Notice of Combining Shopping Cart > Login > Secure Shopping Cart > Security Warning

[dharma]

I like the new 1.3.8a feature of being directed to the Shopping Cart to view cart items from the last visit and see the notice of combined items.

However, If an existing customer shops>goes to checkout (via login page) they land on an https secure shopping cart page, then when using the "update cart" button a security warning appears.

Aside from changing the admin setting of not going to the cart page (which I like), is there a way around the update cart button giving off a security warning?

[schoolboy]

A security warning appears when components of a HTTPS page are actually HTTP. This commonly occurs when remote http:// URL's are embedded into the page (either through hard-coding, or through being called via a script that has not pre-defined the link as https or SSL.)

If you are getting the warning, when it says "do you want to show the insecure items?" - - - choose "No".

In this way you will be able to see what the non-secure component of the page is - because it won't display.

Then you've narrowed down the offending http:// reference, and you can then look at how it can be changed - either by modifying the code calling the link, or by using https:// rather than http:// as the URL prefix.

[dharma]

Thank you for the tip! I didn't know about the trick about how to view what is non-secure.

For this page, the non-secure link is the ZC "update cart" action itself:

PHP Code:

<?php echo zen_draw_form('cart_quantity', zen_href_link(FILENAME_SHOPPING_CART, 'action=update_product')); ?>

If the shopping cart is in https (fresh off the login page), and the customer wishes to update their cart using the "update cart" button, that is what is giving the warning.

I have changed the above code to SSL which works, but then the shopping cart goes SSL after each update

I could be changing the wrong code...there are other references to the update cart button, that are beyond my knowledge on this page.

[DrByte]

Thank you for the tip! I didn't know about the trick about how to view what is non-secure.

There's an FAQ on that issue too: https://www.zen-cart.com/tutorials/i...hp?article=150

[dharma]

Thank you Dr. Byte, that is a good page for reference, I am aware of non-secure warnings due to img etc and full URL's. But my issue appears to be php ZC related, that is the update cart button sends the "update" as non SSL from a SSL page (if landing from login page (https: shopping cart) due to the Notice of Combining Shopping Cart setting.

Has anyone else noticed this? or have I got this all wrong?

[DrByte]

If you want your shopping cart page to be SSL when the "combined" action happens, change the NONSSL to SSL in this section of your /includes/modules/pages/login/header_php.php:

Code:

            if (SHOW_SHOPPING_CART_COMBINED == 1) {
              // show warning and send to shopping cart for review
              $messageStack->add_session('shopping_cart', WARNING_SHOPPING_CART_COMBINED, 'caution');
              zen_redirect(zen_href_link(FILENAME_SHOPPING_CART, '', 'NONSSL'));
            }