submitting personal information in a non-secure manner.  Is there any way to change this?

I could change the scStoreURL in the storeconstants.asp file, to use https instead of http, but that would affect other things as well.  I'm told this could cause mixed content errors.

By the way, I'm sorry to not list the version of ProductCart I'm using.  I'm just taking over a site and am not too familiar with it.  I can't seem to find anything that tells me where the version number is listed. Any suggestions?

Thanks.


Edited by SBW - 14-July-2011 at 10:34am

intour (Senior Member, joined 30-June-2006, United Kingdom)
Posted: 13-July-2011 at 5:05pm
The login works on a session variable so they stay logged in during that browser session only, though it will time out eventually.
 
For the situation you described to become a security issue the person would have to leave his/her computer logged into his/her email and be still logged into the ProductCart browser session and someone else would have to come along and click the link before it timed out.
 
Nigel
Innerview
Productcart Platinum Reseller
Web Design/Hosting/Virtual Tours

SBW (Newbie, joined 09-July-2011)
Posted: 13-July-2011 at 7:06pm
Actually, it's a security issue simply by the fact that data is being submitted in a non-encrypted manner. That's the only issue I'm concerned about.  It has nothing to do with someone else coming by and getting into their session.
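
Added example, not part of the original thread and not ProductCart code: one way to close the gap discussed above is to make the profile page itself refuse plain HTTP, whatever scheme the e-mail link uses, without switching the whole store to https. The include file name and the `SECURE_HOST` constant are hypothetical; the page would include this file at its very top, before any output.

```asp
<%
' forcehttps.asp (hypothetical include file, added example).
' Include at the top of any page that shows or accepts customer data,
' before any output is written.
' SECURE_HOST is an assumed constant, not a ProductCart setting.
Const SECURE_HOST = "store.example.com"

Sub RequireHttps()
    Dim method, target, qs

    ' IIS sets the HTTPS server variable to "on" for TLS requests.
    If LCase(Request.ServerVariables("HTTPS")) = "on" Then Exit Sub

    method = UCase(Request.ServerVariables("REQUEST_METHOD"))
    If method <> "GET" And method <> "HEAD" Then
        ' A form posted over plain HTTP has already crossed the network
        ' unencrypted. Refuse it rather than process or replay it.
        Response.Status = "403 Forbidden"
        Response.Write "This page must be submitted over HTTPS."
        Response.End
    End If

    ' Build the target from a fixed host, not the client-supplied Host
    ' header, so the redirect cannot be pointed at another site.
    target = "https://" & SECURE_HOST & Request.ServerVariables("SCRIPT_NAME")
    qs = Request.ServerVariables("QUERY_STRING")
    If Len(qs) > 0 Then target = target & "?" & qs

    ' Already-logged-in visitors arriving from the http link land on the
    ' https version of the same page before any form is rendered.
    Response.Redirect target
End Sub

RequireHttps
%>
```

The redirect keeps the profile form and its submission on HTTPS, but the first request from the e-mail link still travels over HTTP, so the link in the welcome e-mail should also be changed to https where the template allows it.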