Steps in using secure pages

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Hi folks,

OK I have read the WIKI and followed many extra links and got as much info as I can. My question is, what is supposed to happen when switching between non-secure and secure pages?
I enter my store through the front door, via non-secure page(http://www......). I add a few items to my cart. I proceed to checkout and switch to the secure page(https://www......). At this point, when are the pages supposed to switch back to non-secure? If I proceed to the checkout then the secure page is being used but if I go back to the home page, via header link default.asp (absolute I think it's called) before finishing the checkout it retains the https://www... and I am now returned back to a secure home page(https://www.mystore.com/myhomepage.asp). How do I get this to default back to the original non-secure page?

I believe it was the WIKI that stated the includes/storeconstants.asp file needs to have the same url as entered in the control panel under Store Uses SSL url. In my case it would be https://www.mystore.com. If I set the storeconstants.asp to use the same url then all my category navigation, once generated, defaults to secure pages.
I am trying to get my provider to set the “New ID On Secure Connection (keepSessionIdSecure)” setting to false in IIS7. Would this have anything to do with it?  I understand the other issue related to the cart items being lost but I do not know if this issue would be related to that setting.

Or would I have to make sure that the links on my header.asp all have full links, with the http:// ?

I hope that made sense.
Thanks.

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Rick_N Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 11-August-2006 Location: Canada Status: Offline Points: 0	Post Options Post Reply Quote Rick_N Report Post Thanks(0) Quote Reply Topic: Steps in using secure pages Posted: 18-April-2010 at 11:23am
	Hi folks, OK I have read the WIKI and followed many extra links and got as much info as I can. My question is, what is supposed to happen when switching between non-secure and secure pages? I enter my store through the front door, via non-secure page(http://www......). I add a few items to my cart. I proceed to checkout and switch to the secure page(https://www......). At this point, when are the pages supposed to switch back to non-secure? If I proceed to the checkout then the secure page is being used but if I go back to the home page, via header link default.asp (absolute I think it's called) before finishing the checkout it retains the https://www... and I am now returned back to a secure home page(https://www.mystore.com/myhomepage.asp). How do I get this to default back to the original non-secure page? I believe it was the WIKI that stated the includes/storeconstants.asp file needs to have the same url as entered in the control panel under Store Uses SSL url. In my case it would be https://www.mystore.com. If I set the storeconstants.asp to use the same url then all my category navigation, once generated, defaults to secure pages. I am trying to get my provider to set the “New ID On Secure Connection (keepSessionIdSecure)” setting to false in IIS7. Would this have anything to do with it? I understand the other issue related to the cart items being lost but I do not know if this issue would be related to that setting. Or would I have to make sure that the links on my header.asp all have full links, with the http:// ? I hope that made sense. Thanks.
	EveningSecrets Lingerie...what 'every body' wants EveningSecrets Lingerie

Greg Dinger Members Profile Send Private Message Find Members Posts Add to Buddy List Certified ProductCart Developers Joined: 23-September-2006 Location: United States Status: Offline Points: 238	Post Options Post Reply Quote Greg Dinger Report Post Thanks(0) Quote Reply Posted: 18-April-2010 at 11:29am
	Rick - in your header.asp, footer.asp and possibly others (small search, small cart, etc.) you need to hard-code URLs to HTTP or HTTPS according to where you want to pooint the browser when someone clicks a link. storeconstants has nothing to do with this, and I cannot think of a reason you would want HTTPS in that file. Please note that I emphasize URLs. DO NOT hard-code images, css, JS or other physical objects. Only page URLs.

Rick_N Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 11-August-2006 Location: Canada Status: Offline Points: 0	Post Options Post Reply Quote Rick_N Report Post Thanks(0) Quote Reply Posted: 18-April-2010 at 1:14pm
	Thanks Greg, I'll change the links. I assumed this was the way but wanted to clarify. On the note of changing the storeconstants.asp, perhaps I read it wrong but the page I viewed is here: http://wiki.earlyimpact.com/developers/timeout-issues#iis7 and the lines I read are added below, particularly the one in blue. Make sure that the file “includes/storeconstants.asp” contains the correct URL Make sure that the SSL URL under Settings > Store Settings is correct and consistent with the URL in “storeconstants.asp” Make sure that the Home Page URL under Settings > Store Settings is correct and consistent with the URL in “storeconstants.asp Thanks for clearing things up. Rick
	EveningSecrets Lingerie...what 'every body' wants EveningSecrets Lingerie

Greg Dinger Members Profile Send Private Message Find Members Posts Add to Buddy List Certified ProductCart Developers Joined: 23-September-2006 Location: United States Status: Offline Points: 238	Post Options Post Reply Quote Greg Dinger Report Post Thanks(0) Quote Reply Posted: 18-April-2010 at 1:19pm
	storeconstants should reference HTTP, not HTTPS. As you are looking at your overall set of changes, I like to go to wherever there is a link that will lead to a login, and change it to HTTPS if that's not already happening as a result of EI's code. This will overcome the eventual red flag you will encounter when you attempt PCI compliance tests.

benpate Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 15-February-2007 Location: United States Status: Offline Points: 0	Post Options Post Reply Quote benpate Report Post Thanks(0) Quote Reply Posted: 21-April-2010 at 12:43pm
	The problem is that you have a RELATIVE link NOT an absolute one. Relative - /productcart/pc/home.asp Absolute - http://www.domain.com/productcart/pc/home.asp Change to Absolute version and it will go to the unsecure page...unless you code it that way :)
	ProductCart SEO - Resellers and Affiliates welcome

Rick_N Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 11-August-2006 Location: Canada Status: Offline Points: 0	Post Options Post Reply Quote Rick_N Report Post Thanks(0) Quote Reply Posted: 21-April-2010 at 2:57pm
	Actually the problem was not to do with the security warning when changing from Secure to Non secure pages. The problem was I did not want to have the site using HTTPS when it didn't need to. I answered my own question with Greg's confirmation. Many thanks though for adding your point.. Rick
	EveningSecrets Lingerie...what 'every body' wants EveningSecrets Lingerie

Rick_N Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 11-August-2006 Location: Canada Status: Offline Points: 0	Post Options Post Reply Quote Rick_N Report Post Thanks(0) Quote Reply Posted: 21-April-2010 at 2:59pm
	Oops, I misunderstood my own thinking. Yes that was the problem. Once I coded the header links correctly all is fine. However, there were a heck of a lot more that you have to find as you are testing. Custpref.asp is a good example. Rick
	EveningSecrets Lingerie...what 'every body' wants EveningSecrets Lingerie