
Registration E-Mail with Non-Secure Link

Printed From: ProductCart E-Commerce Solutions
Category: ProductCart
Forum Name: Using ProductCart
Forum Description: Running your store with ProductCart
URL: https://forum.productcart.com/forum_posts.asp?TID=4608
Printed Date: 06-March-2025 at 4:59am
Software Version: Web Wiz Forums 12.04 - http://www.webwizforums.com


Topic: Registration E-Mail with Non-Secure Link
Posted By: SBW
Subject: Registration E-Mail with Non-Secure Link
Date Posted: 09-July-2011 at 10:37am
Hi,

I noticed that when a customer registers, a welcome e-mail is sent out to the person and it has a non-secure link to the page that allows edits to the customer profile:

http://www.mycompany.com/productcart/pc/custPref.asp

Now, if the person is not logged in already, then this link actually takes the person to a secure login page first.  After logging in, they can proceed to the profile page which is also secure.

However, if they are already logged in and they click the non-secure e-mail link, then they are taken to the profile page which remains non-secure.

I know this would be a rare event, but if someone does click the link for convenience after they are already logged in, then they would be submitting personal information in a non-secure manner.  Is there any way to change this?

I could change the scStoreURL in the storeconstants.asp file, to use https instead of http, but that would affect other things as well.  I'm told this could cause mixed content errors.

By the way, I'm sorry to not list the version of ProductCart I'm using.  I'm just taking over a site and am not too familiar with it.  I can't seem to find anything that tells me where the version number is listed. Any suggestions?

Thanks.



Replies:
Posted By: intour
Date Posted: 13-July-2011 at 5:05pm
The login works on a session variable, so they stay logged in during that browser session only, though it will time out eventually.
 
For the situation you described to become a security issue the person would have to leave his/her computer logged into his/her email and be still logged into the ProductCart browser session and someone else would have to come along and click the link before it timed out.
 
Nigel


-------------
http://www.innerview.co.uk - Innerview
Productcart Platinum Reseller
Web Design/Hosting/Virtual Tours


Posted By: SBW
Date Posted: 13-July-2011 at 7:06pm
Actually, it's a security issue simply by the fact that data is being submitted in a non-encrypted manner. That's the only issue I'm concerned about.  It has nothing to do with someone else coming by and getting into their session.
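
Added example, not part of any post in this thread and not ProductCart's own code: a classic ASP guard that keeps a page such as custPref.asp off plain HTTP no matter which link the customer followed, without changing scStoreURL. The helper name `RequireHttps`, its placement at the top of the page, and the assumption that TLS terminates on the IIS server itself are all assumptions; the host name is the placeholder from the first post.

```asp
<%
' Added example: hypothetical helper, not shipped with ProductCart.
' Assumes TLS terminates on IIS, so the HTTPS server variable reflects
' the connection the browser actually used (not a proxy's back-end hop).

' Placeholder host from the first post. A fixed value avoids building
' the redirect target from the client-supplied Host header.
Const CANONICAL_HOST = "www.mycompany.com"

Sub RequireHttps()
    Dim method, target, query

    ' IIS sets HTTPS to "on" for TLS requests and "off" otherwise.
    If LCase(Request.ServerVariables("HTTPS")) = "on" Then Exit Sub

    ' A form posted over plain HTTP has already crossed the network
    ' unencrypted, and a redirect would drop its body. Refuse it so the
    ' problem is visible instead of silently accepted.
    method = UCase(Request.ServerVariables("REQUEST_METHOD"))
    If method <> "GET" And method <> "HEAD" Then
        Response.Status = "403 Forbidden"
        Response.Write "This page must be requested over HTTPS."
        Response.End
    End If

    ' Rebuild the same path on the https scheme, keeping the query string.
    target = "https://" & CANONICAL_HOST & Request.ServerVariables("URL")
    query = Request.ServerVariables("QUERY_STRING")
    If Len(query) > 0 Then target = target & "?" & query

    Response.Redirect target
End Sub

' Call before any output is written and before the profile form renders.
RequireHttps
%>
```

Because the redirect happens before the form is rendered, a logged-in customer who follows the http:// link from the welcome e-mail is served the profile form over HTTPS and submits it there.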


