Addon Template Causing SSL Problems-How to track it down?

[machinerye]

I am getting a "this page includes other resources that are not secure" in Google Chrome, when attempting to load SSL pages. I switched to the classic template and the problem went away. Only in the past week have customers been contacting me saying the site is not secure. Not sure what has happened? I believe the template is "Bask Black". Here is the link the login page that has the error. (Remove spaces)
https://www.e w k a r m s.com/zen8/index.php?main_page=login
Viewing the source, and checking it on the website "why no padlock" it says there is a insecure form call on lines 531 and 571.
I can't figure out from looking at the "view source", which PHP file(s) need edited. (I think that's what needs done????)
Thank you so much in advance for any help, after much searching here on the forum and trying different things, I am at the hair pulling point!

[bislewl]

I am getting a "this page includes other resources that are not secure" in Google Chrome, when attempting to load SSL pages. I switched to the classic template and the problem went away. Only in the past week have customers been contacting me saying the site is not secure. Not sure what has happened? I believe the template is "Bask Black". Here is the link the login page that has the error. (Remove spaces)
https://www.e w k a r m s.com/zen8/index.php?main_page=login
Viewing the source, and checking it on the website "why no padlock" it says there is a insecure form call on lines 531 and 571.
I can't figure out from looking at the "view source", which PHP file(s) need edited. (I think that's what needs done????)
Thank you so much in advance for any help, after much searching here on the forum and trying different things, I am at the hair pulling point!

your advanced search bar isn't submitting to https
Try going to developers tool kit, use the last field on the bottom and search for "quick_find_header"
my guess is it will be in somethign like includes/templates/bask_black/common/tpl_header.php (or somethign similar)
and look for the zen_draw_form( and then change where the parameter reads 'NONSSL' change it to 'SSL'
That should resolve it.

OR in your configure.php from http:// to https:// in all the addresses.

[machinerye]

Thank you so much, its working now!!! The only thing I see now is that if you are on a SSL page, and you hit either the "New Products" or "Featured Products" link in the header, it takes you to a https page with the same error I had as before. (Some items are not secure) Any of the other links to a non SSL page are good of course, and if you hit the "my account" link or any other https link, its good, except the New Products or Featured Products (again, only in the header, the two of the same links in the side bar don't go to SSL)

As you might have seen, I don't have the catalog setup with SSL...I am far from an expert at this, but from what I have read, SSL is bad for search engine indexing.

So I think while not a perfect fix, this will be good as the pages where the customer enters personal data have no errors...

Thanks again!

[bislewl]

You also have an issue on your product listings across the board. You'll need to backtrack those as well.

Ideally you should find out if the request is over HTTP or HTTPS and then use NONSSL or SSL accordingly.

[mc12345678]

Thank you so much, its working now!!! The only thing I see now is that if you are on a SSL page, and you hit either the "New Products" or "Featured Products" link in the header, it takes you to a https page with the same error I had as before. (Some items are not secure) Any of the other links to a non SSL page are good of course, and if you hit the "my account" link or any other https link, its good, except the New Products or Featured Products (again, only in the header, the two of the same links in the side bar don't go to SSL)

As you might have seen, I don't have the catalog setup with SSL...I am far from an expert at this, but from what I have read, SSL is bad for search engine indexing.

So I think while not a perfect fix, this will be good as the pages where the customer enters personal data have no errors...

Thanks again!

So what was your method of getting this to mostly work? Modify a few files to properly generate ssl links as applicable or to wholesale try to make everything https?

[lat9]

You also have an issue on your product listings across the board. You'll need to backtrack those as well.

Ideally you should find out if the request is over HTTP or HTTPS and then use NONSSL or SSL accordingly.

Or simply use the $request_type variable that's preset to either NONSSL or SSL based on the current page access ...

[machinerye]

So what was your method of getting this to mostly work? Modify a few files to properly generate ssl links as applicable or to wholesale try to make everything https?

I used bislewl's instructions, and they worked perfectly, except as I mentioned, when SSL mode, and clicking on the two links in the header, you get the "some items unsecure" notice. However when in regular mode, no problems.

I didn't (or don't) want to make the whole catalog https for the potential to fall in search engine rankings. That is big for the customers to be able to find me.

Or simply use the $request_type variable that's preset to either NONSSL or SSL based on the current page access ...

Thank you so much for the tip, I am reading up on it now, and found this older thread on it for the "how to" (which I need!)-

http://www.zen-cart.com/showthread.p...warning/page10

[mc12345678]

I used bislewl's instructions, and they worked perfectly, except as I mentioned, when SSL mode, and clicking on the two links in the header, you get the "some items unsecure" notice. However when in regular mode, no problems.

Thank you for the reply, but bislewl provided instructions to accomplish both aspects. That said:

Code:

I didn't (or don't) want to make the whole catalog https for the potential to fall in search engine rankings. That is big for the customers to be able to find me.

indicates that the includes/configure.php file was not modified to have both HTTP_SERVER and HTTPS_SERVER set to https...

As for loss in rankings, I am not associated with any group that has knowledge of how the rankings are currently determined; however, there is one search engine that is pushing for all websites to use https for all web-pages... As part of that, it would seem that the search engine actually favors https web pages over those that are not...

The general/predominant philosophy of those in this forum has been that there should be a need to encrypt the contents of the pages, the most basic need is programmed into ZC at pages such as contact_us, the various checkout pages, login, etc... where effort should be made to encrypt/obscure personal information. Part of the reason not to encrypt every page is that the process uses more computer time and resources, and in the case of presenting say "HI, Welcome to our store." where there is nothing of significance to compromise, then why slow down/burden everything to display that information?

Anyways, this post is likely to bring up more discussion regarding this aspect of the thread, but I thought that I would at least point out that there is/soon to be a change/shift in philosophy about using https to serve pages. There are definite business/legal needs for various pages to be secured, but beyond that is well... subjective.

[bislewl]

A quick search turned up this:
http://googlewebmastercentral.######...ng-signal.html

For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

Sound to me it improves your search ranking

[mc12345678]

A quick search turned up this:
http://googlewebmastercentral.######...ng-signal.html



Sound to me it improves your search ranking

And that was the search engine to which I was referring and why I brought it up... It is relatively new that they have gone that route and it appears to still be under review, but the more such a "truth" is told, the more it becomes true...