SSL at Admin and images

[Chepster]

Hello Everyone,

I just got Private SSL and now I have 2 questions:

1. When I login at the Admin site, I now access the https://www.mydomain.com/admin. Once in the admin area, when I click another link within Admin i.e. customers, orders, etc... I am immediately out of the secure area as in http://www...... Is this correct? Are my transactions still safe? In the configure.php (Admin) I have specified SSL enable at Admin and Catalog.

2. I have 2 banners before having SSL. Now I added a new sidebox with images. Why is it when I login, that means entering the secure area, I get a popup warning regarding the page containing both secure and non-secure images. Every single click I make this warning message appears. So I realised that it is because of the 2 new images that I have added in the side box. These images are saved in the same folder (images/banners) like the old banners which doesn't give me a warning.

Okay the 2 old images are banners and the 2 new ones are in the sidebox, I don't know if it matters.

Is there any logical explanation to this or did I do anthing wrong? What should I do to stop this warning messages?

Many thanks again for all your help.

Chepster

[Merlinpa1969]

Yes that is correct, only the login is secure in admin,


for the other issue you have the image sin the side box hard coded,

thats why the error,

[Chepster]

Thanks Merlinpa1969,

1. If this is correct, is this secure?
2. How do I solve this issue?

Thanks again,

Chepster

[schoolboy]

If you've hard-coded the links to images (or any other resource) it "technically" means that the client's browser must go "outside" of the server to retrieve them. So if you have resources that are "fetched" using a FULL URL (http://www.somesite.com/images/image_one.jpg), then the browser (usually IE) will indicate that some items are insecure (they've been fetched from outside the https server), do you want to display insecure items?

This happens even when the resource you are "fetching" is housed on your own server - the FULL URL will tend to call up that "insecure items" popup.

Best is to put ALL images into the IMAGES folder in the top-level directory of your webshop (or a sub-directory in that IMAGES folder) and then NOT use FULL URL calls to that resource.

As Zencart will strip into ALL pages (in the <HEAD> </HEAD> section) the legend:-

<base href="http://www.yourshop.com"> (or something like this)

... you can set the path to images simply as:-

<img src="images/image_one.jpg"> OR

<img src="images/food/custard_pie.jpg>

... the BASE HREF reference in the header provides the rest of the path to the resource.

Naturally, if the images (or resources) you are calling DO entirely reside on a remote server (ie: not inside your webshop directories on YOUR server) then it will always prompt the viewer that there are insecure items when moving into https.

Either get rid of remote resource calls, or place those resources inside directories in your webshop, and don't create FULL URL links to them.

[Chepster]

Many thanks Schoolboy,

It worked like MAGIC!!! As a newbee such explanation is highly appreciated! Thank you very much again!

Cheers,

Chepster

[schoolboy]

Pleasure... I had this issue a few months ago and battled to resolve it! Good luck with your store!

PS. Get Goh Koon Hoek's new book... Your webshop will soon look ultra-professional!

[sc0rpiongirl]

It was a great tip but it still didn't help my pain ...I used "Developer's Tool Kit" to search for any possible hard-coded lines and tried to change them properly, which I thought I did, but I still had that annoying "page contains secure and nonsecure...blah blah blah"...I clear my browser cache completely to test as well...so far no luck.

There isn't instance that I could find in my files that contains hardcodes.

Is there a way to find out potential hidden unchanged lines?

Any help would be greatly appreciated.

[Merlinpa1969]

do you have the google code installed?

[Chepster]

What I did are the following:

When I enter the secure site and get the warning message, I denied it by clicking NO. Then I can see which image is unsecure. Right click at the empty picture frame to see properties to find the path.

In my case as it was the new side box that I added, so it was located in ..../includes/templates/CUSTOM/sideboxes/tpl_new_sidebox.php. Where I added http://www.mydomain.com ......./includes/........... I just replaced it as suggested above.

I hope this will help you.

[schoolboy]

do you have the google code installed?

Merlin makes a good point... Some people hard-code Google Analytics into the footer, for example...

The point is simply this:-

When your visitor is taken into HTTPS, his/her browser will cobble the page together based on the resources called through the HTML. If any of these resources are called by a hard-coded FULL URL, it will prompt the viewer that the page contains insecure elements.

To avoid the "insecure items" popup alert, don't use hard-coded URL's in your HTML.