  1. #1
    Join Date
    Apr 2007
    Location
    Sydney
    Posts
    109
    Plugin Contributions
    0

    Security warning when search right after log in

    This problem is different to that discussed in the "This page contains both secure and nonsecure items" FAQ.

    Right after I log in (over SSL), if I do a search, FF2, FF3, and Opera (amazingly not IE this time) give me a security warning as below:

    Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

    Are you sure you want to continue sending this information?
    Search is normally non-SSL, so I guess that warning makes sense.

    But this warning does not occur if I do: log in --> click a category. Obviously this is much more desirable.

    I would really like this sorted out. So please, anyone, help!

    I can duplicate this on the classic template, so I'm "assuming" this comes with ZC 1.3.8a.

  2. #2
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,761
    Plugin Contributions
    9

    Re: Security warning when search right after log in

    Where can this be seen?

    Not generally part of Zen Cart as there are many many installs not throwing this error
    Zen-Venom Get Bitten

  3. #3
    Join Date
    Jul 2004
    Posts
    167
    Plugin Contributions
    0

    Re: Security warning when search right after log in

    Hi Cochlear

    Same problem here dude.......Firstly I am no code Guru, everything I have doctored I've had to poke around with for hours.....no years literally to achieve what I want!

    I think you are obviously right in terms of it being a Firefox etc problem. I also think it would help to make the target of the form secure. Maybe with some sort of if condition to only do that if the existing page is https?

    On my site on page tpl_product_info_display.php I have the code:

    <?php echo zen_draw_form('cart_quantity', zen_href_link(zen_get_info_page($_GET['products_id']), zen_get_all_get_params(array('action')) . 'action=add_product'), 'post', 'enctype="multipart/form-data"') . "\n"; ?>


    I am sure this is what needs doctoring and that these code experts who hang about on this forum could solve this problem in a few minutes. Having said that I will try and solve the problem and get back to you as I know they are very busy people and do their best to solve everybody's problems.

    All this said and done I could be 'barking up the wrong tree' so it would be good if someone in the know could point us in the right direction.

  4. #4
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Security warning when search right after log in

    This would be classified as a Browser specific problem. Zen Cart is operating exactly as it should; when login is over SSL as all Search functions use a non-SSL connection.

    Some Browsers, like Mozilla, FF, Opera, have a Default setting to warn when information entered into a form using an SSL connection will return results using a non-SSL connection. Turn that setting to OFF and msg. goes away.

    Something for the Zen Cart Developers to think about for upcoming versions but not sure what can be done about it now.

  5. #5
    Join Date
    Jul 2004
    Posts
    167
    Plugin Contributions
    0

    Re: Security warning when search right after log in

    Originally posted by Website Rob:
    "when login is over SSL as all Search functions use a non-SSL connection."

    That is a bummer. As we all know any sort of 'security' problem freaks a percentage of uneasy people out.

    Let's remember these are people who are moments away from giving their card details over, and messages such as

    Originally posted by cochlear:
    "the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party."

    Translates into "if you put your card details in this website your account will be empty by the morning!"

  6. #6
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Security warning when search right after log in

    Not sure where you get that from?

    Checkout pages are done using SSL (if enabled) and there is no such error msg.

  7. #7
    Join Date
    Apr 2007
    Location
    Sydney
    Posts
    109
    Plugin Contributions
    0

    Re: Security warning when search right after log in

    OK after a more thorough search I've found a fix provided by Ajeh in this thread (bottom of page):

    http://www.zen-cart.com/forum/showth...t=56885&page=2

    It works by replacing "NONSSL" in the template file with "$request_type". I'm not a php coder but after some experimentation I think this code change makes the search SSL when you are still in a https connection. If you are not in https then the search will do nonssl, as it normally does.

    It works quite well, except that Ajeh also said:
    "And don't forget the other 20+ files that also must be addressed"
    So I'd better uncover those...

  8. #8
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Security warning when search right after log in

    cochlear, nice use of the Forum 'Search' function, finding that thread.

    Doing my own follow-up and contrary to what Linda mentioned, I could only find 6 files needing changing. This is based on using the end of the Form expression 'NONSSL', false), 'get'); and searching within all Zen Cart files for v1.3.8a

    includes/templates/template_default/sideboxes/

    tpl_manufacturers_select.php line 13
    tpl_music_genres_select.php line 13
    tpl_record_company_select.php line 13
    tpl_search.php line 13
    tpl_search_header.php line 12
    tpl_tell_a_friend.php line 13

    If you find any more though, please update this thread and we can keep them all in one place.
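
Added example, not part of any post in this thread and not Zen Cart code: a Python sketch that automates the search described in post #8, listing form targets that hardcode 'NONSSL' and showing each line with the $request_type substitution from post #7. The sample template lines and the file names tpl_fixed.php and tpl_link.php are constructed for the demo, and the regex assumes each call sits on one line.

```python
import re
import tempfile
from pathlib import Path

# A form whose action URL is built with a hardcoded 'NONSSL' connection argument.
FORM_NONSSL = re.compile(r"zen_draw_form\(.*zen_href_link\(.*'NONSSL'")

# Constructed sample templates (not copied from Zen Cart).
SAMPLE = {
    "tpl_search.php": "$content .= zen_draw_form('quick_find', "
    "zen_href_link(FILENAME_ADVANCED_SEARCH_RESULT, '', 'NONSSL', false), 'get');",
    "tpl_fixed.php": "$content .= zen_draw_form('quick_find', "
    "zen_href_link(FILENAME_ADVANCED_SEARCH_RESULT, '', $request_type, false), 'get');",
    # A plain link is not a form target and must not be reported.
    "tpl_link.php": "$link = zen_href_link(FILENAME_DEFAULT, '', 'NONSSL');",
}


def find_nonssl_forms(root):
    """Return (relative path, line number, line) for every form target
    that hardcodes 'NONSSL' under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            if FORM_NONSSL.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


def suggest_fix(line):
    """Apply the change described in the thread: 'NONSSL' -> $request_type."""
    return line.replace("'NONSSL'", "$request_type")


def demo():
    """Write the sample tree to a temp dir, scan it, return proposed fixes."""
    with tempfile.TemporaryDirectory() as tmp:
        box = Path(tmp) / "includes/templates/template_default/sideboxes"
        box.mkdir(parents=True)
        for name, body in SAMPLE.items():
            (box / name).write_text("<?php\n" + body + "\n", encoding="utf-8")
        return [(p, n, suggest_fix(src)) for p, n, src in find_nonssl_forms(tmp)]


if __name__ == "__main__":
    for path, lineno, fixed in demo():
        print(f"{path}:{lineno}\n  -> {fixed}")
```

It does not flag calls that omit the connection argument, such as the product-info form quoted in post #3, so those still need a manual look.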

  9. #9
    Join Date
    Jul 2004
    Posts
    167
    Plugin Contributions
    0

    Re: Security warning when search right after log in

    Well done on solving your sidebox issues. Somehow I'd already come up with a solution to that back along which wasn't as good I expect (checking to see if their session was a logged in customer or not and giving the relevant URL)

    Have you noticed though that there is no SSL or NONSSL to change in the form creation code that I mentioned on the product_info page in my original post?

    Don't know if you still have that problem?

    Try >>logging in >> searching for a product >> adding it to basket

    That's when I get the error.

    I'm sure the zen_get_all_get_params(array('action')) part of the code is choosing to use http even when logged in - any ideas anyone?

    I suppose I should add that back along I upgraded my search to go directly to the product info or category page if there was only one result for either.
    Last edited by ink; 8 Jun 2008 at 03:44 PM.

  10. #10
    Join Date
    Jul 2004
    Posts
    167
    Plugin Contributions
    0

    Re: Security warning when search right after log in

    Originally posted by ink:
    "I'm sure the zen_get_all_get_params(array('action')) part of the code"

    Sorry I mean zen_href_link(zen_get_info_page($_GET['products_id'])

    I'll change it to my crude $session['customer_id'] fix but again I'm sure that isn't the best way

 

 