Question about https in Contact Form

[Athens Collectibles]

Good day,

I have purchased a dedicated IP address and an SSL Certificate which I haven't installed yet. Before installing the SSL Certificate, I tried to confirm that my Zen Cart installation is correctly configured for SSL support and followed the instructions in the book "e-Start Your Web Store with Zen Cart" to the letter.

I have a local XAMPP installation and enabled SSL for the front-end store and the Admin area. With one exception, everything appears to work fine, that is the secure connection is automatically switching on and off as I enter and exit the login and checkout pages. As explained in the book, there are warnings about the validity of the certificate, but that's expected.

The only exception is that the contact form seems to be insecure. I have my own custom contact form on page http://athenscollectibles.info/index...page=contactus and I originally thought that the different page name prevented SSL to be enabled. However, when I manually changed the page name in the address bar to contact_us (with an underscore), I was transferred to the default Zen Cart form but in http rather than https.

Is there any change or addition required to the configure.php file to enable https in the contact page or is that impossible, in which case a customer might hesitate to enter personal details like email address in the form?

A few lines from my configure.php file are as follows, in case someone finds an error or has a suggestion:

PHP Code:

  define('HTTP_SERVER', 'http://www.example.com');
  define('HTTPS_SERVER', 'https://www.example.com');

  // Use secure webserver for checkout procedure?
  define('ENABLE_SSL', 'true');

// NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!
// * DIR_WS_* = Webserver directories (virtual/URL)
  // these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
  define('DIR_WS_CATALOG', '/teststore/');
  define('DIR_WS_HTTPS_CATALOG', '/teststore/'); 


Many thanks in advance for any assistance or guidance.

[RodG]

The only exception is that the contact form seems to be insecure. I have my own custom contact form on page http://athenscollectibles.info/index...page=contactus

Change this to https://athenscollectibles.info/inde...page=contactus and it should be SSL encrypted.

This is the 'http" vs "https" that makes the difference.

Cheers
Rod

[Athens Collectibles]

Thank you for the quick reply Rod.

This works, but only if the https is entered manually in the URL bar. What I was looking is for an automatic transition to https when the Contact Us link in the side box was clicked, like it happens when the Login link is clicked.

I think I found the solution but would like somebody to confirm that my change is not bulls**t: I changed the two lines in the /includes/modules/sideboxes/my_template/information.php from

PHP Code:

if (DEFINE_CONTACTUS_STATUS <= 1) {
    $information[] = '<a href="' . zen_href_link(FILENAME_CONTACTUS) . '"><img src="images/design/howtocontactus.png" alt="" />&nbsp;' . BOX_INFORMATION_CONTACTUS . '</a>'; 


to

PHP Code:

if (DEFINE_CONTACTUS_STATUS <= 1) {
    $information[] = '<a href="' . zen_href_link(FILENAME_CONTACTUS, '', 'SSL') . '"><img src="images/design/howtocontactus.png" alt="" />&nbsp;' . BOX_INFORMATION_CONTACTUS . '</a>'; 


Is that valid or should I despair? I know nothing of php but found something similar in the tpl_header.php that gave me the idea. If the above change is correct, does it mean that I can extend it to other pages, although I can't think of any at the moment.

[RodG]

I think I found the solution but would like somebody to confirm that my change is not bulls**t: I changed the two lines in the /includes/modules/sideboxes/my_template/information.php

Seems to me that you found the perfect/ideal solution. Well done!!

Cheers
Rod.

ps. I base my comments only on what I see.. the zencart devs will have a better insight as to any possible unforeseen side effects than I do, so if they say anything to the contrary you should take their word and not mine.
If they say nothing then you can assume they agree with my comments :-)

[Athens Collectibles]

If they say nothing then you can assume they agree with my comments :-)

I hope it's because they agree and not that they haven't seen this thread

Thank you again for your advice and have a nice evening. It should be quite late in your place now.

[RodG]

I hope it's because they agree and not that they haven't seen this thread

Thank you again for your advice and have a nice evening. It should be quite late in your place now.

Rest assured, they'll see it. They see everything

Late? Nah... tis only 3:30am .... Time to call it a night I think.

Cheers
Rod

[Athens Collectibles]

Time to call it a night I think

Or a day?

[voluntaryist.only]

That is fantastic, I've been looking for a fix to the standard contact form to secure it, to pass PCI-DSS requirements & This works a treat! well done that zenner! I am probably not the only one either, (still using 1.3.9H)

You Da Man!

many thanks,

regards,

ed

[DrByte]

What's really stupid with all this is that if making that change will cause an otherwise-failing PCI scan to pass, then the PCI scanner is full of crap.

Having https in the URL only secures the DISPLAY of the page's content.

If they actually wanted to secure the SUBMITTED data, then they would require that the <form action="http...> be changed to an https URL.

But since they apparently don't actually care about that, then the whole idea of encrypting the contact-us page is just a pile of crap ... a way for scanning companies to attempt to justify their existence.