Security Warnings from browsers

[pfabrick]

I have a wholesale site that is for approved retail customers only and they have to log in to view the prices. I'm having problems with browsers displaying error messages...

In Firefox, the problem I'm having is when they login, they're still on the https (secure) - so when they click on a manufacturer or submit a search, they get a popup security warning from their browser stating that "although this page is encrypted, the information is being sent over an unencrypted connection". This error does not occur when clicking on anything else - directly on a product, on the shopping cart, one of the information links, or a category.

In IE7, I get a little nicer warning at the top of the page stating that for security purposes, IE has blocked display of images that are not secure. This includes my heading images for my boxes.

Any ideas on what I could do to avoid these errors? Unfortunately, these type of warnings really scare customers. I'd be happy to provide account info to anyone who want to see these errors in action.

Thanks for your help!
Patti

[Ajeh]

Any submit that is going from secure to non-secure will throw a warning ...

You could set your side boxes to have the submits when the page is non-secure ... and a link to non-secure page when the secure is active to prevent this ...

[pfabrick]

Oooh, Ajeh...you got some wheels turning now. Thanks for the kick-start! I'll do some fiddling around and let you know what I come up with.

Patti

[pfabrick]

OK, here's what I came up with...I surrounded the form tag and the submit button with an if statement to determine if we're in https....the form tag has to be included due to the enter key automatically submitting the form. I used JS because we needed to get the value from the text box to dynamically define the link. Here's the code from tpl_search.php...

PHP Code:

 $content = "";
  $content .= '<div id="' . str_replace('_', '-', $box_id . 'Content') . '" class="sideBoxContent centeredContent">';
  if ($_SERVER["HTTPS"]) {//yes, this is a secure page
      $content .= zen_draw_form('quick_find', 'JavaScript:window.location="http://www.mywebsite.com/index.php?main_page=advanced_search_result&search_in_description=1&keyword=" + document.quick_find.keyword.value', 'get');
  }else{
      $content .= zen_draw_form('quick_find', zen_href_link(FILENAME_ADVANCED_SEARCH_RESULT, '', 'NONSSL', false), 'get');
  }
  $content .= zen_draw_hidden_field('main_page',FILENAME_ADVANCED_SEARCH_RESULT);
  $content .= zen_draw_hidden_field('search_in_description', '1') . zen_hide_session_id();

  if (strtolower(IMAGE_USE_CSS_BUTTONS) == 'yes') {
    $content .= zen_draw_input_field('keyword', '', 'size="18" maxlength="100" style="width: ' . ($column_width-30) . 'px"') . '<br />';
    if ($_SERVER["HTTPS"]) {//yes, this is a secure page
        $content .= '<a href=\'JavaScript:window.location="http://www.mywebsite.com/index.php?main_page=advanced_search_result&search_in_description=1&keyword=" + document.quick_find.keyword.value\' name="searchLink">Search</a>';
    }else{
        $content .= zen_image_submit (BUTTON_IMAGE_SEARCH,HEADER_SEARCH_BUTTON);
    }
    $content .= '<br /><a href="' . zen_href_link(FILENAME_ADVANCED_SEARCH) . '">' . BOX_SEARCH_ADVANCED_SEARCH . '</a>';
  } else {
      $content .= zen_draw_input_field('keyword', '', 'size="18" maxlength="100" style="width: ' . ($column_width-30) . 'px" value="' . HEADER_SEARCH_DEFAULT_TEXT . '" onfocus="if (this.value == \'' . HEADER_SEARCH_DEFAULT_TEXT . '\') this.value = \'\';" onblur="if (this.value == \'\') this.value = \'' . HEADER_SEARCH_DEFAULT_TEXT . '\';"') . '<br />';
      if ($_SERVER["HTTPS"]) {//yes, this is a secure page
        $content .= '<a href=\'JavaScript:window.location="http://www.mywebsite.com/index.php?main_page=advanced_search_result&search_in_description=1&keyword=" + document.quick_find.keyword.value\' name="searchLink">Search</a>';
    }else{
        $content .= '<input type="submit" value="' . HEADER_SEARCH_BUTTON . '" style="width: 50px" />';
    }
    $content .= '<br /><a href="' . zen_href_link(FILENAME_ADVANCED_SEARCH) . '">' . BOX_SEARCH_ADVANCED_SEARCH . '</a>';
  }

  $content .= "</form>";
  $content .= '</div>'; 


I'm sure this could be cleaner but I've found that it's easier for future upgrades this way. Of course, this is in my template override directory! It works like a charm unless JS is disabled - checked in FF1.5, IE7 and Opera9. I'll add a button image in the link to make it look prettier.

Any ideas on how to check if JS is disabled, so we could display the original elements (even though they'd get a security warning)? In my test case, which was writing the html code directly, I used <noscript> tags to write out the original elements, then checked for the existence of that element before writing the JS version. It works great...but I don't think that'll work with the search sidebox template due to the way it's developed as a string.

Next is the manufacturer's sidebox!!

Patti

[pfabrick]

OK, the manufacturers sidebox was super-easy! Here are the changes to the tpl_manufacturers_select.php file (again - saved in my template override directory):

PHP Code:

$content.= zen_draw_form('manufacturers', 'JavaScript:window.location="http://www.mywebsite.com/index.php?main_page=index&manufacturers_id="+document.manufacturers.manufacturers_id.value', 'get'); 


Just that one line change and it works like a charm! Same issue with the JS being disabled although this sidebox already had that issue due to the onchange event calling this.form.submit().

[stagebrace]

I have tested a second solution. I changed the variable "NONSSL" to "SSL" for the files related to search. The resulting search page shows up as secure but at least there is no warning box displayed to the customer.

[Ajeh]

Don't do that ...

Forcing secure all of the time is not a good idea ...

To fix this, you need to change 20+ files ...

Somewhere is a thread explaining it that I just made ...

[Ajeh]

This one ...
http://www.zen-cart.com/forum/showthread.php?t=56885

[stagebrace]

Thank you.
I changed it to $request_type. With my super simple template /setup I only need to change one file.

[Ajeh]

umm ... really play with the navigation ... you'd be amazed the patterns one can follow to produce the warning ...